In computer programming, values that need to be acted on or processed somehow are stored in a variable.

A variable is simply a name and value pair.

People use many naming schemes but generally have few limitations on the actual names.

The value of a variable can be changed in the course of the program.

These languages have a layer of abstraction from the machine code that helps to keep writing code simple.

This approach does have some limitations, though.

It can often be preferred to code software in older low-level programming languages.

Note: Not all old languages are low-level, and not all high-level languages are modern.

There has generally been a shift towards higher-level languages, though both are popular.

Low-level programming languages such as C are much less flexible and require more effort to achieve the same functionality.

One of the standard features in low-level languages is the ability to manage memory directly.

For example, let's imagine we have two variables, Name and Age.

The name has been defined as a string, while age is an integer.

Let's also suppose you've only ever known people with short names: Dave, Sean, and Mary.

Thankfully this holds other names such as James, Barry, and Becky.

Caitlyn is about to cause a bunch of trouble.

When she enters her name, the software does exactly what it's told to and enters her name.

Now the written data has extended beyond the allocated buffer, overflowing it and overwriting Caitlyn's age.

This isn't immediately a problem as nothing has tried using the values.

Unfortunately, you will have difficulties when you want to read the values.

It's rude to cut off the name, but not a big issue.

There's a bigger problem when it comes to checking the age.

To do so, it might run a check like this: age > 18.

As a number, this operation is easy: is age greater than 18?

Both Becky and Dave pass; others might be too young.

Something different happens to Caitlyn, though.

The software tries to check if "yn" is greater than 18.

As you might expect, the software throws an error because it can't do that.
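The Name and Age overwrite described above, as an added example that is not code from the original article. It assumes a 5-byte name field followed directly by a 2-byte integer age in one flat record; the function names and that layout are hypothetical. With the age held as a raw integer, the overwritten bytes read back as a different number rather than raising an error.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout: 5 bytes of name, then a 2-byte age right behind it. */
#define NAME_LEN 5
#define AGE_OFF  NAME_LEN
#define REC_LEN  (NAME_LEN + 2)

static void set_age(unsigned char *rec, unsigned age) {
    rec[AGE_OFF]     = (unsigned char)(age & 0xFF);        /* low byte  */
    rec[AGE_OFF + 1] = (unsigned char)((age >> 8) & 0xFF); /* high byte */
}

static unsigned get_age(const unsigned char *rec) {
    return rec[AGE_OFF] | ((unsigned)rec[AGE_OFF + 1] << 8);
}

/* Unchecked write: copies the whole name without looking at the field size.
   Capped at REC_LEN only so this demo never leaves its own array. */
static void store_name_unchecked(unsigned char *rec, const char *name) {
    size_t n = strlen(name);
    if (n > REC_LEN) n = REC_LEN;
    memcpy(rec, name, n);
}

/* Checked write: refuses any name that does not fit the name field. */
static int store_name_checked(unsigned char *rec, const char *name) {
    size_t n = strlen(name);
    if (n > NAME_LEN) return -1;
    memset(rec, 0, NAME_LEN);
    memcpy(rec, name, n);
    return 0;
}

/* Stores `name` into a fresh record whose age is 25, returns the age after. */
static unsigned age_after(const char *name, int checked) {
    unsigned char rec[REC_LEN] = {0};
    set_age(rec, 25);
    if (checked) (void)store_name_checked(rec, name);
    else store_name_unchecked(rec, name);
    return get_age(rec);
}

int main(void) {
    printf("Becky,   unchecked: age=%u\n", age_after("Becky", 0));
    printf("Caitlyn, unchecked: age=%u\n", age_after("Caitlyn", 0));
    printf("Caitlyn, checked:   age=%u\n", age_after("Caitlyn", 1));
    return 0;
}
```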

Error Severity

The sort of error in the example is relatively tame.

It might even be handled by the software and allow you to edit the age to fix it.

In a worse scenario, the error might not be tolerated.

In this case, it will cause the whole program to crash.

The thing is, there's no guarantee that something as simple as age is what gets overwritten.

What if what follows Name is pathToFileToDelete or pathToOtherSoftwareToRun? In these examples, you could fundamentally change what the software does.

Now imagine if a hacker knows exactly how these attacks work and how to execute them reliably.

This entire class of vulnerability has been a gold mine for high-severity security vulnerabilities.

Most offer the ability to crash the program, but many can be much worse.

Numerous examples of buffer overflow vulnerabilities enable code execution or privilege escalation.

Unfortunately, these steps are optional extras that add complication and increase development time.

In many cases, this causes memory corruption and software crashes due to uncaught errors.

Some buffer overflow vulnerabilities can, however, be more dangerous.

Buffer overflow vulnerabilities stem from poor memory allocation management.

It exclusively happens in low-level languages that offer or require manual memory management.

High-level languages entirely abstract the memory management functionality from the developer, essentially preventing the class of vulnerability.