PCI Requirement 6.5.2 – Buffer Overflow

by Randy Bartels / October 13th, 2017

What is Buffer Overflow?

PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in its software development processes to ensure that applications are securely developed. One of the common coding vulnerabilities associated with secure application development is buffer overflow, which is outlined in PCI Requirement 6.5.2. Although it is a common and widely understood coding vulnerability, organizations still seem to struggle with how to protect themselves from buffer overflow attacks and how to comply with PCI Requirement 6.5.2.

PCI Requirement 6.5.2 requires that your organization protect its applications from buffer overflows. OWASP defines a buffer overflow as, “A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.” The damage does not stop at corrupted data or a crash. When buffer overflows occur, according to the PCI DSS, “an attacker could insert malicious code at the end of the buffer and then push that malicious code into executable memory space by overflowing the buffer. The malicious code is then executed and often enables the attacker remote access to the application and/or infected system.”

To comply with PCI Requirement 6.5.2, we recommend that when your organization develops applications, it defines lengths within the code, truncates or extracts only the data needed for processing, and ignores any other data. During an assessment for PCI Requirement 6.5.2, an assessor will examine your policies and procedures related to application development and interview the responsible personnel to verify that you are validating buffer boundaries and truncating input data.

Buffer overflows within applications are pretty nasty vulnerabilities. Effectively what is happening is that you have defined a memory space within the application, the application is taking data from another source (user input, a file, etc.), and the data it accepts exceeds the boundaries of the memory you allocated. When that happens, the excess data written into the buffer has to go somewhere, and it lands in the adjacent memory on the stack or heap. Regardless of the source (even a trusted user or a trusted file), it is really important to validate your input lengths. When you are developing software, what we look for from a testing perspective is that you have defined lengths within your code and that you are truncating, or extracting only the data you need for processing, and ignoring the rest.
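The control described above (a defined length in the code, a copy bounded by that length, anything beyond it truncated and reported), shown as an added C example that is not part of the original post; FIELD_LEN, the function names and the sample inputs are assumptions chosen for illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Defined maximum length of the field, including the terminating NUL.
 * Hypothetical value chosen for this example. */
#define FIELD_LEN 16

/* Vulnerable pattern: the copy is driven by the length of the SOURCE,
 * so any input of FIELD_LEN bytes or more writes past the end of dst.
 * Kept only for contrast; nothing below calls it. */
void copy_field_unchecked(char dst[FIELD_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: the copy is driven by the size of the DESTINATION.
 * Input longer than the defined length is truncated, dst is always
 * NUL-terminated, and the caller is told whether truncation happened so
 * it can reject or log the oversized input. Returns true if the input
 * could not be stored in full. */
bool copy_field_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || dst_len == 0)
        return true;                 /* nothing can be stored: reject */
    if (src == NULL)
        src = "";                    /* treat a missing value as empty */

    /* Scan at most dst_len bytes of src; never read past what fits. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;

    bool truncated = (n == dst_len); /* src did not fit with its NUL */
    if (truncated)
        n = dst_len - 1;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void)
{
    char field[FIELD_LEN];
    /* Constructed inputs: one that fits, one that would overflow. */
    bool t1 = copy_field_bounded(field, sizeof field, "order-1234");
    printf("\"%s\" truncated=%d\n", field, t1);
    bool t2 = copy_field_bounded(field, sizeof field,
                                 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    printf("\"%s\" truncated=%d\n", field, t2);
    return 0;
}
```

The return value is the check an assessor wants to see acted on: a truncated field is evidence of input that violated the defined length, not something to silently accept.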