In this article, we’ll see what Buffer Overflow is and the threats it poses to our system. Additionally, we’ll see Java’s take on Buffer Overflow.
2. What Is Buffer Overflow?
A buffer is a portion of RAM involved in storing temporary data. Buffer size is usually fixed for a given program. But what if a program tries to write more data than the allocated memory? This usually results in Buffer Overflow. Simply put, Buffer Overflow refers to a program writing content to memory outside of the buffer (as a result of overflow). Buffer Overflow can lead to unexpected behaviour as well as software security threats.
3. Java’s Security Mechanism and Corner Cases
Buffer Overflow is common in languages such as C and C++. It’s easy to overwrite memory intentionally or unintentionally in these languages. However, many popular languages have safeguards in place against Buffer Overflow scenarios. For the specific case of Java, the use of a bounds-checked character array prevents Buffer Overflow.
Because every array access is checked against the array’s bounds, Java can ensure memory safety. Java does not allow access beyond the allocated buffer memory, and in this way it prevents Buffer Overflow. Java will throw an ArrayIndexOutOfBoundsException if the program tries to access memory beyond the allotted space. A more detailed description can be found in “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”.
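The bounds check described above, shown as an added example that is not part of the original article: an unchecked copy loop of the kind that overflows in C is stopped by the JVM at the first out-of-range store, and a length-validating variant rejects the input before touching the buffer. The class, method, and variable names are hypothetical, and the input string is constructed for the demonstration.

```java
import java.util.Arrays;

// Added example: all names here are hypothetical, not from the article.
public class BoundsCheckDemo {

    static final int BUFFER_SIZE = 8;

    // Mirrors the classic C mistake: copy until the input ends without
    // comparing against the destination size. The JVM checks every
    // indexed store, so the write at index BUFFER_SIZE throws.
    static void uncheckedCopy(char[] dest, String input) {
        for (int i = 0; i < input.length(); i++) {
            dest[i] = input.charAt(i);
        }
    }

    // Validates the length up front, so oversized input is rejected
    // before any element of the buffer is modified.
    static boolean checkedCopy(char[] dest, String input) {
        if (input.length() > dest.length) {
            return false;
        }
        input.getChars(0, input.length(), dest, 0);
        return true;
    }

    public static void main(String[] args) {
        char[] buffer = new char[BUFFER_SIZE];
        // Separate object standing in for data a C overflow could clobber.
        char[] neighbour = "SECRET".toCharArray();
        String oversized = "AAAAAAAAAAAAAAAA"; // constructed 16-char input

        try {
            uncheckedCopy(buffer, oversized);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("Write rejected by the JVM: " + e.getMessage());
        }
        // The buffer was filled up to its limit; nothing outside it changed.
        System.out.println("buffer    = " + Arrays.toString(buffer));
        System.out.println("neighbour = " + new String(neighbour));

        Arrays.fill(buffer, '\0');
        System.out.println("checkedCopy accepted oversized input: "
                + checkedCopy(buffer, oversized));
        System.out.println("checkedCopy accepted \"short\": "
                + checkedCopy(buffer, "short"));
    }
}
```

The unchecked loop still leaves the buffer partially overwritten before the exception fires, which is why validating the length first is the cleaner pattern even in a memory-safe language.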
Despite the security mechanism described above, it might still be possible to experience Buffer Overflow in Java. These cases are due to JVM implementations and not core Java. We cover two cases below.
3.1. JVM Uses C++
C++ is one of the languages in which it is easy to overwrite memory and cause Buffer Overflow. As the JVM is written in C++, it is theoretically possible to have a Buffer Overflow scenario during the execution of a program. And since the JVM is provided by individual vendors, it’s possible that a vendor’s implementation may lead to Buffer Overflow. However, this is highly unlikely in the real world.
3.2. Using Java Native Interface (JNI)
JNI allows Java programs to interoperate with native programs that might be written in C or C++. Since languages like C and C++ are not memory-safe, it is possible to cause Buffer Overflow via the Java Native Interface. It should be noted that in this case the source of the vulnerability is not Java, but the C or C++ code.
In this article, we saw what Buffer Overflow is and how Java has an appreciable safeguard against it by using array bounds checks. We also saw that the Java Native Interface (JNI) can lead to Buffer Overflow because of its use of native code.