Communications of the ACM

ment exhibited great foresight. To this
day buffer errors represent the single
most common vulnerability,a even more
so among high-severity vulnerabilities
(see Figure 1 and Figure 2). Just imagine
if a law requiring bounds checks had
been enacted more than 40 years ago,
and there were no buffer overflows to-
day. As it stands, Microsoft for one insti-
tuted its Security Development Lifecycle
as a mandatory policy in 2004. This in-
cludes—among many other features—
the option to require compilation with
flags that insert bounds checks and the
option to ban unsafe library functions.
On the one hand this demonstrates that
such practices are just a matter of decid-
ing to use them. On the other hand they
are still not universally required, and
indeed even Microsoft products still oc-
casionally suffer from buffer issues.b
Indeed, lectures such as Patterson’s
are typically either ignored or stir up a
chorus of naysayers. The typical argu-
a The NIST National Vulnerability Database
uses 124 of the nearly 1,000 types listed in the
Common Weakness Enumeration to catego-
rize vulnerabilities. In 2015–1017, buffer er-
rors CWE- 119 accounted for 15.2%– 18.4% of
all vulnerabilities each year. The next highest
categories were information leak/disclosure
C WE-200 at 9.3%– 10.9%, permissions, privileg-
es, and access control C WE-264 at 8.2%– 10.0%,
and cross-site scripting CWE- 79 at 7.3%– 11.2%.
b One example: Microsoft Office Equation Editor
stack buffer overflow; see https://bit.ly/2z Tngss
Table 1. Changes in software and computing in the last 30 years.

1980s 2010s

C pointers Java garbage collection Emacs Eclipse Math library Frameworks Ad hoc programming Agile methodology Waterfall Evolution/continuous integration Flowcharts UML Write your own sort Copy from Stack Overflow Computer room Computer in your pocket Hard disk Cloud Text terminals Touch screens Email Internet of Things No regulation No regulation

Figure 1. The number of software vulnerabilities cataloged by the NIST National Vulnerability Database skyrocketed in 2017, and the fraction of vulnerabilities involving buffers (either categorized as “buffer error” or containing the keyword “buffer”) kept pace.

1995 2000 2005 2010 2015

0

2000

4000

6000

8000

10000

12000

Other Vulnerabilities Buffer Related

Vul nera bili tie s

Figure 2. According to the National Vulnerability Database, since the beginning of the decade approximately 15% of all vulnerabilities have been related to buffer errors, and this rises to between one-quarter and one-third of the vulnerabilities if only those with a high severity score are considered.