ment exhibited great foresight. To this day buffer errors represent the single most common vulnerability,[a] even more so among high-severity vulnerabilities (see Figure 1 and Figure 2). Just imagine if a law requiring bounds checks had been enacted more than 40 years ago, and there were no buffer overflows today. As it stands, Microsoft for one instituted its Security Development Lifecycle as a mandatory policy in 2004. This includes—among many other features—the option to require compilation with flags that insert bounds checks and the option to ban unsafe library functions. On the one hand this demonstrates that such practices are just a matter of deciding to use them. On the other hand they are still not universally required, and indeed even Microsoft products still occasionally suffer from buffer issues.[b]
Indeed, lectures such as Patterson’s are typically either ignored or stir up a chorus of naysayers. The typical argu-
[a] The NIST National Vulnerability Database uses 124 of the nearly 1,000 types listed in the Common Weakness Enumeration to categorize vulnerabilities. In 2015–2017, buffer errors (CWE-119) accounted for 15.2%–18.4% of all vulnerabilities each year. The next highest categories were information leak/disclosure (CWE-200) at 9.3%–10.9%, permissions, privileges, and access control (CWE-264) at 8.2%–10.0%, and cross-site scripting (CWE-79) at 7.3%–11.2%.
[b] One example: Microsoft Office Equation Editor stack buffer overflow; see https://bit.ly/2zTngss
Table 1. Changes in software and computing in the last 30 years.
1980s               | 2010s
--------------------|---------------------------------
C pointers          | Java garbage collection
Emacs               | Eclipse
Math library        | Frameworks
Ad hoc programming  | Agile methodology
Waterfall           | Evolution/continuous integration
Flowcharts          | UML
Write your own sort | Copy from Stack Overflow
Computer room       | Computer in your pocket
Hard disk           | Cloud
Text terminals      | Touch screens
Email               | Internet of Things
No regulation       | No regulation
Figure 1. The number of software vulnerabilities cataloged by the NIST National Vulnerability Database skyrocketed in 2017, and the fraction of vulnerabilities involving buffers
(either categorized as “buffer error” or containing the keyword “buffer”) kept pace.
[Figure 1 plot: x-axis, years 1995 to 2015; y-axis, "Vulnerabilities", 0 to 12,000; series: "Other Vulnerabilities" and "Buffer Related".]
Figure 2. According to the National Vulnerability Database, since the beginning of the
decade approximately 15% of all vulnerabilities have been related to buffer errors, and
this rises to between one-quarter and one-third of the vulnerabilities if only those with
a high severity score are considered.
[Figure 2 plot: x-axis, years 2007 to 2017; y-axis, "Percent Categorized As “Buffer Errors”", 0 to 35; series: "Of All Vulnerabilities" and "Of High Severity Vulnerabilities".]