Is buffer overflow vulnerability vanishing?

Daniel Chu
3 min read · Feb 27, 2023

Buffer overflows are among the most notorious vulnerabilities because attackers can exploit them to execute arbitrary code and gain access to a system or, in the worst scenario, take control of it with a root account. Buffer overflow vulnerabilities typically receive high scores in the Common Vulnerability Scoring System (CVSS) because they are often relatively easy to exploit and can lead to significant consequences for the targeted system.

Figure 1. Buffer overflow statistics in CVE, cited from An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques [1]

From the reference above, we can see that reported buffer overflow vulnerabilities peaked in 2007 and in 2018, with 938 cases and 1505 cases respectively, over the span of a decade. We can guess at the future trend: the vulnerability will peak again in another decade.

The key is that most enterprise software developed over more than a decade still uses a legacy codebase, often written in C or C++, the languages blamed for buffer overflow vulnerabilities because of the flexibility they give over memory control. Here is one example program written in C++, example1, where a buffer overflow may happen if the input is more than 16 bytes.

#include <stdio.h>
#include <string.h>

int main()…
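As an added illustration (not the article's example1, whose body is cut off above), the C code below assumes a 16-byte buffer filled with strcpy() and sets that unchecked copy beside two bounded alternatives, one that rejects oversized input and one that truncates it. The function names and sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* the 16-byte buffer size the article mentions */

/* Unsafe pattern (assumed): strcpy() copies up to and including the NUL
 * terminator and has no idea how large dst is. */
void copy_unchecked(char *dst, const char *input)
{
    strcpy(dst, input);   /* writes past dst once strlen(input) >= BUF_SIZE */
}

/* Policy 1: reject. Returns 0 on success, -1 if input is NULL or does not
 * fit in BUF_SIZE bytes with its terminator. dst is left empty on failure. */
int copy_checked(char *dst, const char *input)
{
    dst[0] = '\0';
    if (input == NULL)
        return -1;
    size_t len = strlen(input);
    if (len >= BUF_SIZE)          /* 16 characters need 17 bytes */
        return -1;
    memcpy(dst, input, len + 1);  /* +1 copies the terminator */
    return 0;
}

/* Policy 2: truncate. Always NUL-terminates; returns 1 if input was cut. */
int copy_truncating(char *dst, const char *input)
{
    int n = snprintf(dst, BUF_SIZE, "%s", input);
    return (n < 0 || n >= BUF_SIZE) ? 1 : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed sample inputs: 5, 15 and 16 characters long. */
    const char *samples[] = { "short", "0123456789abcde", "0123456789abcdef" };

    copy_unchecked(buf, samples[0]);   /* safe only because the input is short */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = copy_checked(buf, samples[i]);
        int cut = copy_truncating(buf, samples[i]);
        printf("%zu chars: checked=%d truncated=%d -> \"%s\"\n",
               strlen(samples[i]), rc, cut, buf);
    }
    return 0;
}
```

The 16-character sample is the boundary case: it has 16 visible characters but needs 17 bytes once the terminator is counted, so the checked copy refuses it.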
