Buffer Overflow and Memory Leak

Memory Layout of a Process

Buffer means a segment of memory used to store a specific size of data. It gets overflowed if the size of data is larger than the buffer size. It typically causes an exception subject to privilege escalation or returning to the code address in the stack. If input validation and exception handling routine are properly arranged, a buffer overflow can be effectively mitigated.

Memory leak is a common application problem. An application or process is allocated a limited memory size, aka heap, when loaded and launched by the OS. The process may request segments of memory but not return them to the OS. The available memory is running out in the end. The performance is getting worse, and it may result in a process crash. Modern runtime frameworks, e.g., .NET, JVM, provide garbage collection or reference counter to address this issue.


According to Dorothy E. Denning, “the lattice properties permit concise formulations of the security requirements of different existing systems and facilitate the construction of mechanisms that enforce security.” Which of the following is not a lattice-based access control model? (Wentz QOTD)
A. Biba model
B. Clark-Wilson model
C. Brewer and Nash model
D. Bell-LaPadula (BLP) model

Continue reading


A trusted computer system is typically designed based on a formal model. Which of the following is incorrect about the Trusted Computer System Evaluation Criteria (TCSEC)? (Wentz QOTD)
A. TCSEC is developed based on the Bell-LaPadula Model (BLP).
B. The clearance/classification scheme is expressed in terms of a lattice.
C. A trusted path ensures recovery without a compromise if secure state transitions fail.
D. Discretionary access control enables objects sharing by named individuals or groups, or both.

Continue reading


You are evaluating alternative sites to support the continuous delivery of products and services if a disaster materializes. Which of the following is the best benefit of a cold site? (Wentz QOTD)
A. Shorten the relocation time
B. Provide off-site data vaulting
C. Respond to e-discovery requests
D. Reserve alternative computing capacities

Continue reading


As a system owner, you are planning for the recovery of a core system to support business continuity. Which of the following is not a recovery objective specific to your system? (Wentz QOTD)
A. Recovery Point Objective (RPO)
B. Recovery Time Objective (RTO)
C. Service Delivery Objective (SDO)
D. Maximum Tolerable Downtime (MTD)

Continue reading