CISSP · Question #265
Although code using a specific program language may not be susceptible to a buffer overflow attack,
The correct answer is D. the supporting virtual machine could be susceptible.. Even if a high-level language like Java prevents buffer overflows in application code, the underlying virtual machine (e.g., JVM) that executes the bytecode is typically written in C/C++ and can itself be vulnerable to buffer overflow attacks.
Question
Although code using a specific program language may not be susceptible to a buffer overflow attack,
Options
- Amost calls to plug-in programs are susceptible.
- Bmost supporting application code is susceptible.
- Cthe graphical images used by the application could be susceptible.
- Dthe supporting virtual machine could be susceptible.
How the community answered
(39 responses)- A15% (6)
- B3% (1)
- C5% (2)
- D77% (30)
Why each option
Even if a high-level language like Java prevents buffer overflows in application code, the underlying virtual machine (e.g., JVM) that executes the bytecode is typically written in C/C++ and can itself be vulnerable to buffer overflow attacks.
Plug-in susceptibility is a separate attack surface concern and is not the primary technical reason why memory-safe language code can still be indirectly vulnerable; the question targets the foundational execution environment.
While supporting application code could theoretically be vulnerable, this is not the specific and well-established security concern that directly undermines the memory safety guarantees provided by managed languages.
Graphical images can be vectors for exploits (e.g., malformed image parsing), but this is an application-layer parsing vulnerability, not the core reason why a memory-safe language's broader execution environment remains at risk.
Languages like Java and C# are memory-safe and abstract away direct memory management, making application-level buffer overflows largely impossible. However, the virtual machine (e.g., the JVM or CLR) that interprets or JIT-compiles the bytecode is itself written in native code (typically C/C++), which is susceptible to buffer overflow vulnerabilities. A flaw in the VM's own code can be exploited even though the application layer is safe, meaning the security of the entire stack depends on the VM's integrity.
Concept tested: Buffer overflow risks in virtual machine runtimes
Source: https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
Topics
Community Discussion
No community discussion yet for this question.