Buffer Overflows on Microcontrollers
The stack buffer overflow is the oldest trick in the book, and on microcontrollers it still works exactly as it did decades ago. No memory management unit, no address randomization, and often writable executable memory mean a single unbounded copy can hand an attacker the whole device. Here is how it plays out on embedded firmware.
The Vulnerable Pattern
It almost always comes down to copying attacker-controlled data into a fixed-size buffer without checking the length:
void handle(char *input) {
char buf[64];
strcpy(buf, input); // no length check
process(buf);
}
What Overflowing Does
Write past the 64 bytes and you start overwriting saved registers on the stack, including the return address. On an MCU, the crash tells the story: the program counter is now whatever you wrote:
# send 80 bytes of 'A' to the input handler
python3 -c "print('A'*80)" | ./send_to_device
[HardFault] taken PC = 0x41414141 LR = 0x41414141 Cause: INVSTATE / bus fault on 0x41414141
A program counter of 0x41414141 is the ASCII for AAAA. The input is now directly controlling where the CPU jumps, which on a device with executable RAM is one step from running attacker code.
Why MCUs Make It Worse
The mitigations that neutralized this class on servers are frequently missing on microcontrollers:
Closing the Gap
Use bounded string functions, enable the compiler’s stack protector, mark RAM non-executable through the memory protection unit, and fuzz the input parsers. Each control on its own is partial; together they turn a reliable exploit into an unreliable crash, which is most of the battle on embedded.
Where This Fits
Finding and proving memory-safety bugs in firmware parsers is core to a product security assessment and penetration test. That analysis is the kind of work we do at Berkner Tech.