Stack based VS heap based buffer overflow - Stack Overflow
Performance benefit of using buffer on heap over stack (C) - Stack Overflow
ELI5 the difference between heaps, buffers, and stacks.
Buffer overflows on the heap vs the stack - Information Security Stack Exchange
What programming languages are most vulnerable to heap buffer overflows?
How does ASLR protect against heap buffer overflow attacks?
Can antivirus software detect heap buffer overflow exploits?
Videos
If you are writing code for a very small system, you may need to get the buffer using malloc (or one of the related routines, such as calloc) so that you do not use limited stack space.
Otherwise, on modern systems, 1024 bytes is a modest amount of stack space to use, and creating a buffer on the stack is typically faster than using malloc. (A normal malloc call requires at least some amount of bookkeeping work that stack allocation does not. However, if a routine merely allocates a fixed-size buffer with malloc, uses it, and frees it, a compiler might optimize the buffer to a stack allocation anyway, in which case they would be equivalent.)
For reference, on macOS, Apple’s tools default to 8 MiB of space for the main stack and 2 MiB for each thread.
In general, stack allocation is always faster than heap allocation.
This is because stack allocation is as easy as a single write to the stack pointer, whereas dynamic memory allocation contains a lot of overhead code during allocation - malloc has to go look for the next free segment, possibly also handling issues with fragmentation etc.
If you re-use a buffer, you should make sure to only allocate it once, no matter where you allocate it. This might be in favour of the heap, since heap-allocated variables don't go out of scope.
As for accessing memory once it is allocated, the stack and heap should perform identically.
Most importantly, allocating a large chunk of data on the stack isn't recommended, since it has a limited size. 1024 bytes is fairly large, so the recommended practice would be to store it on the heap for that reason alone.
I often see stack overflow and buffer overflow, or occasionally some reference to heaps and have no idea what any of it is.
With a stack overflow - if you just keep overflowing - you overflow first locals vars, then saved registers, then the return address, then function arguments, then stuff further down the stack, maybe exception handlers, etc. Usually as an attacker you indeed use the overwritten return address to jump somewhere interesting.
With a heap overflow you overflow ... whatever lies beyond your piece of memory. In old or bad heap implementations that might be heap metadata that can give you e.g. the power to write stuff into targeted memory locations (which you could use to overwrite a function pointer). In other heap implementations you will have to engineer a pattern of allocations and deallocations to get the heap into a state where there is an interesting allocated piece to the right side of your piece of memory. Maybe a vtable or some other function pointers.
Heap overflows are highly specific to heap implementation and application. On linux there are the „house of ...“ techniques because glibc malloc is a joke (sorry!), on windows 7 the heap got very well secured and well randomized and you have to hope for applications to bring their own insecure heap implementations to get 1% more performance. They often do.
Gaining execution ability is indeed not the only way to exploit a buffer overflow. The heartbleed bug is a recent well known example of a heap buffer overflow type situation, where all the attacker could do was read beyond the buffer. Not write or gain execution ability. http://heartbleed.com