Implementation flaws, buffer overruns

Security in Computing (3rd Edition)

CS 161 Computer Security, Fall 2005, Joseph/Tygar/Vazirani/Wagner, Notes 13
Topic: Software security; Common implementation flaws

The purpose of the next few lectures is to teach you about software security. Even if we’ve got the perfect system design, specification, and algorithms, there can still be vulnerabilities introduced when it comes time to implement. We will start by showing you some common implementation flaws. Because a lot of our security-critical applications have been written in C, and because C has peculiar pitfalls of its own, many of these examples will be C-specific. However, implementation flaws can occur at all levels: in improper use of the programming language, the libraries, the operating system, or in the application logic. By far the most common class of implementation flaw is the buffer overrun, so we will start there.

1 Buffer overruns

C is essentially a portable kind of assembler: in many ways, the programmer is exposed to the bare machine. In particular, C does not provide any sort of automatic bounds-checking for array or pointer accesses. In the case of a buffer overrun vulnerability (sometimes also called a buffer overflow), out-of-bounds memory accesses are used to corrupt the intended behavior of the program and cause it to run amok. Let us start with a simple example.

    char buf[80];
    void vulnerable() {
        gets(buf);
    }

In this example, gets() reads as many bytes of input as are available on standard input, and stores them into buf. If the input contains more than 80 bytes of data, then gets() will write past the end of buf, overwriting some other part of memory. This is a bug. Obviously, this bug might cause the program to crash or core-dump if we are unlucky, but what might be less obvious is that the consequences can be far worse than that. To illustrate some of the dangers, we modify the example slightly.

    char buf[80];
    int authenticated = 0;
    void vulnerable() {
        gets(buf);
    }

Imagine that elsewhere in the code is a login routine that sets the authenticated flag only if the user proves knowledge of a super-secret password, and other parts of the code test this flag to provide special access to such users. We can see the risk. An attacker who can control the input to this program can cause buf to be overrun, so that data is written after the end of buf. Assuming the compiler stores the authenticated variable in memory immediately after buf, then the authenticated flag will be overwritten by this data. Consequently, the attacker can arrange to make the authenticated flag become true by supplying, say, 81 bytes of input, where the 81st byte takes on any non-zero value. This would give the attacker special access even though the attacker doesn’t know the secret password, a security breach....
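The flag-overwrite scenario above, as an added example that is not part of the lecture notes: a struct makes the "flag stored immediately after buf" layout explicit, an unchecked copy stands in for gets(), and a bounded copy shows the fix. The struct, function names and the constructed input are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Models the layout the notes assume: the flag is stored right after buf. */
struct login_state { char buf[80]; int authenticated; };

/* The gets() pattern: input is copied with no bound on buf. The write is
 * clamped to the struct to keep the demo deterministic, but bytes past
 * buf[79] still land on `authenticated`. */
static void read_unchecked(struct login_state *s, const unsigned char *in, size_t n)
{
    if (n > sizeof *s) n = sizeof *s;
    memcpy((unsigned char *)s, in, n);
}

/* The fix: fgets()-style bounded read, at most 79 bytes plus a NUL;
 * longer input is refused rather than written. */
static int read_bounded(struct login_state *s, const unsigned char *in, size_t n)
{
    if (n >= sizeof s->buf) return -1;
    memcpy(s->buf, in, n);
    s->buf[n] = '\0';
    return 0;
}

/* Constructed input: fill buf, then one non-zero byte (the notes' "81st byte")
 * placed exactly where `authenticated` begins. Returns the input length. */
static size_t build_input(unsigned char *in)
{
    size_t off = offsetof(struct login_state, authenticated);
    memset(in, 'A', off);
    in[off] = 1;
    return off + 1;
}

/* Flag after the unchecked read: non-zero, the password check is bypassed. */
int flag_after_unchecked(void)
{
    struct login_state s = {{0}, 0};
    unsigned char in[sizeof s];
    read_unchecked(&s, in, build_input(in));
    return s.authenticated;
}
/* Flag after the bounded read: input refused, the flag stays 0. */
int flag_after_bounded(void)
{
    struct login_state s = {{0}, 0};
    unsigned char in[sizeof s];
    (void)read_bounded(&s, in, build_input(in));
    return s.authenticated;
}
```

The unchecked path yields a non-zero flag on any byte order (1 on little-endian machines), which is exactly the "non-zero value" the notes describe; the bounded path never writes beyond buf.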
This note was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at Berkeley.
