Implementation flaws, buffer overruns

Security in Computing (3rd Edition)


CS 161 Computer Security, Fall 2005, Joseph/Tygar/Vazirani/Wagner
Notes 13
Topic: Software security; Common implementation flaws

The purpose of the next few lectures is to teach you about software security. Even if we've got the perfect system design, specification, and algorithms, there can still be vulnerabilities introduced when it comes time to implement. We will start by showing you some common implementation flaws. Because a lot of our security-critical applications have been written in C, and because C has peculiar pitfalls of its own, many of these examples will be C-specific. However, implementation flaws can occur at all levels: in improper use of the programming language, the libraries, the operating system, or in the application logic. By far the most common class of implementation flaw is the buffer overrun, so we will start there.

1 Buffer overruns

C is essentially a portable kind of assembler: in many ways, the programmer is exposed to the bare machine. In particular, C does not provide any sort of automatic bounds-checking for array or pointer accesses. In the case of a buffer overrun vulnerability (sometimes also called a buffer overflow), out-of-bounds memory accesses are used to corrupt the intended behavior of the program and cause it to run amok.

Let us start with a simple example.

    #include <stdio.h>

    char buf[80];

    void vulnerable() {
        gets(buf);   /* no length limit: a long line is written past the end of buf */
    }

In this example, gets() reads as many bytes of input as are available on standard input, and stores them into buf[]. If the input contains more than 80 bytes of data, then gets() will write past the end of buf, overwriting some other part of memory. This is a bug. Obviously, this bug might cause the program to crash or core-dump if we are unlucky, but what might be less obvious is that the consequences can be far worse than that.

To illustrate some of the dangers, we modify the example slightly.

    #include <stdio.h>

    char buf[80];
    int authenticated = 0;   /* the notes assume this is laid out immediately after buf */

    void vulnerable() {
        gets(buf);
    }

Imagine that elsewhere in the code is a login routine that sets the authenticated flag only if the user proves knowledge of a super-secret password, and other parts of the code test this flag to provide special access to such users. We can see the risk. An attacker who can control the input to this program can cause buf to be overrun, so that data is written after the end of buf. Assuming the compiler stores the authenticated variable in memory immediately after buf, then the authenticated flag will be overwritten by this data. Consequently, the attacker can arrange to make the authenticated flag become true by supplying, say, 81 bytes of input, where the 81st byte takes on any non-zero value. This would give the attacker special access even though the attacker doesn't know the secret password: a security breach.

We could conjecture a more serious version of this exploit. Suppose the code looked something like this:

    char buf[80];
    int (*fnptr)();
    ...
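A bounds-checked line reader that keeps the authenticated flag out of reach of input, as an added example that is not code from these notes. The names login_state, read_line_safe and feed_line are assumed here, and fmemopen over a constructed line stands in for standard input so the example runs on its own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Same layout the notes assume: the flag sits right after buf in memory. */
struct login_state {
    char buf[80];
    int authenticated;
};

/* Bounded replacement for gets(buf): read one line from 'in' into dst,
   never writing more than dstsz bytes. Returns 0 for a line that fit,
   1 if it was longer than dst (excess bytes are read and discarded, never
   written), -1 on EOF or error before any data was read. */
int read_line_safe(char *dst, size_t dstsz, FILE *in)
{
    if (dstsz == 0) return -1;
    if (fgets(dst, (int)dstsz, in) == NULL) { dst[0] = '\0'; return -1; }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';                 /* complete line: drop newline */
        return 0;
    }
    /* No newline: drain the rest of the line so the next read starts fresh,
       and report truncation if any bytes beyond the buffer were pending. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

struct read_result { int status; int flag; size_t len; };

/* Feed a constructed line of n 'A' bytes plus newline (an in-memory stand-in
   for stdin) through the reader and report what happened to the flag. */
struct read_result feed_line(size_t n)
{
    struct read_result r = { -1, -1, 0 };
    struct login_state s = { { 0 }, 0 };
    char line[256];                           /* constructed sample input */
    if (n + 1 >= sizeof line) return r;
    memset(line, 'A', n);
    line[n] = '\n';
    FILE *in = fmemopen(line, n + 1, "r");
    if (in == NULL) return r;
    r.status = read_line_safe(s.buf, sizeof s.buf, in);
    fclose(in);
    r.len = strlen(s.buf); r.flag = s.authenticated;
    return r;
}
```

With 81 bytes of input, the byte that would have landed on authenticated via gets() is instead read and thrown away, and the caller is told the line was truncated.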