Lecture12 - IS 2150 TEL 2810 Introduction to Security James...

1 IS 2150 / TEL 2810 Introduction to Security
James Joshi, Associate Professor, SIS
Lecture 12, Nov 29, 2011
Vulnerability related to String, Race Conditions

2 Objectives
- Understand/explain issues related to programming-related vulnerabilities and buffer overflow
  - String related
  - Integer related
  - Race conditions

3 C-Style Strings
- Strings are a fundamental concept in software engineering, but they are not a built-in type in C or C++.
- C-style strings consist of a contiguous sequence of characters terminated by and including the first null character.
  - A pointer to a string points to its initial character.
  - String length is the number of bytes preceding the null character.
  - The string value is the sequence of the values of the contained characters, in order.
  - The number of bytes required to store a string is the number of characters plus one (times the size of each character).
[Figure: the characters h e l l o \0 in consecutive cells, with "length" marked]

4 Common String Manipulation Errors
- Common errors include
  - Unbounded string copies
  - Null-termination errors
  - Truncation
  - Write outside array bounds
  - Off-by-one errors
  - Improper data sanitization

5 Unbounded String Copies
- Occur when data is copied from an unbounded source to a fixed-length character array

    #include <stdio.h>

    int main(void) {
        char Password[80];
        puts("Enter 8 character password:");
        gets(Password);   /* no length limit: input past 79 characters overflows Password */
        /* ... */
    }

    #include <iostream>
    using namespace std;

    int main(void) {
        char buf[12];
        cin >> buf;   // no field width set: before C++20 long input is written past the end of buf
        cout << "echo: " << buf << endl;
    }

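6 Simple Solution
- Test the length of the input using strlen() and dynamically allocate the memory

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        if (argc < 2) {          /* argv[1] is NULL when no argument is given */
            return 1;
        }
        /* +1 leaves room for the terminating null character */
        char *buff = (char *)malloc(strlen(argv[1]) + 1);
        if (buff != NULL) {
            strcpy(buff, argv[1]);
            printf("argv[1] = %s.\n", buff);
            free(buff);
        }
        else { /* Couldn't get the memory - recover */
        }
        return 0;
    }
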
7 Null-Termination Errors
- Another common problem with C-style strings is a failure to properly null-terminate

    #include <string.h>

    int main(int argc, char* argv[]) {
        char a[16];
        char b[16];
        char c[32];
        /* each literal is 16 characters, so its '\0' does not fit in the 16-byte array */
        strcpy(a, "0123456789abcdef");
        strcpy(b, "0123456789abcdef");
        strcpy(c, a);
    }

- Neither a[] nor b[] is properly terminated

8 String Truncation
- Functions that restrict the number of bytes are often recommended to mitigate buffer overflow vulnerabilities
  - Example: strncpy() instead of strcpy()
- Strings that exceed the specified limits are truncated
- Truncation results in a loss of data and, in some cases, leads to software vulnerabilities

9 Improper Data Sanitization
- An application inputs an email address from a user and writes the address to a buffer [Viega 03]

    sprintf(buffer, "/bin/mail %s < /tmp/email", addr);

- The buffer is then executed using the system() call.
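
The slide's sprintf()/system() pattern with two defensive changes, as an added example that is not part of the lecture: an allow-list check on the address, and a bounded snprintf() whose truncation is treated as an error instead of being passed on. The helper names build_mail_cmd and addr_is_safe, the status codes and the allow-list policy are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { CMD_OK = 0, CMD_REJECTED = -1, CMD_TOO_LONG = -2 };

/* Allow-list (assumed policy): letters, digits and "._+-", exactly one
 * '@', and no leading '-' so the value cannot pass for an option. */
static int addr_is_safe(const char *addr)
{
    size_t i, at = 0;
    if (addr == NULL || addr[0] == '\0' || addr[0] == '-')
        return 0;
    for (i = 0; addr[i] != '\0'; i++) {
        unsigned char ch = (unsigned char)addr[i];
        if (ch == '@')
            at++;
        else if (!isalnum(ch) && strchr("._+-", ch) == NULL)
            return 0;   /* anything the shell could interpret is refused */
    }
    return at == 1;
}

/* Hypothetical helper: formats the slide's command into buf, or leaves
 * buf empty and returns an error. It never emits a truncated command. */
int build_mail_cmd(char *buf, size_t bufsize, const char *addr)
{
    int n;
    if (buf == NULL || bufsize == 0)
        return CMD_TOO_LONG;
    buf[0] = '\0';
    if (!addr_is_safe(addr))
        return CMD_REJECTED;
    n = snprintf(buf, bufsize, "/bin/mail %s < /tmp/email", addr);
    if (n < 0 || (size_t)n >= bufsize) {   /* output did not fit */
        buf[0] = '\0';
        return CMD_TOO_LONG;
    }
    return CMD_OK;
}

int main(void)
{
    char cmd[48];
    /* Constructed inputs: valid, shell metacharacter, option-like. */
    const char *in[] = { "alice@example.com", "alice@example.com;x", "-s@example.com" };
    for (size_t i = 0; i < 3; i++)
        printf("%d [%s]\n", build_mail_cmd(cmd, sizeof cmd, in[i]), cmd);
}
```

Passing the address as its own argv entry to an exec-family call, with no shell involved, removes the quoting problem altogether.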