SECURE PROGRAMMING Chapter 2 Strings

SECURE PROGRAMMING

Chapter 2

Strings

Overview

● Arrays and their Problems● Character Strings● Common String Manipulation errors● String Vulnerabilities and exploits● Mitigation Strategies● String Handling Functions, the bad and the good● Runtime Protection Strategies● Some Notable Vulnerabilities● Summary

Arrays and their Problems

1) Hard to determine size.

2) Size defaults may not work.

3) Easy to index an array out of bounds.

4) Easy to write non-portable code (non-consistent handling, for example).

5) Size parameters may be wrong (see 3))

6) Array copying may overflow the array

7) Pointer arithmetic may be incorrect.

Character Strings

The problem: Many strings come from outside:• Command line arguments• Environment variables• Console or other input• Text files• Network Connections

Strings are not built-in to C/C++, though there is (some) Library support

Character Strings: String Data Type

Most people implement a string as a Null terminated array of characters; addressed by a pointer. Have all the problems of arrays magnified because most string manipulation is done through procedures.

Five Important terms for arrays:

1. Bound = size of the array.

2. Lo = Address of first element of the array

3. Hi = Address of last element of the array

4. TooFar = The address of the one-too-far element of the array = Hi + 1 = Lo + Bound

5. Target size (Tsize) = Bound


Two more terms for strings.

1. Null-terminated if there is a null character within the array.

2. Length: For null-terminated strings, the number of characters before the (first) null terminator.

Problem with determining array size (clear procedure)


More problems:

What Characters? “Execution Character Set”

-locale- setlocale() function

Basic execution character set: 26 UC/LC letters, 10 digits 29 graphic characters, space, 33 control characters including HT VT FF Bell BS CR NL, NULL, DEL

Execution character set may contain many characters, require multiple bytes to represent a character (multibyte character set); basic character set still present. Locale-specific shift states.

Character Strings: UTF-8

Can represent any character in the Unicode character set, use 1-4 bytes.

0-127, 1 Byte

o.w As many 1 bits as the total number of bytes in the sequence, followed by a 0 bit; all succeeding bytes start with 10.

Thus: If leading 0, 1 byte:

If leading 11, start of multibyte code

If leading 10, continuation of multibyte code.

(Watch out for vulnerabilities!)

Character Strings: UTF-8

Wide Strings

16 or 32 bit characters

Terminated with a null wide character.

As is the case with regular strings (with caveats!)● Pointers point to left-most character.● The length is the number of wide characters

preceding the null wide character.● The value is the sequence of code values of the

contained wide characters, in order.

String Literals

Enclosed in double quotes “

Wide string literals prefixed by L

String literal tokens are concatenated together. If any of them is prefixed by L, the string is a wide string. Example in text, page 34. Null appended, used to initialize a static array.

In C, such a string is modifiable (no 'const' modifier available) but modification is “forbidden”.

Watch for declarations of the form:

const char s[3] = “abc”; //Not Null terminated string. Use:

const char s[] = “abc”

Strings in C++

● Proliferation of string classes.● Standardized (STL) down to

● String = typedef for basic_string<char>● Wstring = typedef for basic_string<wchar_t>

● Also allows:● null-terminated byte string (NTBS)● NTMBS is an NTBS that contains a sequence

of valid multibyte characters and ends in the same shift state it starts.

Strings in C++ (2)

basic_string class template specializations are safer than NTBS, but

NTBS are required all over the place:● Literals are NTBS● Existing libraries need NTBS or NTMBS

string objects are passed by value or reference, while c-strings are passed by pointer.

Thank goodness for member function data aka c_str

Character Types

Three types:● Plain● Signed● Unsigned

May cause compiler warnings if the wrong type is used.

int

Some gotcha's:● Getc and friends return an int so that EOF is an

authentic -1.● Functions in ctype.h (cctype) like isalpha accept an

int because they might be passed the result of a getc or similar.

● In C, a character constant has type int, so that sizeof('a') is 4, not 1. In C++ a character constant has type char and its size is 1.

Wide character literals have type wchar_t and multicharacter literals have type int.

Unsigned char and wchar_t

Unsigned char: all bits handled equally; pure binary. No padding bits, no trap representation, no sign extension, etc.

wchar_t: Can be used for natural-language character data. For characters in the basic character set, it does not matter, except for type compatibility issues.

Sizing String headaches

Three important numbers:

Size = number of bytes allocated to the array (sizeof(a))

Count = number of elements in the array (maybe different from size!)

Length = Number of characters before null terminator.

Notes:

If characters are wide, size may be 2*count or 4*count. (depends on OS)

Length MUST be smaller than count.

See Program fragments in book, pages 40-41.

Common String Manipulation Errors

● Use of gets NONONONONONONONO!!!!!!!!!!● Improperly bounded string copies. Do not use:

● strcpy()● strcat()● sprintf()

● Watch out for:● Input strings● Environment strings● Parameter strings.... (see programs, pp 42-47)


● Sizing strings: ● do not use strlen for wide strings; use wcslen● Multiply result by sizeof(wchar_t)

Programs, pages 41-42● Improperly bounded string input:

● Do not use:● gets● cin of string with unbounded length● Unbounded string scanf

See programs pp 42-43 (the program on page 43 is a typical implementation of gets)


● Careless copying and concatenation of strings

Program, page 44● Watch for strcpy, strcat, memcpy, sprint, etc.

● Off-by-one errors. (see program, page 47)● Null termination errors (pp 49-49)● String truncation● If you implement them yourself, you may still be

in trouble! (page 50)

String Vulnerabilities and Exploits

● String Vulnerabilities and Exploits● Where does your data come from? Are you

sure?

Program on page 51 is bad:● Uses gets● Doesn't even check the exit status of gets


String Vulnerabilities and exploits



(see ASM code, pp 56-58)

Effect called “Stack Smashing”

Example follows (remember the code from IsPasswordOK?)






This exploit is called “arc injection”


● Code Injection:● Injection of malicious address and malicious

code● Must be acceptable as legitimate input● May not cause abnormal termination● Must result in execution of the malicious code.

● IsPasswordOK is vulnerable (page 65)● Exploit with fgets and strcpy on page 66

(unclear; obviously not tested).


Arc injection aka return-into-libc includes:

Branching to an existing function

System(), exec(), setuid() are favorites

Example of vulnerable code, page 70

Prevents memory-based protection schemes from working.


Return-Oriented Programming

“gadget” = sequence of instructions followed by return.

Turing-complete set exists for many architectures, including x86, Solaris libc and there is a compiler.

Programs use the stack; values are pushed/popped,

return addresses can be skipped for branching.

Actually similar to FORTH programming.

Mitigation Strategies

Two kinds:

Prevent buffer overflows

Detect buffer overflows and recover securely

Best to do defense in depth and apply both.


Preventing Buffer Overflows:

Cert recommends using a consistent plan for managing strings.

Three models:

1) Caller allocates and frees

Most likely to prevent memory leaks

2) Callee allocates, caller frees

Ensures sufficient memory is available

3) Callee allocates and frees (only available in C++)

Most secure of the three solutions


Mitigation strategies:

Caller allocates and frees:C <string.h> family expanded with c11 functions:

strcpy_s strcat_s strncpy_s strncat_s

See example 2.5, 2.6, pages 74,75


Callee allocates and frees

Biggest problems:

DOS attack by exhausting memory

Dynamic memory management errors

Example 2.7 p 77

FILE *fmemopen , *open_memstream(signature, p78) to do memory “I/O”

Example code, page 79

Dynamic allocation disallowed in safety-critical systems


C++ string class pp 80-83

String Handling Functions, the bad and the good

gets: replace with fgets or getchar

Examples 2.9, 2.10, pp 84-86

… or gets_s

Example 2.11, page 87

… or getline() (~= getdelim())

Example 2.12, p88


Strcpy() and strcat()

Fixes:

Allocate required space dynamically

Strncpy and strncat are not recommended.

Strlcpy() and strlcat() (always null-terminate result)

strcpy_s and strcat_s (implementation, page 91)

Strdup() (dynamically allocated, requires free().

Summary, pp 92-93


strncpy() and strncat() (p 93)

See strncpy_s (p 95) and strncat_s (pp 97-98)

strndup() (uses dynamic memory allocation)

Summary on p 99


memcpy() and memmove(): replace by memcpy_s() and memmove_s() respectively

Watch out for strlen(). There is an strlen_s, strnlen and strnlen_s, all identical.

Runtime Protection Strategies

Detection and recovery

Provided via:

input validation

the compiler and its runtime system (e. g. array bounds checking)

Operating system

Runtime Protection StrategiesInput Validation

Input data size checking.

Object size checking (with ___builtin_object_size()) Use by turning on _FORTIFY_SOURCE=n for n ⩾ 1 (p 104, 105)

Runtime Protection StrategiesThe compiler, runtime system.

Visual Studio Compiler-Generated Runtime Checks

Turn on with flags: /RTCs turns on checks for:

Local variable overflows (including arrays)

Use of uninitialized variables

Stack pointer corruption

Can be tweaked: #pragma runtime_checks(“s”, off/restore)

Runtime Bounds Checkers:

Libsafe

Libverify

CRED

Runtime Protection StrategiesThe compiler, runtime system

Stack Canaries:

StackGuard

GCC's Stack-Smashing Protector aka ProPolice

-fstack-protector[-all] -wstack-protector

C++ .NET stack overrun detection capability /GS

recommend adding: #pragma strict_gs_check(on)

recommend adding #pragma string_gs_check(on)

Recommend compiling with /GS flag and linking with /GS compiledlibraries.

Runtime Protection StrategiesThe Operating System

Address space layout randomization

Linux (PaX project, 2000)

Windows, since Vista

MAC OS X since 2007/2011, IOS since 4.3

Nonexecutable Stacks

W^X

Data Execution Prevention (Microsoft Visual Studio)

PaX marked stack as non-executable

StackGap

Some Notable Vulnerabilities

rlogin – strcpy

Kerberos

Summary

● Arrays and their Problems● Character Strings● Common String Manipulation errors● String Vulnerabilities and exploits● Mitigation Strategies● String Handling Functions, the bad and the good● Runtime Protection Strategies● Some Notable Vulnerabilities

Documents

SECURE PROGRAMMING Chapter 2 Strings