Dr. Dobb's Journal - October 2008 - (Page 24)

Core Technology

Safe Coding Practices
Tips and tricks for C, C++, and Java
by Gwyn Fisher

Gwyn, Chief Technology Officer at Klocwork, has over 20 years of global technology experience. At Klocwork, Gwyn focuses on his original passion, compiler theory, to move static source code analysis to the next level.

Security is becoming more and more critical to developers in all types of environments, even those such as embedded systems that have until recently considered security a non-issue. In this article, I examine several types of coding vulnerabilities, pointing out what each vulnerability is, how you can mitigate the risk of exploitation within your code, and how best to find these types of flaws in your code.

Injection Flaws

When attempting to inject information into a running process, attackers are trying to alter the running state of the process toward some end goal that the developers did not guard against. For example, attackers could be trying to inject code into the process via stack corruption, resulting in the ability to execute code of the attacker's choice. Alternatively, attackers could be trying to inject data into a database for future use, or unguarded strings into a database query to extract more information than the original developer intended. Injection for any purpose is a bad thing and needs careful consideration at all times.

Perhaps the most malicious form of injection attack is code injection: placing new code into the memory space of the running process and then directing the running process to execute it. Successful attacks of this type can do almost anything, as the running process is totally hijacked and compromised to perform whatever the attacker desires. One of the most famous instances of this type of attack is the Windows animated cursor attack, and it is this pattern that I examine here.
Using a simple webpage, attackers can cause a malformed animated cursor file to be downloaded to the viewer's PC, cause that animated cursor to be invoked by the browser, and upon invocation cause arbitrary code injection to take place. In essence, it is a perfect attack vector, given that it requires zero physical access to the machine being attacked, zero end-user knowledge that anything untoward might be happening, and zero visible impact on end users if the payload of the attack is suitably crafted.

Consider Example 1(a), which is (of course) paraphrased from the Windows code that forms the basis for this type of attack vector. The developer here is making a basic assumption about the trustworthiness of the incoming stream. Trust the stream and everything is fine. Call that function with a stack-based type to be deserialized and an unknown stream of data, and code injection is bound to happen at some point.

So how does it happen? Assume you call the function as in Example 1(b). Now we have an attack vector that is wide open to exploit. The problem here is that SOMETYPE has a defined size at compile time. Assume that it is represented in memory using 128 bytes. Now assume you construct the incoming stream so that the lead 4 bytes (the length of what will get deserialized) read 256. Without checking the validity of what you are doing, you copy 256 bytes into a stack area reserved at only 128 bytes. Given the typical layout of a release-mode stack, you are in trouble.

Take a look at the stack to see why this is. Each function that is called lays out its local data in a frame on the stack, typically by subtracting the known size of that local data from the stack pointer on entry (plus any management data required to deal with the call chain itself). An idealized (pseudocode) function prolog emitted by the compiler reads something like:

    .foo
        sub sp, 128    ; sizeof SOMETYPE

The call to our exploitable function then reads something like:
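The trusting deserialization pattern described above, as an added example written for this page; it is not the article's Example 1 (the listings themselves are not reproduced on this page) and not Windows code. SOMETYPE and its 128-byte size follow the text; the 4-byte little-endian length prefix, the stream_t structure, and the names deserialize_unchecked, deserialize_checked, build_record and check_stream are assumptions made here. The hardened form adds the two checks the text says are missing: the declared length must match the fixed-size destination, and that many bytes must actually be present in the stream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOMETYPE as the text describes it: a fixed-size, stack-allocated type
 * occupying 128 bytes. Its contents are an assumption. */
typedef struct {
    uint8_t bytes[128];
} SOMETYPE;

/* A byte stream with the number of bytes actually present. 'len' is the
 * value the trusting code never consults. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Record format assumed here: 4-byte little-endian length, then payload. */
static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The trusting pattern from the text: whatever length the stream declares
 * drives the copy. With a prefix of 256 and a 128-byte 'out' on the
 * caller's stack, this writes 128 bytes past the object into the frame.
 * Shown for contrast only; it is never called on the attack stream. */
void deserialize_unchecked(stream_t *s, void *out) {
    uint32_t declared = read_u32le(s->data + s->pos);
    s->pos += 4;
    memcpy(out, s->data + s->pos, declared);   /* 'declared' is unbounded */
    s->pos += declared;
}

/* Hardened form. The declared length must equal the size of the fixed-size
 * destination, and that many bytes must still remain in the stream. On any
 * violation nothing is written and false is returned, so the caller can
 * reject the input instead of continuing with a half-filled object. */
bool deserialize_checked(stream_t *s, void *out, size_t out_size) {
    if (s->pos > s->len || s->len - s->pos < 4)
        return false;                      /* not even a full prefix */
    uint32_t declared = read_u32le(s->data + s->pos);
    size_t remaining = s->len - s->pos - 4;
    if (declared != out_size)
        return false;                      /* 256 into 128: rejected */
    if (declared > remaining)
        return false;                      /* prefix lies about length */
    memcpy(out, s->data + s->pos + 4, declared);
    s->pos += 4 + declared;
    return true;
}

/* Constructs a record in 'buf': prefix 'declared', then 'payload_len' bytes
 * of 0x41 filler. Returns bytes written, or 0 if 'buf' is too small. The
 * two arguments are independent so a prefix can lie about what follows,
 * exactly as an attacker-built stream would. */
size_t build_record(uint8_t *buf, size_t cap, uint32_t declared,
                    size_t payload_len) {
    if (cap < 4 + payload_len)
        return 0;
    buf[0] = (uint8_t)(declared);
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16);
    buf[3] = (uint8_t)(declared >> 24);
    memset(buf + 4, 0x41, payload_len);
    return 4 + payload_len;
}

/* Parses one constructed record into a stack-based SOMETYPE the checked
 * way and reports whether it was accepted. */
bool check_stream(uint32_t declared, size_t payload_len) {
    uint8_t buf[512];
    SOMETYPE t;                            /* the 128-byte stack object */
    size_t n = build_record(buf, sizeof buf, declared, payload_len);
    if (n == 0)
        return false;
    stream_t s = { buf, n, 0 };
    return deserialize_checked(&s, &t, sizeof t);
}

int main(void) {
    printf("well-formed 128-byte record : %s\n",
           check_stream(128, 128) ? "accepted" : "rejected");
    printf("prefix 256 (the attack)     : %s\n",
           check_stream(256, 256) ? "accepted" : "rejected");
    printf("prefix 128, 64 bytes present: %s\n",
           check_stream(128, 64) ? "accepted" : "rejected");
    return 0;
}
```

check_stream(256, 256) is the 256-into-128 stream from the text; the checked parser rejects it before memcpy runs. Testing for declared == out_size rather than declared <= out_size is deliberate for a fixed-size type: a short record would otherwise leave part of the stack object uninitialised, which is its own class of bug. The truncated-stream check matters just as much, because a prefix larger than the bytes present turns the copy into an out-of-bounds read of whatever follows the input buffer.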