CSC 2045: C-Strings and Security

Questions and Answers

What is a primary reason programmers often write insecure code?

Programming in C always leads to security issues.

Using C-string functions is always safe.

Security considerations add extra development time and cost. (correct)

Most programmers are security experts.

What issue can arise from improper C-string manipulation?

Null-termination without any adverse effects.

Memory leak leading to data corruption.

Buffer overflow causing program crashes or security vulnerabilities. (correct)

Automatic memory handling eliminating all buffer concerns.

How can developers prevent buffer overflows in their C/C++ programs?

By allowing unrestricted memory access to optimize performance.

By implementing proper input validation and boundary checking. (correct)

By increasing buffer sizes indefinitely.

By avoiding the use of C-strings altogether.

What is the consequence of a buffer overflow in C/C++ programs?

An attacker may gain control over the vulnerable program.

What is a significant challenge associated with C-string manipulation?

C-style strings must always be terminated by a special character.

What distinguishes C-style strings from other string types in programming languages?

They are stored as arrays of characters with a null terminator.

What must be done when creating a C-style char array to accommodate a string?

Include an extra space for the null terminator.

What error is likely to occur when using standard string functions like strcpy and strcat?

Overwriting the destination buffer's allocated space.

Which of the following functions is specifically used to copy a specified number of characters from one string to another?

strncpy

What is the result of writing beyond the index of the null terminator in a C-style string?

A Buffer Overflow error happens.

In C++, what are C-style strings primarily managed by?

The developer through manual memory management.

Why is extra care needed when concatenating C-style strings?

They do not check for the size of the destination buffer.

What happens if you create a C-style string without sufficient space for the null terminator?

Buffer overflow might occur.

What does the function strlen() do?

Finds the length of a string.

What is a defining characteristic of C-strings in C++?

They require a null terminator to indicate the end of the string.

What type of string is introduced in modern C++ that is recommended over C-strings?

C++ string from the library

What is one reason why C-strings are less preferred in modern C++ programming?

They require manual memory management.

Which of the following best describes the relationship between char type and C-strings?

C-strings can only contain char type values.

What character signifies the end of a C-style string?

'\0'

When declaring a C-style string of 49 letters, how many characters should the array be defined to hold?

50

What is a major issue caused by the lack of inherent length information in C-strings?

Increased risk of buffer overflows

What issue may arise when using signed char types with C-string functions?

They can cause integer overflow if negative values are involved.

What is a potential consequence of passing a negative signed char to a C-string function?

The function may produce results that seem correct but are misleading.

What should a programmer be cautious about when manipulating C-strings containing signed chars?

They should verify that characters do not have negative integer representations.

Which statement accurately describes how C-string functions handle signed chars?

They may not always convert signed chars, affecting function behavior.

Study Notes

Course Information

• Course name: CSC 2045
• Topic: Legacy C++: C-strings

Objectives

• Understand vulnerabilities associated with C-string manipulation, including buffer overflows, format string vulnerabilities, and null-termination issues.
• Implement secure C-string manipulation techniques. This includes proper input validation, checking for buffer overflows, and ensuring correct string termination in C/C++ programs.
• Implement a program that detects potential overflows due to sign errors or truncation.

Agenda: Week 13

• Why do programmers write insecure code?
• Buffer Overflows
• C-Style Strings and Null Terminators
• C-String functions:
  • Signed and unsigned char
  • <cctype> and sizeof operator
  • SEI Characters and Strings

Pre-Challenge

• Read the first part of 5.4 Strings and answer the multiple-choice question.
• Q-1: What is the correct definition of C-strings?

Legacy Code

• C is an unsafe language, and its standard library string functions are unsafe and do not account for buffer protection.
• C's widespread use makes its simple methods prone to dangerous exploits.
• Most programmers aren't security specialists—they often don't think like attackers.
• Security measures increase development time and cost (e.g., red teaming and extra testing).

Restrict to Buffer Bounds

• Programs use memory buffers to capture input and process data.
• Buffer overflows occur when a program attempts to write beyond the allocated buffer space, either by writing more data than the buffer can hold or by writing into memory areas outside the buffer's boundary.
• Buffer overflows are a common and dangerous security vulnerability that can give attackers complete control of the vulnerable program.

Restrict to Buffer Bounds (High-Level Languages)

• Most high-level programming languages either automatically resize arrays or detect and prevent buffer overflows, protecting against buffer boundary issues.
• C/C++ languages lack automatic protection mechanisms.
• Some languages (e.g., C#, Ada, and Pascal) may disable overflow protection for performance.
• The safety measures of high-level languages might not be fully extended to libraries written in C/C++.

C-Style Strings in C++

• C++ has two types of strings: C-style strings and C++-style strings.
• C-style strings are prevalent in legacy code.
• C-style strings are arrays that use functions from the <cstring> library.
  • strcat: Adds strings (beware of potential buffer overflows).
  • strlen: Determines string length (returns the number of characters excluding the null terminator).
  • strcmp: Compares strings.

C-Style Strings: Null Terminated

• C-style strings are null-terminated ('\0').
• When creating a C-style character array, one extra space is required for the null terminator.
• The null terminator acts like a period; though it's not a character itself, it's crucial for string processing by telling the program where the string ends.
• Writing past the null terminator results in a buffer overflow vulnerability.

C-Style Strings

• C does not have a dedicated string type like other languages. C-style strings are implemented using character arrays.

C-Style Strings: Stack & Heap

• C-style strings are stored on the stack or the heap, depending on the memory management strategy used. Stack memory is automatically managed, and heap memory requires explicit allocation and deallocation.

String Copy and Concatenation

• Copying and concatenating strings in C can introduce errors if the destination buffer size is not carefully managed because functions like strcpy and strcat don't check for the destination buffer size; they can easily lead to buffer overflows.

Solution But Still Not Compliant

• Test input length using strlen() to dynamically allocate memory to prevent overflowing the destination buffer. This is crucial for preventing buffer overflows, and significantly more secure than using strcpy or strcat.

strncpy, source, num

• strncpy copies up to num characters from the source string to the destination.
• If the source string is shorter than num, the destination is padded with null (\0) characters.
• If not null-terminated in the original source up to the num characters, the destination may not be automatically null-terminated. This often implies a critical vulnerability.

String Truncation

• Functions like strncpy, fgets, and snprintf limit byte counts to prevent buffer overflows. These functions prevent writing past the allocated buffer.
• Strings exceeding the limit are truncated to fit within the allocated space. This can cause data loss—important consideration. Truncation is a key aspect of protecting against buffer overflows.
• Truncation results in data loss and potential software vulnerabilities.

Dynamically Allocated Strategies

• Dynamically allocated buffers resize as more memory is needed.
• Dynamic memory allocation scales better for variable-length data.
• However, improper management can lead to memory exhaustion, potentially causing denial-of-service attacks.

Functions

• <cctype> functions take an integer (representing a character or a boolean value) and return an integer.
• These functions help determine if characters are alphanumeric, alphabetic, blank, control characters, etc. This is vital for input validation and data processing.
• <cctype> helps validate input and represent data.

sizeof Operator

• The sizeof operator returns the size (in bytes) of an object or data type. Its behavior depends on the computer architecture.
• sizeof(char), sizeof(signed char), and sizeof(unsigned char) usually evaluate to 1 byte. In general, sizeof is vital for understanding memory usage and array sizes in C and C++.

SEI Risk Assessment: Do Not Apply sizeof with Arrays

• Incorrectly using sizeof on arrays can trigger buffer overflows, allowing potential exploits.

Mitigate Against (C-Style Strings)

• Prevent buffer overrun attacks. This significantly reduces the risk of exploitation.
• Do not create strings that have missing null-termination characters (unterminated strings).
• Do not unexpectedly shorten (truncate) strings. Maintain proper data length.
• Preserve the null-terminated string data type. This is crucial to avoiding common security vulnerabilities, which could allow attackers to compromise programs.
• Use compile-time checking to identify potential issues.
• Make errors easily noticeable and fixable. Effective error handling helps reduce vulnerabilities.
• Have a consistent pattern for function parameters and return types to reduce errors. Maintaining consistency in coding is vital.

Post-Review

• Complete the quiz on C-Style Strings.

Description

This quiz focuses on the vulnerabilities associated with C-string manipulation in C++, including buffer overflows and format string vulnerabilities. Participants will learn about secure techniques for managing C-strings, such as proper input validation and checking for buffer overflows. Test your understanding of these crucial concepts and improve your programming practices.