CSC 2045 - Legacy IO Quiz

Questions and Answers

What is a critical characteristic of C-Strings?

They are automatically expanded for size.

They are enclosed in double quotes.

They can hold more than one data type.

They are null terminated with the null-terminated character. (correct)

What is the purpose of the 'argc' parameter in the main function when using command-line arguments?

It counts the number of command-line arguments passed, including the program name. (correct)

It serves as the address of the command-line parameters.

It stores the return type of the program.

It represents the first command-line argument passed.

In C/C++, how are command-line arguments typically accessed in the main function?

Using an array of character pointers. (correct)

By passing them as strings within parentheses.

Using the same parameter format for all functions.

Through global variables initialized at runtime.

What vulnerability can occur when improperly handling C-String input?

Buffer overflow or input overflow.

Which statement accurately describes the behavior of the enter key during C-String input?

It is stored in the input buffer and represented as a newline character.

What is a primary vulnerability associated with the gets() function?

It can lead to buffer overflow if input length exceeds the array size.

Why is gets() no longer available in C/C++ as of C11 and C++14?

It is prone to buffer overflow vulnerabilities.

What is a risk of using C-strings with input functions?

They can lead to buffer overruns if sizes are fixed and managed poorly.

Which function reads from stdin, including whitespace characters?

getchar

What is a significant risk associated with the gets() function?

It can lead to buffer overflow vulnerabilities.

What makes fgets() a more secure alternative to gets()?

It ensures the buffer size is specified to prevent overflow.

Why is using fflush(stdin) to clear an input buffer considered incorrect?

It may cause undefined behavior in C/C++.

What is a common trigger for input data to be sent to a program in buffered input streams?

Pressing the Enter key.

What characteristic of standard C/C++ input streams can complicate clearing unwanted data?

Input streams are buffered, causing delays in data retrieval.

Which statement describes the behavior of fgets() compared to gets()?

fgets() allows for limits on input length to avoid overflow.

What is a significant risk when using C-strings with input functions?

They can lead to buffer overflow if size is not managed.

What is a primary issue that can arise from using the printf function with unvalidated user input?

It may allow an attacker to manipulate memory and execute arbitrary code.

In what way can unhandled Format Functions in an application impact its security?

They can lead to denial of service or execute arbitrary commands.

What consequence results from insufficient argument validation in functions like printf?

It can allow an attacker to read sensitive information from the stack.

Study Notes

CSC 2045 - LEGACY IO

• Objectives:
  • Identify legacy Input/Output (IO) mechanisms in C/C++ codebases and assess associated vulnerabilities.
  • Design and implement a program demonstrating correctly/incorrectly formatted output functions.

Agenda - Week 12

• C-String
• Command-line arguments
• I/O Streams
• Legacy Input Vulnerabilities
• Legacy Output Vulnerabilities
• Format String Attacks
• Format String
• printf
• Preventing Format String Exploit

C-Style Strings

• C-Strings are null-terminated: \0
• One additional space is required for the null terminator.
• Dynamic/run-time memory is used.
• Heap memory is managed by the programmer (allocation with new/malloc, deallocation with delete/free).
• Passing a C-String to a function automatically passes by reference (the address of index [0]).

C-String Input Vulnerability

• Most data exchanged between an end-user and a software system is done through command-line arguments, environment variables, and console input.
• The input buffer keeps all inputted values in the stream, including the enter key press (\n).

Command-Line Arguments

• The main function is the most important function in C/C++.
• It's typically defined with an int return type and no parameters: int main() { /* ... */ }
• C/C++ allows command-line arguments to be passed into the main function.
• Command-line arguments are passed into the main program when it is run.
• int main(int argc, char *argv[]) { /* ... */ }
• int argc holds the number of command-line arguments (including the program name).
• char *argv[] is an array of character pointers that hold the individual arguments. argv[0] is the name of the program.

Main Command Arguments

• argc (Argument Count) stores the number of command-line arguments including the program name.
• The value of argc should be non-negative.
• argv (Argument Vector) is an array of character pointers listing all the arguments.
• If argc is greater than zero, the array elements from argv[0] to argv[argc-1] contain pointers to C-style strings.
• argv[0] is the name of the program.

I/O Streams

• Streams (stdin and stdout) have properties defining how input/output functions handle data.
• A buffer is a memory block that accumulates data before physical read/write to a file or device.
• Standard C/C++ input streams are buffered.
• Input from the keyboard is buffered by the operating system until the Enter key is pressed.

Input Stream Libraries & Functions

• <cstdio>:
  • scanf: Reads formatted input from stdin. Using scanf without proper input validation can lead to format string exploits. scanf is vulnerable to buffer overflows, format string attacks, and other vulnerabilities if not used carefully. Using the correct format specifiers for input is crucial.
  • gets: Reads a string from stdin. gets is extremely dangerous and should never be used! It is particularly dangerous due to its lack of buffer size checking, leading to buffer overflows. Use fgets instead. It's crucial to avoid using gets.
  • getc, getchar: Reads a character from stdin.
• <iostream>:
  • std::istream::getline: Reads the entire line. Safely reads lines from input streams.
  • std::cin >>: Reads data until whitespace. Also, prone to vulnerabilities if not used correctly with proper validation, use with caution, and consider alternatives when possible. Using proper validation and error handling is important.

Scanf Vulnerabilities

• scanf reads formatted data from stdin.
• scanf basics: The good, the bad, and why so many ampersands?
• Discusses scanf's strengths, weaknesses, its function, and why ampersands are used in front of arguments. Critical to understanding potential vulnerabilities when using scanf.

gets() Vulnerability

• gets() receives the array name (pointer), doesn't know the size of the array, and has no buffer size checking.
• gets() reads all available data into the array, leading to buffer overflows if input exceeds buffer size.
• If more data than the array size is input, it causes a buffer overflow.
• gets() is no longer available in C11 and C++14. This function is extremely dangerous and should never be used due to the vulnerability it creates. Use safer alternatives like fgets.

getchar Vulnerabilities

• getchar() reads one character at a time, provides better control, but has additional performance overhead.

istream::getline

• Extracts characters from a stream, storing them in s as a C-string until a delimiter or n characters are written (including '\0').
• std::istream::getline operates on C-style strings from <iostream>.
• std::getline operates on C++ std::string from <string>. Using std::string is a safer alternative than C-style strings to prevent buffer overflows.
• C-strings have fixed sizes, making them vulnerable to buffer overflows, use std::string for safe string handling.

std::cin & C-String Vulnerability

• The first read will not overflow the buffer bufOne but can fill it with truncated data.
• The second read can still overflow bufTwo.
• It's essential to call width() before each operator>> call to prevent the buffer from overflowing.
• This doesn't account for truncated input, potentially leading to information loss or vulnerability. Critical to use the width functionality with std::cin.

Legacy: Flush the Input Buffer

• Clear unwanted data in input streams for security.
• A call to a read function that failed to input all available data.
• Ensure the user doesn't use the "type ahead" approach.
• There's no guaranteed method to clear input streams in legacy C/C++.
• If unwanted data is in the input stream, use a loop to read all data. Using std::cin.ignore or similar methods (e.g. std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n')) is often preferable to prevent issues.

Output Stream Libraries & Functions

• <cstdio>:
  • printf: Prints formatted output to stdout.
  • puts: Prints a string to stdout.

Format String Attack

• The format string exploit occurs when submitted data of an input string is evaluated as a command by the application.
• An attacker can execute code, read the stack, or cause segmentation faults, compromising security or stability. Explicitly validating user input is crucial to avoiding this attack. Always sanitize user input.

Format String

• Format string specifiers:
  • %c: Character
  • %d: Integer
  • %x: Hexadecimal
  • %n: Number of characters printed before %n. %n is hazardous and should be avoided.
  • %s: String
  • %f: Floating-point.
• Format string functions: printf, fprintf, sprintf, snprintf (and their differences). Understand the potential vulnerabilities of each function.
• Format string vulnerability arises when a program expects a value but instead receives a format specifier.

What is Use of %n in printf()?

• %n is a special format specifier in printf() that loads the corresponding argument variable with the number of characters printed before %n. %n is hazardous and should be avoided.

Do Not Pass Non-Null-Terminated

• Many library functions require null-terminated strings.
• Passing non-null-terminated strings can access memory outside object bounds, leading to crashes or security vulnerabilities.
• If the array bound is not given, the compiler allocates enough storage for the whole string literal (including the \0 terminator). Always ensure that strings are null-terminated to prevent memory issues when using C-style strings. Null termination is crucial.

Preventing Format String Exploit

• Input validation is crucial.
• Format Guard helps.
• Kimchi, ASLR are defensive techniques.
• While format string vulnerabilities are hard to exploit, the impact can be significant, leading to complete system compromise. Safe code practices are vital to avoid vulnerabilities!

Description

Test your knowledge on legacy Input/Output mechanisms in C/C++. This quiz will cover C-strings, command-line arguments, and various vulnerabilities associated with legacy IO. Additionally, you'll explore format string attacks and how to prevent them in your programs.