CSC 2045 - Legacy IO Quiz

Questions and Answers

What is a critical characteristic of C-Strings?

They are automatically expanded for size.

They are enclosed in double quotes.

They can hold more than one data type.

They are null terminated with the null-terminated character. (correct)

What is the purpose of the 'argc' parameter in the main function when using command-line arguments?

It counts the number of command-line arguments passed, including the program name. (correct)

It serves as the address of the command-line parameters.

It stores the return type of the program.

It represents the first command-line argument passed.

In C/C++, how are command-line arguments typically accessed in the main function?

Using an array of character pointers. (correct)

By passing them as strings within parentheses.

Using the same parameter format for all functions.

Through global variables initialized at runtime.

What vulnerability can occur when improperly handling C-String input?

Buffer overflow or input overflow. (D)

Which statement accurately describes the behavior of the enter key during C-String input?

It is stored in the input buffer and represented as a newline character. (D)

What is a primary vulnerability associated with the gets() function?

It can lead to buffer overflow if input length exceeds the array size. (A)

Why is gets() no longer available in C/C++ as of C11 and C++14?

It is prone to buffer overflow vulnerabilities. (B)

What is a risk of using C-strings with input functions?

They can lead to buffer overruns if sizes are fixed and managed poorly. (A)

Which function reads from stdin, including whitespace characters?

getchar (A)

What is a significant risk associated with the gets() function?

It can lead to buffer overflow vulnerabilities. (C)

What makes fgets() a more secure alternative to gets()?

It ensures the buffer size is specified to prevent overflow. (B)

Why is using fflush(stdin) to clear an input buffer considered incorrect?

It may cause undefined behavior in C/C++. (A)

What is a common trigger for input data to be sent to a program in buffered input streams?

Pressing the Enter key. (C)

What characteristic of standard C/C++ input streams can complicate clearing unwanted data?

Input streams are buffered, causing delays in data retrieval. (C)

Which statement describes the behavior of fgets() compared to gets()?

fgets() allows for limits on input length to avoid overflow. (A)

What is a significant risk when using C-strings with input functions?

They can lead to buffer overflow if size is not managed. (D)

What is a primary issue that can arise from using the printf function with unvalidated user input?

It may allow an attacker to manipulate memory and execute arbitrary code. (B)

In what way can unhandled Format Functions in an application impact its security?

They can lead to denial of service or execute arbitrary commands. (A)

What consequence results from insufficient argument validation in functions like printf?

It can allow an attacker to read sensitive information from the stack. (B)

Flashcards

Buffer

A block of memory used to temporarily store data before it is transferred to a file or device.

Input Buffering

The process where the operating system temporarily stores keyboard input before it reaches your program.

scanf

A standard C/C++ function used for reading formatted data from the standard input stream (stdin).

gets

A standard C/C++ function that reads an entire line of input from stdin, including spaces.

getchar

A standard C/C++ function that reads a single character from stdin.

istream::getline

A class method in C++ used for reading an entire line from an input stream, including spaces.

Buffer Overflow

The vulnerability that occurs when using scanf, gets, or similar functions where the input size exceeds the allocated buffer size, leading to data overwriting unintended memory locations.

gets() Vulnerability

A vulnerability that occurs when using gets() since it relies on the pointer alone, making it impossible to determine the size of the input array, leading to uncontrolled data writes.

C-String Vulnerability

A vulnerability that occurs when reading data into fixed-size C-style strings, because if the input exceeds the string's allocated size, it can overwrite memory beyond the intended boundaries causing potential crashes or security issues.

std::cin & C-String Vulnerability

A vulnerability that arises from the use of cin in C++ with C-style strings. While the initial read may not overflow, subsequent reads could truncate the original input string, potentially causing errors.

What are C-style strings?

C-style strings are a fundamental data type in C used to represent sequences of characters. They are null-terminated, meaning they end with a special character '\0' indicating the end of the string. These strings are stored in the heap memory, which is dynamically allocated during program execution. This allows for flexibility in managing string lengths but requires careful memory management by the programmer through techniques like allocation (using 'new' or 'malloc') and deallocation (using 'delete' or 'free'). Passing a C-string to a function essentially makes it a pass-by-reference operation, as the function directly works with the memory location of the first character of the string.

Why are C-style strings vulnerable?

C-style strings are vulnerable to buffer overflows because they rely on the programmer to manage memory limits. When a program reads data into a string without checking its size, it can overwrite memory allocated to other parts of the program leading to unpredictable behavior or security breaches.

How can C-style strings cause vulnerabilities?

When a program gathers input from users or system settings, it often uses C-style strings to store the information. However, if the input contains more characters than the allocated string memory can hold, it can overflow the memory buffer, potentially overwriting or corrupting important data and potentially triggering security vulnerabilities.

What are command-line arguments?

Command-line arguments offer a way to provide extra information or options to a program when it's executed. They are accessed in the main function using the 'argc' (argument count) and 'argv' (argument vector) parameters. The 'argc' variable indicates the total number of command-line arguments passed, including the program's name itself. 'argv' is an array of strings that includes the command-line arguments as individual strings. This feature enables customizing a program's behavior based on user-specified inputs.

What are "stdin" and "stdout"?

"stdin" and "stdout" are standard input and standard output streams, respectively. They represent the default pathways for data to enter and exit a program. Stream properties influence how functions manage data flow. For instance, a function interacting with "stdin" might process data character by character, whereas a function interacting with "stdout" might handle data in a specific format.

fgets()

A standard C library function used for reading formatted input from the standard input stream (stdin). It's safer than gets() because you can specify the size of the input data.

fgets()

A safe alternative to gets(). It reads data from a file or stream into an array, but it also checks the maximum length of the data to avoid overflowing the buffer.

Function Arguments

Function arguments are values or addresses passed to a function when it is called. They are used as inputs for the function's operations.

Argument Passing

The process of moving data from one location in memory to another, specifically when a function is called and its arguments are passed to the function.

Stack Frame Argument Order

The method of storing function arguments on the stack in a specific order, typically right-to-left, before a function is called. This order determines how the arguments are accessed by the function.

String

A series of characters, often used to represent text, input, or data within a program. Think of it as a sequence of letters, numbers, or symbols.

Format Function

A function like printf or fprintf, used to convert data like numbers or variables into human-readable text.

Format String

The argument passed to the Format Function. A sequence of text and formatting parameters like '%x' or '%s' that defines how the data is presented.

Format String Parameters

These occur within the Format String, specifying how the Format Function should convert and display the given data. For example, '%x' converts data as a hexadecimal number.

Format String Exploits

A vulnerability that arises when a program fails to properly validate user input, allowing attackers to manipulate the format string parameters. This can lead to code execution, reading the stack, or crashing the application.

Study Notes

CSC 2045 - LEGACY IO

• Objectives:
  • Identify legacy Input/Output (IO) mechanisms in C/C++ codebases and assess associated vulnerabilities.
  • Design and implement a program demonstrating correctly/incorrectly formatted output functions.

Agenda - Week 12

• C-String
• Command-line arguments
• I/O Streams
• Legacy Input Vulnerabilities
• Legacy Output Vulnerabilities
• Format String Attacks
• Format String
• printf
• Preventing Format String Exploit

C-Style Strings

• C-Strings are null-terminated: \0
• One additional space is required for the null terminator.
• Dynamic/run-time memory is used.
• Heap memory is managed by the programmer (allocation with new/malloc, deallocation with delete/free).
• Passing a C-String to a function automatically passes by reference (the address of index [0]).

C-String Input Vulnerability

• Most data exchanged between an end-user and a software system is done through command-line arguments, environment variables, and console input.
• The input buffer keeps all inputted values in the stream, including the enter key press (\n).

Command-Line Arguments

• The main function is the most important function in C/C++.
• It's typically defined with an int return type and no parameters: int main() { /* ... */ }
• C/C++ allows command-line arguments to be passed into the main function.
• Command-line arguments are passed into the main program when it is run.
• int main(int argc, char *argv[]) { /* ... */ }
• int argc holds the number of command-line arguments (including the program name).
• char *argv[] is an array of character pointers that hold the individual arguments. argv[0] is the name of the program.

Main Command Arguments

• argc (Argument Count) stores the number of command-line arguments including the program name.
• The value of argc should be non-negative.
• argv (Argument Vector) is an array of character pointers listing all the arguments.
• If argc is greater than zero, the array elements from argv[0] to argv[argc-1] contain pointers to C-style strings.
• argv[0] is the name of the program.

I/O Streams

• Streams (stdin and stdout) have properties defining how input/output functions handle data.
• A buffer is a memory block that accumulates data before physical read/write to a file or device.
• Standard C/C++ input streams are buffered.
• Input from the keyboard is buffered by the operating system until the Enter key is pressed.

Input Stream Libraries & Functions

• <cstdio>:
  • scanf: Reads formatted input from stdin. Using scanf without proper input validation can lead to format string exploits. scanf is vulnerable to buffer overflows, format string attacks, and other vulnerabilities if not used carefully. Using the correct format specifiers for input is crucial.
  • gets: Reads a string from stdin. gets is extremely dangerous and should never be used! It is particularly dangerous due to its lack of buffer size checking, leading to buffer overflows. Use fgets instead. It's crucial to avoid using gets.
  • getc, getchar: Reads a character from stdin.
• <iostream>:
  • std::istream::getline: Reads the entire line. Safely reads lines from input streams.
  • std::cin >>: Reads data until whitespace. Also, prone to vulnerabilities if not used correctly with proper validation, use with caution, and consider alternatives when possible. Using proper validation and error handling is important.

Scanf Vulnerabilities

• scanf reads formatted data from stdin.
• scanf basics: The good, the bad, and why so many ampersands?
• Discusses scanf's strengths, weaknesses, its function, and why ampersands are used in front of arguments. Critical to understanding potential vulnerabilities when using scanf.

gets() Vulnerability

• gets() receives the array name (pointer), doesn't know the size of the array, and has no buffer size checking.
• gets() reads all available data into the array, leading to buffer overflows if input exceeds buffer size.
• If more data than the array size is input, it causes a buffer overflow.
• gets() is no longer available in C11 and C++14. This function is extremely dangerous and should never be used due to the vulnerability it creates. Use safer alternatives like fgets.

getchar Vulnerabilities

• getchar() reads one character at a time, provides better control, but has additional performance overhead.

istream::getline

• Extracts characters from a stream, storing them in s as a C-string until a delimiter or n characters are written (including '\0').
• std::istream::getline operates on C-style strings from <iostream>.
• std::getline operates on C++ std::string from <string>. Using std::string is a safer alternative than C-style strings to prevent buffer overflows.
• C-strings have fixed sizes, making them vulnerable to buffer overflows, use std::string for safe string handling.

std::cin & C-String Vulnerability

• The first read will not overflow the buffer bufOne but can fill it with truncated data.
• The second read can still overflow bufTwo.
• It's essential to call width() before each operator>> call to prevent the buffer from overflowing.
• This doesn't account for truncated input, potentially leading to information loss or vulnerability. Critical to use the width functionality with std::cin.

Legacy: Flush the Input Buffer

• Clear unwanted data in input streams for security.
• A call to a read function that failed to input all available data.
• Ensure the user doesn't use the "type ahead" approach.
• There's no guaranteed method to clear input streams in legacy C/C++.
• If unwanted data is in the input stream, use a loop to read all data. Using std::cin.ignore or similar methods (e.g. std::cin.ignore(std::numeric_limits<std::streamsize>::max(), '\n')) is often preferable to prevent issues.

Output Stream Libraries & Functions

• <cstdio>:
  • printf: Prints formatted output to stdout.
  • puts: Prints a string to stdout.

Format String Attack

• The format string exploit occurs when submitted data of an input string is evaluated as a command by the application.
• An attacker can execute code, read the stack, or cause segmentation faults, compromising security or stability. Explicitly validating user input is crucial to avoiding this attack. Always sanitize user input.

Format String

• Format string specifiers:
  • %c: Character
  • %d: Integer
  • %x: Hexadecimal
  • %n: Number of characters printed before %n. %n is hazardous and should be avoided.
  • %s: String
  • %f: Floating-point.
• Format string functions: printf, fprintf, sprintf, snprintf (and their differences). Understand the potential vulnerabilities of each function.
• Format string vulnerability arises when a program expects a value but instead receives a format specifier.

What is Use of %n in printf()?

• %n is a special format specifier in printf() that loads the corresponding argument variable with the number of characters printed before %n. %n is hazardous and should be avoided.

Do Not Pass Non-Null-Terminated

• Many library functions require null-terminated strings.
• Passing non-null-terminated strings can access memory outside object bounds, leading to crashes or security vulnerabilities.
• If the array bound is not given, the compiler allocates enough storage for the whole string literal (including the \0 terminator). Always ensure that strings are null-terminated to prevent memory issues when using C-style strings. Null termination is crucial.

Preventing Format String Exploit

• Input validation is crucial.
• Format Guard helps.
• Kimchi, ASLR are defensive techniques.
• While format string vulnerabilities are hard to exploit, the impact can be significant, leading to complete system compromise. Safe code practices are vital to avoid vulnerabilities!

Description

Test your knowledge on legacy Input/Output mechanisms in C/C++. This quiz will cover C-strings, command-line arguments, and various vulnerabilities associated with legacy IO. Additionally, you'll explore format string attacks and how to prevent them in your programs.