
Uploaded by DivineZebra9695

Red Rocks Community College

Tags: C/C++ programming, input/output, computer science

Summary

This document is about C/C++ input/output mechanisms, vulnerabilities, and possible solutions. The lectures seem to cover basic programming concepts, such as buffers, memory management, string manipulation, and common exploits like buffer overflows in C/C++.

Full Transcript

CSC 2045 LEGACY IO
WEEK 12

OBJECTIVES
o Identify legacy Input/Output (IO) mechanisms in C/C++ codebases and assess associated vulnerabilities.
o Design and implement a program showing correctly/incorrectly formatted output functions.

AGENDA
1. C-String
2. Command-line arguments
3. IO Streams
4. Legacy Input Vulnerabilities
5. Legacy Output Vulnerabilities
6. Format String Attacks
7. Format String
8. printf
9. Preventing Format String Exploit

C-STYLE STRINGS
o C-Strings are null terminated: '\0'
o One additional space is required for the terminator
o Dynamic / Run-time memory: heap memory. Programmers manage heap memory
  ▪ allocating with new/malloc
  ▪ deallocating with delete/free
o Passing a C-String to a function is automatically pass by reference: the address of index 0 (the first element) is what gets passed.

C-STRING INPUT VULNERABILITY
Most of the data exchanged between an end-user and a software system is done through:
o command-line arguments
o environment variables
o console input
The input buffer keeps all inputted values in the stream, including the enter key press: '\n'

COMMAND LINE ARGUMENTS
The most important function of C/C++ is main. It is usually defined with a return type of int and without any parameters:
    int main() { }
C/C++ also allow command-line arguments to be passed into main. Command-line arguments are passed into the main program when the program is run:
    int main(int argc, char *argv[]) { }
    int main(int argc, char **argv) { }

MAIN COMMAND ARGUMENTS (GEEKS FOR GEEKS)
    int main(int argc, char **argv) { }
o argc (ARGument Count) stores the number of command-line arguments passed by the user, including the name of the program. The value of argc should be non-negative.
o argv (ARGument Vector) is an array of character pointers listing all the arguments. If argc is greater than zero, the array elements from argv[0] to argv[argc-1] will contain pointers to C-style strings.
o argv[0] is the name of the program.

IO STREAMS
Streams (stdin and stdout) have some properties that define which functions can be used on them and how these will treat the data input or output through them.
A buffer is a block of memory where data is accumulated before being physically read or written to the associated file or device.
In standard C/C++ input streams are buffered. This means that when you hit a key on the keyboard, it isn't sent directly to your program. Instead it is buffered by the operating system until such time that it is given to your program (generally triggered by the [Enter] key).

INPUT STREAM LIBRARIES & FUNCTIONS
o scanf - reads formatted input from stdin
o gets - reads a string from stdin
o getc, getchar - reads a character from stdin
o std::istream::getline - reads the entire line
o std::cin >> - reads data until whitespace

SCANF VULNERABILITIES (CPLUSPLUS)
scanf reads formatted data from stdin.
Video Description:
o Scanf Basics: the good, the bad, and why so many ampersands?
o We're talking about scanf today, the function you might need, even if it isn't the function you want.
o We talk about its strengths and weaknesses, how it works, and why you have to put those pesky ampersands in front of the arguments.

GETS() VULNERABILITY
gets() has only received the name of the array (a pointer); it does not know how big the array is, and it is impossible to determine this from the pointer alone.
When text is entered, gets() will read all available data into the array. This will be fine if the data is smaller than the array size. However, if more data than the array size is entered, gets() will NOT stop writing at the end of the array, and this causes a buffer overflow.
This function is no longer available in C/C++ (as of C11 & C++14).

GETCHAR VULNERABILITIES
Reading one character at a time using getchar() provides more flexibility in controlling behavior, though with additional performance overhead.
ISTREAM::GETLINE (CPLUSPLUS)
    istream& std::istream::getline(char* s, std::streamsize n);
Extracts characters from the stream and stores them into s as a C-string, until either the extracted character is the delimiting character, or n characters have been written to s (including the null character '\0').
o std::istream::getline operates on C-style strings (from <istream>)
o std::getline operates on C++ std::string (from <string>)
C-string sizes are fixed (whether at compile-time or run-time) and are vulnerable to buffer overrun errors if used improperly.

STD::CIN & C-STRING VULNERABILITY
The first read will NOT overflow, but could fill bufOne with a truncated string. The second read still could overflow bufTwo. It is necessary to call width() prior to each operator>> call.
This does not account for the input being truncated, which may lead to information loss or a possible vulnerability.

LEGACY: FLUSH THE INPUT BUFFER
Clear unwanted data in an input stream to secure against:
o a call to a read function that failed to input all available data
o the user trying the "type ahead" approach when using your application
There is NO guaranteed method to clear an input stream in legacy C/C++. If you are sure that unwanted data is in the input stream, then a loop reading all data is good. However, if you call these when there is no data in the input stream, the program will wait until there is, which gives you undesirable results.
    ▪ while ((ch = cin.get()) != '\n' && ch != EOF);
Read the article on: Why fflush(stdin) is wrong

OUTPUT STREAM LIBRARIES & FUNCTIONS
o printf - prints formatted output to stdout
o puts - prints a string to stdout

FORMAT STRING ATTACK (OWASP)
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
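Back to the input slides: the following is an added example (not code from the slides) that puts the STD::CIN & C-STRING and FLUSH THE INPUT BUFFER points into one function. It re-arms width() before each operator>>, detects when a word was truncated, and then drains the rest of the line with the slide's loop. The buffer names bufOne/bufTwo follow the slide; read_two_words and ReadResult are assumed names, and the input is read from any std::istream so it can be tried with a constructed string instead of the keyboard.

```cpp
#include <cctype>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>

struct ReadResult {
    std::string first;
    std::string second;
    bool truncated;   // some word was longer than its buffer and got cut short
};

// Reads two whitespace-separated words into two 8-byte C-strings.
// width() must be set again before EVERY operator>> call: each extraction
// resets it to 0 (unlimited), and that is how bufTwo could overflow.
ReadResult read_two_words(std::istream& in) {
    char bufOne[8] = {};
    char bufTwo[8] = {};
    ReadResult r{"", "", false};

    in.width(sizeof bufOne);          // at most 7 characters + '\0'
    in >> bufOne;
    // If the next character is not whitespace (or EOF), the word was cut:
    // the slide's "information loss" case, which width() alone never reports.
    int c = in.peek();
    if (c != EOF && !std::isspace(c)) r.truncated = true;

    in.width(sizeof bufTwo);          // re-arm; without this the read is unbounded
    in >> bufTwo;
    c = in.peek();
    if (c != EOF && !std::isspace(c)) r.truncated = true;

    // Legacy "flush": discard everything up to and including '\n' (or EOF).
    int ch;
    while ((ch = in.get()) != '\n' && ch != EOF) {}

    r.first = bufOne;
    r.second = bufTwo;
    return r;
}
```

With the constructed line "abcdefghijkl xyz", bufOne receives only "abcdefg" and the leftover "hijkl" becomes the second word, which is exactly the silent truncation the slide warns about.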
Format String Bugs (Article)

FORMAT STRING (OWASP)
Format String Specifiers:
o Char - %c
o Int - %d
o Float - %f
o Read data from stack (hexadecimal) - %x
o Write an integer to locations in process' memory - %n
o Read character string from process' memory - %s
Format String Functions: printf family (What's the difference?)
o printf
o fprintf
o sprintf
o snprintf
A format string vulnerability occurs when the program expects a value, but instead the user enters a format specifier.

WHAT IS USE OF %N IN PRINTF()?
In C, printf()'s %n is a special format specifier which, instead of printing something, causes printf() to load the variable pointed to by the corresponding argument with a value equal to the number of characters that have been printed by printf() before the occurrence of %n.

DO NOT PASS NON-NULL-TERMINATED
Many library functions accept a string argument with the constraint that the string they receive is properly null-terminated. Passing a character sequence that is NOT null-terminated to a function can result in accessing memory that is outside the bounds of the object.
If the array bound is omitted, the compiler allocates sufficient storage to store the entire string literal, including the terminating null character.

PREVENTING FORMAT STRING EXPLOIT
o Input validation
o Kimchi
o Format Guard
o ASLR
Though Format String vulnerabilities are hard to exploit, when exploited they can have a significant impact and result in the complete compromise of both the program and the system. It is easier to prevent these attacks than to launch them, as long as you maintain high coding standards and use tools that can secure your programs.
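An added example (not from the slides or the OWASP page) for the %n and PREVENTING FORMAT STRING EXPLOIT slides: it shows what %n stores in a legitimate call with a fixed format string, and the "input validation" defence applied before untrusted text reaches the printf family. The function names chars_before_n, contains_format_specifier and echo_safely are assumed.

```cpp
#include <cstdio>
#include <string>

// %n stores the number of characters written so far into the int it points at.
// The format string here is a literal, so %n only does the counting it was
// designed for; the vulnerability arises when the USER supplies the format.
int chars_before_n(const char* name) {
    char out[64];
    int written = -1;
    std::snprintf(out, sizeof out, "Hello, %s!%n", name, &written);
    return written;            // name "Bob" -> "Hello, Bob!" -> 11
}

// Input validation: true if the text contains any conversion specifier that
// printf would act on. A literal "%%" just prints '%' and is allowed.
bool contains_format_specifier(const std::string& text) {
    for (std::size_t i = 0; i < text.size(); ++i) {
        if (text[i] != '%') continue;
        if (i + 1 < text.size() && text[i + 1] == '%') { ++i; continue; }
        return true;           // "%x", "%n", "%s", "% d", "%5$s" ... all start here
    }
    return false;
}

// Wrong:  printf(user_text);          the user controls the format string.
// Right:  pass the text as an ARGUMENT to a fixed format, so "%x" is only data.
std::string echo_safely(const std::string& user_text) {
    char out[128];
    std::snprintf(out, sizeof out, "%s", user_text.c_str());
    return out;
}
```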
