Summary

This document is a lecture or presentation on C++ C-strings and related security concepts. It covers the vulnerabilities of C-style strings including buffer overflows and provides solutions like using strncpy and fgets. The document also includes questions to be answered.

Full Transcript

CSC 2045 LEGACY C++: C-STRINGS

OBJECTIVES
- Understand the vulnerabilities associated with C-String manipulation, including buffer overflows, format string vulnerabilities, and null-termination issues.
- Implement secure C-String manipulation techniques, including proper input validation, boundary checking to prevent buffer overflows, and ensuring correct string termination in C/C++ programs.
- Implement a program that includes overflow detection due to sign errors and/or truncation.

AGENDA: WEEK 13
1. Why do programmers write insecure code?
2. Buffer Overflows
3. C-Style String & Null Terminator
4. C-String functions
5. Signed and Unsigned Char
6. sizeof operator
7. SEI Characters & Strings

PRE-CHALLENGE
Read the first part of 5.4 Strings and complete the multiple-choice question.
Q-1: What is the correct definition of C-strings?

LEGACY CODE
Why do programmers write insecure code?
- C is an unsafe language, and the standard C library string functions are unsafe. This is particularly important because C is so widely used: the "simple" ways of using C permit dangerous exploits.
- Most programmers are not security people; they simply don't often think like an attacker does.
- Security costs extra development time.
- Security costs in terms of additional testing (red teams, etc.).

RESTRICT TO BUFFER BOUNDS
Programs often use memory buffers to capture input and process data. In some cases (particularly in C or C++ programs) it may be possible to perform an operation that reads from or writes to a memory location outside the intended boundary of the buffer. A buffer overflow occurs if a program attempts to write more data into a buffer than it can hold, or writes into a memory area outside the boundaries of the buffer. Buffer overflows are an extremely common and dangerous security flaw, and in many cases a buffer overflow can lead immediately to an attacker having complete control over the vulnerable program.
RESTRICT TO BUFFER BOUNDS
- Most high-level programming languages are essentially immune to exceeding buffer boundaries, either because they automatically resize arrays or because they normally detect and prevent buffer overflows.
- However, C and C++ provide no protection against such problems.
- Some languages that normally include such protection (e.g., C#, Ada, and Pascal) can have this protection disabled (for performance reasons).
- Even if most of your program is written in another language, many libraries are written in C or C++, so other languages often do NOT provide complete protection from buffer overflows.

C-STYLE STRINGS IN C++
In C++ there are two types of strings: C-style strings and C++-style strings. C-style strings live in legacy code, and throwing away all the old code isn't always an option. C-style strings are really arrays that have functions for:
- adding two strings: strcat
- finding the length of a string: strlen
- checking to see if two strings match: strcmp

C-STYLE STRINGS: NULL TERMINATED
C-style strings are null terminated: '\0'. When creating the C-style char array, an extra spot MUST be created to ensure space for the null terminator character.
"It is like a period at the end of a sentence, it is not counted as a letter, but it still takes up a space." Stated by CProgramming.com, https://www.cprogramming.com/tutorial/lesson9.html
Writing over or beyond the null terminator index is a buffer overflow.

C-STYLE STRINGS
Unlike many other programming languages, C does not have a String type to easily create string variables. However, you can use the char type and create an array of characters to make a string in C. Complete the 4 questions from w3schools.
C-STYLE STRINGS: STACK & HEAP
Stack (compiler managed memory) and heap (developer managed memory).

STRING COPY AND CONCATENATION
It is easy to make errors when copying and concatenating strings because the standard functions do NOT know the size of the destination buffer: strcpy and strcat.

SOLUTION, BUT STILL NOT COMPLIANT
Test the length of the input using strlen() and dynamically allocate the memory.

STRNCPY(DESTINATION, SOURCE, NUM)
Copies the first num characters of source to destination. If the end of the source C-string (which is signaled by a null character) is found before num characters have been copied, destination is padded with zeros until a total of num characters have been written to it.
If there is no null character in the first num characters of source, destination will NOT be null-terminated: NO null character is implicitly appended at the end of destination, so destination is NOT considered a null-terminated C-string.

STRING TRUNCATION
Functions that restrict the number of bytes are often recommended to mitigate against buffer overflow vulnerabilities:
- strncpy() instead of strcpy()
- fgets() instead of gets()
- snprintf() instead of sprintf()
Strings that exceed the specified limits are truncated. Truncation results in a loss of data and, in some cases, in software vulnerabilities.

DYNAMICALLY ALLOCATED STRATEGIES
Dynamically allocated buffers resize as additional memory is required. Dynamic approaches scale better and do not discard excess data.
The major disadvantage is that if inputs are not limited they can exhaust memory on a machine (denial-of-service attacks).

FUNCTIONS
Function            Description
isalnum             Check if character is alphanumeric
isalpha             Check if character is alphabetic
isblank             Check if character is blank
iscntrl             Check if character is a control character
isdigit             Check if character is a decimal digit
islower | isupper   Check if character is a lowercase or uppercase letter
isprint             Check if character is printable
ispunct             Check if character is a punctuation character
isspace             Check if character is white-space
isxdigit            Check if character is a hexadecimal digit
tolower | toupper   Convert uppercase letter to lowercase or vice versa

FUNCTIONS
The functions take the int equivalent of one character as parameter and return an int that can be either another character or an integer value representing a boolean.
In all cases the argument is an int, the value of which shall be representable as an unsigned char or shall equal the value of the macro EOF. If the argument has any other value, the behavior is undefined.
Cast characters to unsigned char before converting to larger integer sizes.

SIZEOF OPERATOR (CPPREFERENCE)
Queries the size of the object or type, when the actual size of the object must be known. sizeof yields the size in bytes of the object representation of type. Depending on the computer architecture, a byte may consist of 8 or more bits, the exact number being recorded in CHAR_BIT. The following sizeof expressions always evaluate to 1: sizeof(char), sizeof(signed char), sizeof(unsigned char).

SEI RISK ASSESSMENT: DO NOT APPLY SIZEOF WITH ARRAYS
Rule     Severity  Likelihood  Remediation Cost  Priority  Level
ARR01-C  High      Probable    Low               P18       L1
Incorrectly using the sizeof operator to determine the size of an array can result in a buffer overflow, allowing the execution of arbitrary code.
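The unsigned char cast from the FUNCTIONS slide applied to input validation, as an added example that is not part of the lecture (is_valid_identifier, lowercase_in_place and count_non_ascii_bytes are names chosen here, and the max_len bound is a constructed policy):

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Accepts an identifier-like token: 1..max_len bytes, first byte a letter or
   '_', the rest letters, digits or '_'. Every byte is cast to unsigned char
   before the ctype call: where plain char is signed, a byte such as 0xE9 is
   a negative int, neither representable as unsigned char nor equal to EOF,
   so passing it straight to isalpha() would be undefined behaviour. */
int is_valid_identifier(const char *s, size_t max_len)
{
    if (s == NULL || *s == '\0')
        return 0;
    size_t n = strlen(s);
    if (n > max_len)
        return 0;
    unsigned char first = (unsigned char)s[0];
    if (!isalpha(first) && first != '_')
        return 0;
    for (size_t i = 1; i < n; ++i) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Lowercases in place with the same cast; tolower() returns an int that is
   narrowed back to char for storage. */
void lowercase_in_place(char *s)
{
    for (; *s != '\0'; ++s)
        *s = (char)tolower((unsigned char)*s);
}

/* Counts bytes above 0x7F: exactly the inputs that turn negative on a
   signed-char platform and make the cast necessary. */
size_t count_non_ascii_bytes(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; ++s)
        if ((unsigned char)*s > 0x7F)
            ++n;
    return n;
}
```

In the default "C" locale only ASCII letters and digits are classified, so a byte like 0xE9 is rejected by the validator instead of being mis-handled.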
MITIGATE AGAINST (C-STYLE STRING) BUFFER OVERRUN ATTACKS
- Do not produce unterminated strings
- Do not unexpectedly truncate strings
- Preserve the null-terminated string data type
- Support compile-time checking
- Make failures obvious
- Have a uniform pattern for the function parameters and return type

POST-REVIEW
Complete the quiz: C-Style Strings
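A bounded copy that follows the mitigation list above (always terminate, report truncation, make failure obvious), next to the strncpy and sizeof pitfalls from the STRNCPY and SEI RISK ASSESSMENT slides; this is an added example, not the lecture's code, and copy_bounded, the result codes and the other function names are chosen here:

```c
#include <stddef.h>
#include <string.h>

/* Result codes: the caller always learns whether data was lost. */
enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARGS = 2 };

/* Bounded copy of src into dst, where dst_size is the whole destination
   (terminator included). Unlike strncpy it always writes a '\0' and
   reports truncation instead of silently dropping the tail. */
enum copy_result copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;
    size_t len = strlen(src);
    if (len < dst_size) {
        memcpy(dst, src, len + 1);      /* fits, copy terminator too */
        return COPY_OK;
    }
    memcpy(dst, src, dst_size - 1);     /* keep what fits ... */
    dst[dst_size - 1] = '\0';           /* ... and terminate explicitly */
    return COPY_TRUNCATED;
}

/* The strncpy pitfall from the slides: a 5-byte destination and a source of
   5 or more characters leave dst without any terminator. Returns 1 when no
   '\0' exists anywhere inside dst's bounds. */
int strncpy_leaves_unterminated(const char *src)
{
    char dst[5];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* ARR01-C: an array parameter decays to a pointer, so sizeof measures the
   pointer (declaring the parameter as char arr[64] changes nothing). */
size_t sizeof_array_parameter(const char *arr)
{
    return sizeof arr;                  /* sizeof(char *), never 64 */
}

/* In the scope where the array is defined, sizeof gives the full 64 bytes;
   pass that value into copy_bounded rather than recomputing it inside. */
size_t sizeof_array_in_defining_scope(void)
{
    char arr[64];
    return sizeof arr;
}
```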
