Safe C API—Concise solution of buffer overflow
![Page 1: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/1.jpg)
The OWASP Foundation
http://www.owasp.org
OWASP AppSec Beijing 2011
Safe C API—Concise solution of buffer overflow
李建蒙
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
![Page 2: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/2.jpg)
Agenda
• Brief introduction of buffer overflow
• The difference between the standard C API and the Safe C API
• How Safe C avoids buffer issues
• Cautions
• Summary
![Page 3: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/3.jpg)
Buffer overflow
What is a buffer overflow?
• More data is put into a holding area than it can handle.
What is the result of a buffer overflow?
• Programs can act in strange ways.
• Programs can fail completely.
• Programs can proceed without any noticeable difference in execution.
![Page 4: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/4.jpg)
Notorious attacks

| Attack | Date | Damage |
| --- | --- | --- |
| Morris Worm | 1988-11 | Over 6000 servers crashed (Unix sendmail, Finger, rsh/rexec). |
| Code Red worm | 2001-7 | IIS 4.0 and 5.0, allowing the worm to execute arbitrary code and infect the machine. It affected almost 1,500,000 systems. |
| Slammer Worm | 2003-1 | Microsoft SQL Server 2000; a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. Infected 359,000. |
| Sun Solaris telnet daemon | 2007-2 | This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. |
| Ubuntu Perl-Compatible Regular Expression (PCRE) library | 2010-4 | It could still be injected deliberately in malware to create backdoor entrances into a network. |
![Page 5: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/5.jpg)
The cost of buffer errors
(Figure only; no text transcribed.)
![Page 6: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/6.jpg)
Buffer overflow bug
(Figure: buffer overflow.)
![Page 7: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/7.jpg)
How to avoid it?
CPU/OS
• AMD Enhanced Virus Protection / Intel Execute Disable Bit (EDB)
• OS Data Execution Protection (NX)
Compiler
• MS: /GS /DYNAMICBASE /NXCOMPAT
• Linux: FORTIFY_SOURCE, StackGuard, StackShield, ProPolice
Use different languages, like Java or C#
Write the right code
• Use a safe library: C++ STL; C: Safe C Library
http://sourceforge.net/projects/safeclib
![Page 8: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/8.jpg)
Safe C License
(Figure only; no text transcribed.)
![Page 9: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/9.jpg)
Overview of the differences
Sample Safe C replacement for a traditional standard C library function:

| C Standard | Safe C Standard |
| --- | --- |
| char *strcpy(dest, src) | errno_t strcpy_s(dest, dmax, src) |

• Error codes (the errno_t return value) indicate the specific failure.
• _s postfix for all safe functions.
• Max destination buffer size (dmax) to prevent overflow.
![Page 10: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/10.jpg)
The standard C API
Strong points
• Convenient to use.
• Performance is a little better than the Safe C API.
Weak points
• No input validation, so buffer issues are easy to cause.
• Some APIs have no return value, so there is no way to check whether an issue happened.
![Page 11: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/11.jpg)
The Safe C API
Strong points
• Input validation avoids buffer issues such as overflow, unterminated strings, etc.
• Every call has a return value to check whether an issue occurred during the call.
Weak points
• Performance is a little poorer than the standard API.
• More code must be written to check the return value.
![Page 12: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/12.jpg)
Why Safe C?
• Guard against overflowing a buffer.
• Do not unexpectedly truncate strings.
• Do not produce unterminated strings.
• Return value shows whether an error happened.
• Provide a unified runtime-constraint handler.
![Page 13: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/13.jpg)
String API list
(Figure only; no text transcribed.)
![Page 14: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/14.jpg)
How does the string API avoid buffer issues?
strcpy_s
![Page 15: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/15.jpg)
The difference when copying a string
• Standard C
    char str1[20] = {0};
    char str2[20] = "Just a test";
    strcpy(str1, "a string");   /* no size check, no return code to test */
• Safe C
    errno_t rc = strcpy_s(str1, 20, str2);   /* 20 is dmax, the size of str1 */
    if (rc != EOK) { /* copy failed */ }
    else { /* copy succeeded */ }
![Page 16: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/16.jpg)
How does strcpy_s avoid buffer overflow?
If Safe C finds that the buffer is not large enough to contain the string (including the terminating '\0'), it empties the dest string instead of overflowing.
![Page 17: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/17.jpg)
How does strcpy_s avoid buffer issues: overlap
If Safe C finds that the source and destination buffers overlap, it empties the dest string.
![Page 18: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/18.jpg)
strcpy_s of MS
(Figure only; no text transcribed.)
![Page 19: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/19.jpg)
strcpy/strcpy_s performance
(Chart: y axis in ms, x axis in million calls, 32-byte strings.)
![Page 20: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/20.jpg)
How does the string API avoid buffer issues?
Which APIs set dest to empty on error?
• strcpy_s, strncpy_s, strcat_s, strncat_s
• strcpyfld_s, strcpyfldin_s, strcpyfldout_s
What kinds of error set dest to empty?
• ESOVRLP: buffer overlap
• ESUNTERM: unterminated string, e.g. dest[dmax-1] is not '\0'
• ESNOSPC: not enough space
What is the default action?
• The default only sets the first byte to '\0'.
• If you want all bytes set to '\0', define SAFE_LIB_STR_NULL_SLACK.
• Or redefine the error handler.
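The behaviour described on pages 15 to 20 (size check with ESNOSPC, overlap check with ESOVRLP, the ESUNTERM check on an unterminated dest, and "empty dest on error" with the first-byte default versus SAFE_LIB_STR_NULL_SLACK) as an added, self-contained model. This is not safeclib's own code: the numeric values of the error codes, the `model_` function names, the `null_slack` switch and the scenario helpers are all constructed for this example; only the names of the codes and the parameter order come from the slides.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int errno_t;
typedef size_t rsize_t;

/* Constructed numeric values: the deck names these codes but not their numbers. */
enum { EOK = 0, ESNULLP = 400, ESZEROL = 401, ESOVRLP = 404, ESNOSPC = 406, ESUNTERM = 407 };

/* Stand-in for the SAFE_LIB_STR_NULL_SLACK build option: 1 clears all of dest
 * on error, 0 (the default described on the slide) clears only dest[0]. */
static int null_slack = 0;
void model_set_null_slack(int on) { null_slack = on; }

/* Modelled default handler: a message to the console, then empty the destination. */
static void constraint_error(const char *msg, char *dest, rsize_t dmax, errno_t err) {
    fprintf(stderr, "safe-c model: %s (error %d)\n", msg, err);
    if (dest != NULL && dmax > 0) {
        if (null_slack) memset(dest, 0, dmax);
        else dest[0] = '\0';
    }
}

/* Model of errno_t strcpy_s(dest, dmax, src). */
errno_t model_strcpy_s(char *dest, rsize_t dmax, const char *src) {
    rsize_t i;
    if (dest == NULL) { constraint_error("dest is NULL", NULL, 0, ESNULLP); return ESNULLP; }
    if (dmax == 0)    { constraint_error("dmax is 0", NULL, 0, ESZEROL);   return ESZEROL; }
    if (src == NULL)  { constraint_error("src is NULL", dest, dmax, ESNULLP); return ESNULLP; }
    if (dest == src)  return EOK;   /* copying a string onto itself changes nothing */

    /* Copy byte by byte and never write past dmax. The overlap test fires when the
     * write cursor reaches the start of src (or the read cursor the start of dest),
     * i.e. when the copy is about to read bytes it has already overwritten. */
    for (i = 0; i < dmax; i++) {
        int overlap = (dest < src) ? (dest + i == src) : (src + i == dest);
        if (overlap) { constraint_error("buffers overlap", dest, dmax, ESOVRLP); return ESOVRLP; }
        dest[i] = src[i];
        if (src[i] == '\0') return EOK;
    }
    constraint_error("not enough space in dest", dest, dmax, ESNOSPC);
    return ESNOSPC;
}

/* Model of errno_t strcat_s(dest, dmax, src): dest must already be terminated
 * within dmax (otherwise ESUNTERM), and any failure empties the whole of dest. */
errno_t model_strcat_s(char *dest, rsize_t dmax, const char *src) {
    rsize_t len = 0;
    errno_t rc;
    if (dest == NULL || src == NULL) { constraint_error("NULL argument", dest, dmax, ESNULLP); return ESNULLP; }
    if (dmax == 0) { constraint_error("dmax is 0", NULL, 0, ESZEROL); return ESZEROL; }
    while (len < dmax && dest[len] != '\0') len++;
    if (len == dmax) { constraint_error("dest not terminated within dmax", dest, dmax, ESUNTERM); return ESUNTERM; }
    rc = model_strcpy_s(dest + len, dmax - len, src);
    if (rc != EOK) dest[0] = '\0';   /* the tail was cleared already; empty the whole string */
    return rc;
}

/* Scenario helpers on constructed inputs; each returns 1 when the outcome
 * described on the slides is observed. */
int demo_copy_ok(void) {
    char str1[20] = {0};
    char str2[20] = "Just a test";
    return model_strcpy_s(str1, sizeof str1, str2) == EOK && strcmp(str1, "Just a test") == 0;
}
int demo_no_space(void) {
    char small[4];
    errno_t rc = model_strcpy_s(small, sizeof small, "too long for four bytes");
    return rc == ESNOSPC && small[0] == '\0' && small[1] == 'o';   /* default: only dest[0] cleared */
}
int demo_null_slack(void) {
    char small[4];
    errno_t rc;
    model_set_null_slack(1);
    rc = model_strcpy_s(small, sizeof small, "too long for four bytes");
    model_set_null_slack(0);
    return rc == ESNOSPC && small[0] == '\0' && small[1] == '\0' && small[3] == '\0';
}
int demo_overlap(void) {
    char buf[16] = "hello";
    errno_t rc = model_strcpy_s(buf + 2, sizeof buf - 2, buf);   /* src lies inside dest */
    return rc == ESOVRLP && buf[2] == '\0';
}
int demo_unterminated(void) {
    char buf[4] = {'a', 'b', 'c', 'd'};   /* no '\0' within dmax */
    return model_strcat_s(buf, sizeof buf, "x") == ESUNTERM && buf[0] == '\0';
}
int demo_cat_ok(void) {
    char buf[16] = "Just a";
    return model_strcat_s(buf, sizeof buf, " test") == EOK && strcmp(buf, "Just a test") == 0;
}
```

The point to take from the model is the contract, not the code: a failed call never leaves a partially written or unterminated string behind, so a caller that forgets to check the return value still cannot overflow, but it may silently work with an empty string. That is why the deck pairs "empty dest" with a checkable errno_t and a replaceable handler.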
![Page 21: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/21.jpg)
Memory API list
(Figure only; no text transcribed.)
![Page 22: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/22.jpg)
How does the memory API avoid buffer issues?
Which APIs set the dest content to 0 on error?
• memmove_s
• memcpy_s
What kinds of error set dest to 0?
• ESZEROL: smax is 0
• ESNULLP: src is NULL
• ESLEMAX: smax exceeds dmax
• ESOVRLP: memory overlap
What is the default action?
• The default sets all bytes of dest to 0.
![Page 23: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/23.jpg)
Memory API performance
For Safe C, memcpy_s and memmove_s are the same: they call the same API.
(Chart: memcpy_s, memmove_s vs memcpy, memmove; y axis in ms, x axis in hundred thousand calls.)
![Page 24: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/24.jpg)
Memory API
Safe C provides three APIs for every standard API, one per element width:

| Void * | Uint16 * | Uint32 * |
| --- | --- | --- |
| memcpy_s | memcpy16_s | memcpy32_s |
| memmove_s | memmove16_s | memmove32_s |
| memset_s | memset16_s | memset32_s |
| memzero_s | memzero16_s | memzero32_s |
![Page 25: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/25.jpg)
Memory API performance test result I
(Chart: y axis in ms, x axis in million calls.)
![Page 26: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/26.jpg)
Memory API performance test result II
(Chart: y axis in ms, x axis in million calls.)
![Page 27: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/27.jpg)
Error handler
The default handler
• Prints a simple error message to the console.
How to use your own handler
    typedef void (*safe_lib_constraint_handler_t)(const char *msg, void *ptr,
                                                  errno_t error);
    safe_lib_constraint_handler_t safe_lib_set_constraint_handler(
        safe_lib_constraint_handler_t handler);
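The memcpy_s checks listed on page 22 (ESZEROL, ESNULLP, ESLEMAX, ESOVRLP, all followed by zeroing the whole destination) and the replaceable constraint handler from page 27, as one added, self-contained model. This is not safeclib's own code: the numeric error values, the `model_` names and the recording handler are constructed for the example, and the assumption that the setter returns the previously installed handler is mine; only the handler typedef's shape and the error names come from the slides.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int errno_t;
typedef size_t rsize_t;
/* Constructed numeric values for the codes named on the memory-API slide. */
enum { EOK = 0, ESNULLP = 400, ESZEROL = 401, ESLEMAX = 403, ESOVRLP = 404 };

/* Handler type shaped like the typedef on the error-handler slide. */
typedef void (*safe_lib_constraint_handler_t)(const char *msg, void *ptr, errno_t error);

/* The deck's default handler: a simple error message to the console. */
static void default_handler(const char *msg, void *ptr, errno_t error) {
    (void)ptr;
    fprintf(stderr, "safe-c model: %s (error %d)\n", msg, error);
}
static safe_lib_constraint_handler_t current_handler = default_handler;

/* Model of safe_lib_set_constraint_handler(): installs a handler and returns
 * the previous one (the "returns the previous handler" part is an assumption). */
safe_lib_constraint_handler_t model_set_constraint_handler(safe_lib_constraint_handler_t handler) {
    safe_lib_constraint_handler_t previous = current_handler;
    current_handler = (handler != NULL) ? handler : default_handler;
    return previous;
}

/* Model of errno_t memcpy_s(dest, dmax, src, smax): each failure listed on the
 * slide calls the handler and then zeroes the whole destination. */
errno_t model_memcpy_s(void *dest, rsize_t dmax, const void *src, rsize_t smax) {
    unsigned char *d = dest;
    const unsigned char *s = src;
    errno_t err = EOK;
    const char *msg = "";
    rsize_t i;

    if (d == NULL) { current_handler("dest is NULL", NULL, ESNULLP); return ESNULLP; }
    if (dmax == 0) { current_handler("dmax is 0", dest, ESZEROL); return ESZEROL; }
    if (smax == 0)        { err = ESZEROL; msg = "smax is 0"; }
    else if (s == NULL)   { err = ESNULLP; msg = "src is NULL"; }
    else if (smax > dmax) { err = ESLEMAX; msg = "smax exceeds dmax"; }
    else if (d != s && ((d < s && d + dmax > s) || (s < d && s + smax > d))) {
        err = ESOVRLP; msg = "memory overlap";
    }
    if (err != EOK) {
        current_handler(msg, dest, err);
        memset(dest, 0, dmax);   /* default action: all bytes of dest set to 0 */
        return err;
    }
    for (i = 0; i < smax; i++) d[i] = s[i];
    return EOK;
}

/* Example custom handler: record the last error instead of printing it. */
static errno_t last_error = EOK;
static char last_msg[64];
static void recording_handler(const char *msg, void *ptr, errno_t error) {
    (void)ptr;
    last_error = error;
    snprintf(last_msg, sizeof last_msg, "%s", msg);
}

/* Scenario helpers on constructed inputs; each returns 1 when the slide's outcome is observed. */
int demo_mem_copy_ok(void) {
    unsigned char dst[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    unsigned char src[4] = {9, 9, 9, 9};
    return model_memcpy_s(dst, sizeof dst, src, sizeof src) == EOK && dst[3] == 9 && dst[4] == 5;
}
int demo_mem_lemax_zeroes_dest(void) {
    unsigned char dst[4] = {1, 2, 3, 4};
    unsigned char src[8] = {7, 7, 7, 7, 7, 7, 7, 7};
    errno_t rc = model_memcpy_s(dst, sizeof dst, src, sizeof src);   /* smax > dmax */
    return rc == ESLEMAX && dst[0] == 0 && dst[3] == 0;
}
int demo_mem_overlap(void) {
    unsigned char buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    errno_t rc = model_memcpy_s(buf, 4, buf + 2, 4);   /* regions [0,4) and [2,6) overlap */
    return rc == ESOVRLP && buf[0] == 0 && buf[3] == 0 && buf[4] == 5;
}
int demo_mem_custom_handler(void) {
    unsigned char dst[4];
    safe_lib_constraint_handler_t prev = model_set_constraint_handler(recording_handler);
    errno_t rc = model_memcpy_s(dst, sizeof dst, NULL, 2);
    model_set_constraint_handler(prev);   /* restore the default */
    return rc == ESNULLP && last_error == ESNULLP && prev == default_handler;
}
```

A handler that records or logs rather than prints is the usual choice in production code, and restoring the previous handler (as the last helper does) keeps the change local to the code that needed it.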
![Page 28: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/28.jpg)
What kinds of platforms can use it?
• Windows
• Mac
• Linux
• Solaris
• AIX
![Page 29: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/29.jpg)
How to use it on Solaris?
The types in safe_types.h conflict with inttypes.h:
• int8_t int16_t int32_t uchar_t uint8_t uint16_t uint32_t ushort
• ulong ulonglong rsize_t
Workaround in safe_types.h: include the system header on Solaris instead of redefining the types.
    #ifdef SOLARIS
    #include <inttypes.h>
    #else
    #endif
![Page 30: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/30.jpg)
Safe C Caution I: about case
An API name containing "case" means case-insensitive:
• strcasestr_s
• strcasecmp_s
![Page 31: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/31.jpg)
Safe C Caution II: memset_s
The argument order differs from memset: the length comes second and the value third.
    errno_t memset_s(void *dest, rsize_t len, uint8_t value);
    void *memset(void *s, int c, size_t n);
Use memzero_s to set memory to 0.
![Page 32: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/32.jpg)
Safe C Caution III
Safety is based on the correct size of the destination buffer: the library can only check against the dmax the caller passes.
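Cautions II and III (pages 31 and 32) as one added example, not safeclib's own code: a model of memset_s/memzero_s with the slide's argument order, showing what happens when memset(buf, 0, n) is translated word for word, and a constructed case of a wrong dmax. The `model_` names, the numeric error values, and the choice to report a zero length as ESZEROL are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int errno_t;
typedef size_t rsize_t;
/* Constructed numeric values; reporting len == 0 as ESZEROL is an assumption. */
enum { EOK = 0, ESNULLP = 400, ESZEROL = 401 };

/* Model of errno_t memset_s(dest, len, value): len second, value third,
 * the reverse of memset(s, c, n). */
errno_t model_memset_s(void *dest, rsize_t len, uint8_t value) {
    if (dest == NULL) { fprintf(stderr, "memset_s: dest is NULL\n"); return ESNULLP; }
    if (len == 0)     { fprintf(stderr, "memset_s: len is 0\n");     return ESZEROL; }
    memset(dest, value, len);
    return EOK;
}
/* Model of errno_t memzero_s(dest, len): the recommended way to clear memory. */
errno_t model_memzero_s(void *dest, rsize_t len) { return model_memset_s(dest, len, 0); }

/* Caution II: memset(buf, 0, sizeof buf) rewritten as memset_s(buf, 0, sizeof buf)
 * passes len = 0 and value = sizeof buf. The model rejects it and the buffer
 * keeps its old contents, so the "cleared" buffer is not cleared at all. */
int demo_argument_order_mistake(void) {
    unsigned char buf[8];
    errno_t rc;
    memset(buf, 0xAA, sizeof buf);
    rc = model_memset_s(buf, 0, sizeof buf);   /* wrong order */
    return rc == ESZEROL && buf[0] == 0xAA && buf[7] == 0xAA;
}
int demo_memzero(void) {
    unsigned char buf[8];
    memset(buf, 0xAA, sizeof buf);
    return model_memzero_s(buf, sizeof buf) == EOK && buf[0] == 0 && buf[7] == 0;
}

/* Caution III: the checks are only as good as the size the caller passes.
 * sizeof on a pointer gives the pointer's size, not the buffer's; the call
 * succeeds and clears the wrong number of bytes. An oversized value would
 * be accepted just the same and overrun the buffer. */
int demo_wrong_dmax_is_not_detected(void) {
    char stack[64];
    char *p = stack;
    rsize_t claimed = sizeof p;   /* 4 or 8, not 64 */
    return model_memzero_s(p, claimed) == EOK && claimed != sizeof stack;
}
```

The practical rule that follows from Caution III: derive dmax from the array declaration (`sizeof buf` on the array itself) or carry the size alongside every pointer, never recompute it from the pointer.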
![Page 33: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/33.jpg)
The result of using Safe C
(Figure only; no text transcribed.)
![Page 34: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/34.jpg)
Summary & Conclusion
![Page 35: Safe C API—Concise solution of buffer overflow](https://reader036.fdocuments.in/reader036/viewer/2022071601/613d3a05736caf36b75ad271/html5/thumbnails/35.jpg)