Illusions of Safety


Safety is a major league buzzword in the industry today. In many conversations it refers to the dangers, real or imagined, that arise from using data supplied by someone else, through the keyboard, a file, or an Internet connection. The advice you'll get on how to avoid these dangers usually recommends two approaches: Always validate data, and never use dangerous functions. To convince you that this is important, you'll hear slogans whose tone ranges from benign ("I always look both ways before I cross a street, even if it's a one-way street") through condescending ("We shouldn't leave sharp knives around where children can play with them") to outright insulting ("Anyone who uses gets is incompetent").

In the midst of all this we have the C technical report TR 24731 [1], which provides a set of replacements for the Standard C string-handling functions that are intended to "promote safer, more secure programming" [2]. In this column, I look at the nature of the problem that the functions in TR 24731 address, how the TR addresses the problem, and other ways it can be addressed in real-world code.

Buffer Overruns

Remember when you wrote code like this?

char buf[4];
strcpy(buf, "abcd");
Most of the time it would work. That is, the program would run to completion, doing what you expected it to do. But once in a while, a program with code like this would crash, and you'd have to fire up the debugger [3].

Now that you're more sophisticated, this kind of error takes on a more subtle form:

char buf[MAX_LINE];
gets(buf);

This code assumes that standard input has been redirected from a file consisting of lines that hold no more than MAX_LINE characters. If there's a longer line, there's no telling what will happen. For example, if standard input has not been redirected, users at the terminal can type anything at all, and will almost certainly at some point type something that's longer than any reasonable value of MAX_LINE.

In both of these cases, the extra characters get written to the memory locations beyond the end of buf. If there are other auto variables in the function that executes this code, they might get overwritten. This, of course, puts your program into an unanticipated state, which it probably can't handle. If you're lucky, it will crash immediately. If not, it continues to run with corrupted data and produces results that don't make sense.

But it's not just data that's vulnerable. A function's return address is stored on the stack along with its auto variables, so instead of overwriting your program's data, the buffer overrun can overwrite the return address. When the function returns, the processor jumps back to an address that doesn't make sense, and the program crashes.

Malicious users can deliberately feed bad data to a program with this sort of error to make it crash. When that's done through the Internet, it's one of the forms of a Denial of Service attack: If a web site's programs keep crashing, the web site can't be used for much.

Crashing someone else's program is fun for a while, but it soon gets boring. A much more exciting kind of exploit requires more sophistication. The attacker puts some assembly code into a buffer somewhere, then overwrites the function's return address with a new address that points to the assembly code. When the function returns, it jumps to the intruder's code, and he's in control [4].

So, obviously, you shouldn't write code that allows buffer overruns. The problem, of course, is how to prevent them.
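As an added example (not code from the original column), here is a bounded replacement for the gets(buf) call above: it never writes more than the buffer's capacity, and it reports a line longer than MAX_LINE instead of silently truncating it or overrunning buf. The MAX_LINE value and the input text are constructed for the demonstration; fmemopen (POSIX) is assumed available only so the reader can be fed constructed text instead of standard input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen (POSIX, assumed available) */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 16   /* deliberately small (constructed) so over-long lines are easy to produce */

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Read one line into buf, never writing more than cap bytes (gets() has no
 * such bound). A line that does not fit is reported as LINE_TOO_LONG and its
 * remainder is consumed, so the next call starts cleanly on the next line. */
enum line_status read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return LINE_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in buf: the line filled the buffer exactly, the input ended
     * without a trailing newline, or the line is too long. Peek to find out. */
    int c = getc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != '\n' && c != EOF)      /* drain the rest of the over-long line */
        c = getc(in);
    buf[0] = '\0';                     /* do not hand partial data to the caller */
    return LINE_TOO_LONG;
}

/* Demonstration helper: open constructed text as an in-memory file, read up to
 * 0-based line `index`, return its status and point *out at its contents. */
enum line_status nth_line(const char *text, int index, size_t cap, const char **out)
{
    static char buf[MAX_LINE];
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    enum line_status s = LINE_EOF;
    if (in == NULL)
        return LINE_EOF;
    if (cap > sizeof buf)
        cap = sizeof buf;
    for (int i = 0; i <= index; i++)
        if ((s = read_line(in, buf, cap)) == LINE_EOF)
            break;
    fclose(in);
    *out = buf;
    return s;
}
```

The caller decides what to do with a LINE_TOO_LONG result (reject the record, log it, abort), which is exactly the decision gets() never gives it the chance to make.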
