Illusions of Safety


Safety is a major league buzzword in the industry today. In many conversations it refers to the dangers, real or imagined, that arise from using data supplied by someone else, through the keyboard, a file, or an Internet connection. The advice you'll get on how to avoid these dangers usually recommends two approaches: Always validate data, and never use dangerous functions. To convince you that this is important, you'll hear slogans whose tone ranges from benign ("I always look both ways before I cross a street, even if it's a one-way street") through condescending ("We shouldn't leave sharp knives around where children can play with them") to outright insulting ("Anyone who uses gets is incompetent").

In the midst of all this we have the C technical report TR 24731 [1], which provides a set of replacements for the Standard C string-handling functions that are intended to "promote safer, more secure programming" [2]. In this column, I look at the nature of the problem that the functions in TR 24731 address, how the TR addresses the problem, and other ways it can be addressed in real-world code.

Buffer Overruns

Remember when you wrote code like this?

char buf[4];
strcpy(buf, "abcd");


Most of the time it would work. That is, the program would run to completion, doing what you expected it to do. But once in a while, a program with code like this would crash, and you'd have to fire up the debugger [3].

Now that you're more sophisticated, this kind of error takes on a more subtle form:

char buf[MAX_LINE];
gets(buf);

This code assumes that standard input has been redirected from a file consisting of lines that hold no more than MAX_LINE characters. If there's a longer line, there's no telling what will happen. For example, if standard input has not been redirected, users at the terminal can type anything at all, and will almost certainly at some point type something that's longer than any reasonable value of MAX_LINE.

In both of these cases, the extra characters get written to the memory locations beyond the end of buf. If there are other auto variables in the function that executes this code, they might get overwritten. This, of course, puts your program into an unanticipated state, which it probably can't handle. If you're lucky, it will crash immediately. If not, it continues to run with corrupted data and produces results that don't make sense.

But it's not just data that's vulnerable. A function's return address is stored on the stack along with its auto variables, so instead of overwriting your program's data, the buffer overrun can overwrite the return address. When the function returns, the processor jumps back to an address that doesn't make sense, and the program crashes.

Malicious users can deliberately feed bad data to a program with this sort of error to make it crash. When that's done through the Internet, it's one of the forms of a Denial of Service attack: If a web site's programs keep crashing, the web site can't be used for much.

Crashing someone else's program is fun for a while, but it soon gets boring. A much more exciting kind of exploit requires more sophistication. The attacker puts some assembly code into a buffer somewhere, then overwrites the function's return address with a new address that points to the assembly code. When the function returns, it jumps to the intruder's code, and he's in control [4].

So, obviously, you shouldn't write code that allows buffer overruns. The problem, of course, is how to prevent them.
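As an added illustration (not code from the column or from TR 24731) of what "preventing them" looks like in plain Standard C, the program below replaces the two fragments above with bounded versions. read_line is the gets replacement: it reads into a buffer of a caller-supplied size and, when an input line is longer than the buffer (the case the text describes), discards the rest of the line and reports that the data is incomplete instead of writing past the end. copy_bounded is the strcpy replacement: it always NUL-terminates and reports when the source did not fit. The value of MAX_LINE and the sample input are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 16   /* constructed value; the column leaves MAX_LINE unspecified */

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Read one line from fp into buf (capacity bufsize), never writing past the end.
 * A trailing newline is removed. If the line does not fit, the remainder of the
 * line is consumed and discarded and READ_TRUNCATED is returned, so the caller
 * knows buf holds only a prefix of what was actually on the input. */
enum read_status read_line(char *buf, size_t bufsize, FILE *fp)
{
    if (bufsize == 0)
        return READ_EOF;
    if (fgets(buf, (int)bufsize, fp) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline in buf: either the line was too long for the buffer, or the
     * input ended without a final newline. Look at the next character to tell. */
    int c = fgetc(fp);
    if (c == EOF)
        return READ_OK;             /* last line of input, no trailing newline */
    while (c != '\n' && c != EOF)   /* drop the part of the line that did not fit */
        c = fgetc(fp);
    return READ_TRUNCATED;
}

/* Copy src into dst (capacity dstsize), always leaving dst NUL-terminated.
 * Returns 0 on success, -1 if src did not fit (dst then holds a truncated copy). */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample input: one line that fits, one that is too long,
     * and a final line with no newline. tmpfile() stands in for redirected stdin. */
    const char *sample = "short line\nthis line is much longer than sixteen characters\nlast";
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 1;
    fputs(sample, fp);
    rewind(fp);

    char buf[MAX_LINE];
    enum read_status st;
    while ((st = read_line(buf, sizeof buf, fp)) != READ_EOF)
        printf("%-9s \"%s\"\n", st == READ_OK ? "ok" : "truncated", buf);
    fclose(fp);

    /* The strcpy(buf, "abcd") case from above: four bytes cannot hold "abcd" plus its NUL. */
    char small[4];
    int rc = copy_bounded(small, sizeof small, "abcd");
    printf("copy_bounded returned %d, small = \"%s\"\n", rc, small);
    return 0;
}
```

The important design point is that both functions take the buffer size as an argument and return a status: truncation is reported to the caller rather than silently happening, which is the information a program needs to decide whether a too-long line is an error, something to log, or something to skip.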
