OWASP AppSec The OWASP Foundation http://www owasp org http://www.owasp.org Beijing 2011 Safe a C API—Concise o solution ou o of buffer overflow 李建蒙 [email protected] Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. A Agenda d • Brief introduction of buffer overflow • The difference between standard C API and Safe C API • How does Safe C avoid buffer issue • Cautions • Summary 2 B ff overflow Buffer fl What is buffer overflow • More data is put into a holding area than it can handle. What’s the result of buffer overflow • Programs can act in strange ways. • Programs can fail completely. • Programs can proceed without any noticeable difference in execution. 3 N Notorious i attackk Attack Date Damage Morris Worm 1988-11 1988 11 Over 6000 server crash Unix sendmail、Finger、rsh/rexec Code Red worm 2001-7 IIS 4.0 and 5.0 allowing ll i the th worm to t execute t arbitrary bit code d and d infect the machine. It affected almost 1,500,000 system. Slammer Worm 2003-1 Microsoft SQL Server 2000 a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. Infect 359,000 Sun Solaris telnet daemon 2007-2 This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. h i Ubuntu Perl-Compatible Regular Expression (PCRE) library 2010-4 it could still be injected deliberated in malware to create backdoor entrances into a network 4 Th cost off b The buffer ff error 5 B ff overflow Buffer fl b bug Buffer overflow 6 H How to avoid id it? i? CPU/OS • • AMD Eh Ehanced d Virus Vi Protection P t ti / IIntel t lE Excute t Di Disable bl Bit(EDB) OS Data Execution Protection(NX) • • MS: /GS /DYNAMICBASE /NXCOMPAT Linux: FORTIFY_SOURCE StackGuard StackShield ProPolice • Use safe library C++ STL C Safe C Library http://sourceforge.net/projects/safeclib Compiler p Use different languages languages, like Java, Java C# Write the right code 7 S f C Li Safe License 8 O Overview i the h difference diff Sample p safe C replacement p to traditional standard C lib function C Standard Safe C Standard char *strcpy (dest, src) errno_t strcpy_s (dest, dmax, src) Error codes to indicate specific failure _s postfix for all safe functions Max destination buffer size to prevent overflow 9 Th standard The d d C API Strong points Convenient to use. Performance is a little better than Safe C API Weak points No input validation, easy to cause buffer issue. Some APIs have no return value to check whether there is an issue happened. 10 Th Safe The S f C API Strong points Input validation to avoid buffer issue, like overflow, unterminated string etc. etc Have return value to check whether there is an issue during calling. lli Weak points Performance is a little poorer than standard API. Write more codes to check the return value. 11 Wh Safe Why S f C? Guard against g overflowing g a buffer Do not unexpectedly truncate string Do not produce un-terminated string R t Return value l to t show h whether h th there th is i error happened h d Provide unified Runtime Runtime-constraint constraint handler 12 string t i API List Li t 13 H How d does string t i API to t avoid id buffer issue strcpy_s py_ 14 Th difference The diff to t copy string ti • Standard C char str1[20] = {0}; cchar a st str2[20] [ 0] ={”Just { Just a test test”}; }; strcpy(str1, “a string“ ); • Safe C errno t rc =strcpy_s(str1, errno_t =strcpy s(str1 20, 20 str2); if ( rc != EOK) {/* copy failed */ } else {/* copy success */ } 15 Ho does strcpy_s How st cp s avoid a oid buffer b ffe If Safe C check the buffer is not enough to contain the string(including i (i l di the h end d char h ‘\0’), ‘\0’) it i will ill empty the h dest string. 16 Ho does st How strcpy_s cp s avoid a oid buffer b ffe issue iss e --overlap p If Safe C check the buffer is overlapped, it will empty the dest string. 17 strcpy_s off MS 18 strcpy/strcpy_s t / t P Performance f ms Million times 32byte 19 How does string API avoid buffer issue Which API will cause to set dest to empty? • strcpy_s strncpy_s strcat_s strncat_s • strcpyfld_s strcpyfld s strcpyfldin_s strcpyfldin s strcpyfldout_s strcpyfldout s What kinds of error will set dest to empty? ESOVRLP Buffer overlap ESUNTERM unterminated string Like: dest[dmax-1] is not ‘\0’ ESNOSPC not enough space What is the default action? • The default will only set the first byte to ‘\0’ • if want all bytes were set to ‘\0’, please define SAFE_LIB_STR_NULL_SLACK. • Or redefine the error handler handler. 20 M Memory API list li 21 How does memory API avoid buffer issue Which API will cause to set dest content to 0? • memmove_s • memcpy_s What kinds of error will cause to set dest to 0? ESZEROL smax is 0 ESNULLP src is NULL ESLEMAX smax exceeds dmax ESOVRLP Memory overlap What is the default action? • the default will set all bytes to 0 22 M Memory APIAPI Performance P f For Safe C memcpy_s and memmove_s are same. They callll the h same API. API ms Hundred thousand memcpy s memmove memcpy_s, memmove_s s vs memcpy memcpy, memmove 23 M Memory API There are 3 APIs were p provided byy safe C for every standard API Void * Uint16 * Uint32 * memcpy_s memcpy16_s memcpy32_s memmove_s memmove16_s memmove32_s memset s memset_s memset16 s memset16_s memset32 s memset32_s memzero_s memzero16_s memzero32_s 24 Memory APIAPI Performance test result I ms Million times 25 Memory APIAPI Performance test result II ms Million times 26 E Error h handler dl The default handler Simple error message to console How to use your own handler typedef void (*safe_lib_constraint_handler_t)(const char *msg, void *ptr, errno_t error); safe_lib_constraint_handler_t safe_lib_set_constraint_handler( safe_lib_constraint_handler_t handler) 27 Wh t ki What kinds d off platforms l tf can use Windows MAC Linux Solaris AIX 28 H How tto use it on S Solaris? l i ? The type in safe_types.h has conflict with inttypes.h • int8_t int16_t int32_t uchar_t uint8_t uint16_t uint32_t ushort • ulong g ulonglong g g rsize_t _ • safe_types.h f t h • #ifdef SOLARIS • #include <inttypes.h> • #else • #endif 29 S f CC Safe Caution ti I --- about b t case The API name with case means insensitive • strcasestr_s • strcasecmp_s 30 S f C Caution Safe C ti II– II memset_s t errno_t memset_s (void *dest, rsize_t len , uint8_t value ) rsize_t len uint8_t value size_t n n ); void* memset(void *s, int int cc , size_t Use memzero_s to set memoryy to 0. 31 S f CC Safe Caution i III Safe is based on the correct size of destination buffer. 32 Th result The lt off using i Safe S f C 33 Summary & Conclusion 35
© Copyright 2026 Paperzz