reflections on using c root cause analysis
play

Reflections on using C(++) Root Cause Analysis Abstractions - PowerPoint PPT Presentation

Nov 17, 2023 •219 likes •517 views

Hacking in C Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic 1 There are only two kinds of programming languages: the ones people complain about and the ones nobody uses. Bjarne

  1. Hacking in C Reflections on using C(++) Root Cause Analysis Abstractions Complexity Assumptions Trust hic 1

  2. “There are only two kinds of programming languages: the ones people complain about and the ones nobody uses.” Bjarne Stroustrup, the creator of C++ hic 2

  3. What we have seen in this course Some complexities that hide under the hood of C: • representation of data types, eg – long as big/little endian sequences of bytes – string, or char* , as char sequence terminated by the null character ’ \ 0’ • allocation of data on stack (by default) and heap (with malloc) • execution of code - esp. function calls - using the stack – with return addresses and frame pointers with some consequences • unexpected interpretation of data implicit casts between data types, p+1 for pointers p , %n %s %p in format strings, undefined behaviour • unintended manipulation of data array index outside bounds, pointer arithmetic, accessing uninitialized or de-allocated memory, memory leaks which allows attacks hic 3

  4. The good news C is a small language that is close to the hardware • you can produce highly efficient code • compiled code runs on raw hardware with minimal infrastructure Therefore C is typically the programming language of choice • for highly efficient code • for embedded systems (which have limited capabilities) • for system software (operating systems, device drivers,...) hic 4

  5. The somewhat bad news The precise semantics of C programs depends on underlying hardware, eg • sizes of data types differ per architecture • casting between types will reveal endianness of the platform • ... The precise semantics of a C program can only be determined by looking at 1) the compiled code 2) the underlying hardware For efficiency it is unavoidable you have to know the underlying hardware, but for the semantics you’d wish to avoid this. This also hampers portability of code hic 5

  6. The really bad news Writing secure C(++) code is hard, because the built-in notorious sources of security vulnerabilities • buffer overruns, and absence of array bound checks • dynamic memory, managed by the programmer with malloc and free and using complex pointers More generally: undefined behavior caused by this And format string attacks, though these should be easy to fix.. hic 6

  7. The good vs the bad news “C is a terse and unforgiving abstraction of silicon” hic 7

  8. Undefined behaviour Defined in the FAQ as Anything at all can happen; the Standard imposes no requirements. The program may fail to compile, or it may execute incorrectly (either crashing or silently generating incorrect results), or it may fortuitously do exactly what the programmer intended. hic 8

  9. Undefined causing problems [Example from Linux kernel] 1. unsigned int tun_chr_poll(struct file *file, 2. poll_table *wait) 3. { 4. struct tun_file *tfile = file->private_data; 5. struct tun_struct *tun = __tun_get(tfile); 6. struct sock *sk = tun->sk; // shorthand for (*tun).sk 7. if (!tun) return POLLERR; // check if tun is non-null 8. ... .. } Line 7 checks if tun is NULL, and if so, returns error But in line 6 tun is already de-referenced... Compiler is now allowed to assume that tun is non-null in line 7 • because if tun is null, then line 6 is undefined behaviour, and any code the compiler produces is ok gcc will actually remove line 7 as compiler optimisation. This caused a security flaw in Linux kernel when compiled with gcc. hic 9

  10. Undefined causing problems [Example from Linux kernel] The code below is careful to check for negative lengths and potential integer overflows 1. int vsnprintf(char *buf, size_t size, ...) { 2. char *end; 3. if (size < 0) return 0; // reject negative length 4. end = buf + size; 5. /* Make sure end is always >= buf */ 6. if (end < buf ) {...} 7. ... 8. } Programmer assumes that if buf+size overflows, it will become negative. However, buf+size overflowing is undefined behaviour, and all bets are off. Compiler may remove line 6; it knows that size is non-negative and may assume that buf+size >= buf for any addition with a non-negative number • because if the addition overflows, this is undefined behaviour, and any code it produces is ok hic 10

  11. C(++) vs safer languages You can write insecure code in any programming language. Still, some programming languages offer more in-built protection than others, eg against • buffer overruns, by checking array bounds • problems with dynamic memory, eg by garbage collection • missing initialisation, by offering default initialisation • suspicious type casts, by disallowing these • integer overflows, by raising exceptions when these occur C(++) programmer is like trapeze artist without safety net hic 11

  12. Consequences of the bad news Many products should carry a government health warning Warning: this product contains C(++) code and therefore, unless the programmers were experts and never made a mistake, is likely to contain buffer overflow vulnerabilities. As a C(++) programmer, you have to become an expert at avoiding classic security flaws in these languages – incl. using all the defenses discussed last week hic 12

  13. C(++) secure coding standards & guidelines Fortunately, there is now good info available, eg C(++) Secure Coding Standards by CERT https://www.securecoding.cert.org NB • If you are going to write C(++) code, you have to read such documents! • If you work for a company that produces C(++) code, you’ll have to make sure that all programmers read them too! hic 13

  14. Dangerous C system calls [source: Building secure software, J. Viega & G. McGraw, 2002] Extreme risk • gets High risk Moderate risk Low risk • strcpy • getchar • fgets • strecpy • strcat • fgetc • memcpy • strtrns • sprintf • getc • snprintf • realpath • scanf • read • strccpy • syslog • sscanf • bcopy • strcadd • getenv • fscanf • strncpy • getopt • vfscanf • strncat • getopt_long • vsscanf • vsnprintf • getpass • streadd 14

  15. C(++) secure coding standards & guidelines More general coding guidelines, which also cover other (OS-related) aspects besides generic C(++) issues: • Secure programming HOWTO by Dan Wheeler chapter 6 on buffer overflows Linux/UNIX oriented http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/buffer-overflow.html • Writing Secure Code by Howard & Leblanc chapter 5 on buffer overflows Microsoft-oriented hic 15

  16. Some root cause analysis hic 16

  17. Recurring theme: functionality vs security There is often a tension between functionality and security. People always choose for functionality over security: Classic example: efficiency of the language (not checking array bounds) vs security of the language (checking array bounds) hic 17

  18. functionality vs security 18

  19. Recurring theme: mixing user & control data Mixing control data (namely return addresses & frame pointers) and untrusted user data (which may overrun buffers) next to each other on the stack was not a great idea. Remember the root cause of phone phreaking! Note that format string attacks also involve control data (or control characters) inside user input hic 19

  20. Recurring theme: complexity • Who understands all implicit conversions between C data types? • Who can understand whether a large C program leaks memory? Or accidentally accesses freed memory? (because there are too many/too few/the wrong free statements) • Who understands all the sources of possibly undefined behaviour? • Who understands the compiler optimalisations that are allowed in the presence of undefined behavior? • Should a programmer have to know the entire C language specification to be able to write secure code? Complexity is a big enemy of security Abstractions are our main (only?) tool to combat – or at least control – complexity. hic 20

  21. Controlling complexity: Abstractions We want to deal with abstractions instead of complex underlying representations, eg • a long instead of a big- or little-endian sequence of sizeof(long) bytes • a string "Hello" instead of a null-terminated sequence of • array indexing, eg. a[12] , instead of pointer arithmetic in &a+12*sizeof(int) • a function call f(12) instead of – push 12 on the stack – push current address & frame pointer on stack – allocate local variables and jump to f – upon return, pop everything from the stack & continue at the return address you found on the stack hic 21

  22. Abstractions Ideally, abstractions should be rock solid, so they cannot be broken. This means • they do not rely on assumptions (on how they are used) • the underlying representation does not matter, and is never revealed – even when users supply malicious input. If that is the case we do not have to trust programs, or the programmers that write them, to use abstractions in the right way. hic 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reflections on using C(++) Root Cause Analysis Abstractions Assumptions Trust sws1 1

Reflections on using C(++) Root Cause Analysis Abstractions Assumptions Trust sws1 1

Software and Web Security 1 Reflections on using C(++) Root Cause Analysis Abstractions Assumptions Trust sws1 1 There are only two kinds of programming languages: the ones people complain about and the ones nobody uses. Bjarne

527 views • 25 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
Root C t Cause An Analysis Presented by: Isaac Garcia, RCC Objec ectives es Define Root

Root C t Cause An Analysis Presented by: Isaac Garcia, RCC Objec ectives es Define Root

Root C t Cause An Analysis Presented by: Isaac Garcia, RCC Objec ectives es Define Root Cause Understand how an organization benefits from root cause Learn how to determine root cause using the 5 Why method Learn how to

739 views • 31 slides
Root Cause Analysis Information Session SAICA Offices, JHB 27 June 2017 2 Root Cause Analysis

Root Cause Analysis Information Session SAICA Offices, JHB 27 June 2017 2 Root Cause Analysis

IRBA Root Cause Analysis Information Session SAICA Offices, JHB 27 June 2017 2 Root Cause Analysis (RCA) Information Session 27 June 2017 Presenters: Imre Nagy, Pieter Cloete &amp; Sadhir Issirinarain 3 RCA Information Session Index

748 views • 38 slides
Section 2 Solutions of Equations in One Variable (Root-Finding) Numerical Analysis I

Section 2 Solutions of Equations in One Variable (Root-Finding) Numerical Analysis I

Section 2 Solutions of Equations in One Variable (Root-Finding) Numerical Analysis I Xiaojing Ye, Math &amp; Stat, Georgia State University 21 Root-finding Definition Let f : R R (univariate), then x is called a root , or zero , of f

347 views • 7 slides
Root Causes Analysis Case studies &amp; exercises Sansanee Choowaew Causes of Problems Causes

Root Causes Analysis Case studies &amp; exercises Sansanee Choowaew Causes of Problems Causes

Root Causes Analysis Case studies &amp; exercises Sansanee Choowaew Causes of Problems Causes of Problems Immediate causes (threats) Root causes If the Root Causes are not understood, efforts are wasted - by addressing only the

176 views • 15 slides
Risk Control Projects Workforce Capability and Human Error Event Analysis Root Cause

Risk Control Projects Workforce Capability and Human Error Event Analysis Root Cause

Risk Control Projects Workforce Capability and Human Error Event Analysis Root Cause Determinations James Merlo, Associate Director of Human Performance Reliability Issues Steering Committee Meeting April 16, 2013 Event Analysis Root Cause

348 views • 7 slides
2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The

2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The

2018 RCMP Youth Academy Why the RCMP Youth Academy? Reflections Reflections Reflections The Details aged 16 to 18 interested in police work as a possible future career. Burnaby, Coquitlam, North Vancouver, Richmond and Surrey

395 views • 10 slides
PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

Mario Vuksan &amp; Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:

690 views • 45 slides
Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis,

Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis,

Lecture Outline Systeem- en Regeltechniek II Previous lecture: The root locus method, analysis, design. Lecture 6 Root Locus, Frequency Response Robert Babu ska Today: Remarks on the computer session. Delft Center for Systems and

226 views • 6 slides
Tackling Root Causes TACKLING ROOT CAUSES AGENDA 1) Downstream Solutions suggested time 15-20

Tackling Root Causes TACKLING ROOT CAUSES AGENDA 1) Downstream Solutions suggested time 15-20

Part 3 of Moving from Service to Solutions Modeled from Solutions U Tackling Root Causes TACKLING ROOT CAUSES AGENDA 1) Downstream Solutions suggested time 15-20 minute 2) The Five Whys suggested time 20-30 minutes 3) Root Cause Analysis

656 views • 9 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno

CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno

CDAR Continuous Data-driven Analysis of Root Stability March 8, 2016 ICANN55, Marrakech Benno Overeinder (NLnet Labs) Cristian Hesselman (SIDN) Objective Analyze technical impact of the New gTLD Program on stability of the root server

440 views • 10 slides
Continuous Improvement Through Networked Improvement Communities Root Cause Analysis and Theory

Continuous Improvement Through Networked Improvement Communities Root Cause Analysis and Theory

Continuous Improvement Through Networked Improvement Communities Root Cause Analysis and Theory of Action Agenda 1. Welcome and Introductions 2. Continuous Improvement Overview 3. Root Cause Analysis 4. Theory of Action 5. Closing

739 views • 57 slides
Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins

Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins

Reflections on Statistical Data Analysis in Neutrino Experiments since NOMAD and F-C Bob Cousins Univ. of California, Los Angeles (UCLA) PHYSTAT- Workshop on Statistical Issues in Experimental Neutrino Physics, Fermilab September 21, 2016

690 views • 56 slides
Private Networks Physically disconnected from the outside Internet. Three properties: Users

Private Networks Physically disconnected from the outside Internet. Three properties: Users

1 Virtual Private Networks Chester Rebeiro IIT Madras 2 Private Networks Physically disconnected from the outside Internet. Three properties: Users Authenticated. Users are authorized and their identities verified. Content Protected.

684 views • 37 slides
OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3

OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3

OMNeT++ Community Summit, 2015 Beyond INET 3.0 IBM Research - Zurich, Switzerland September 3 - 4, 2015 Levente Mszros Overview Network node architecture refactoring Cross-layer communication and optimization Mobility refactoring

1.09k views • 38 slides
SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn

SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn

SoK: Sanitizing for Security Dokyung Song , Julian Lettner, Prabhu Rajasekaran, Yeoul Na, Stijn Volckaert, Per Larsen, Michael Franz Finding Bugs in C/C++ Manual Analysis Static Analysis Dynamic Analysis AddressSanitizer MemorySanitizer Code

658 views • 39 slides
Automated deployment and customization of routing overlays on PlanetLab C. Freire, A.

Automated deployment and customization of routing overlays on PlanetLab C. Freire, A.

Automated deployment and customization of routing overlays on PlanetLab C. Freire, A. Quereilhac, T. Turletti, W. Dabbous {claudio-daniel.freire,alina.quereilhac,thierry.turletti,walid.dabbous}@inria.fr A primer to PlanetLab A worldwide

869 views • 39 slides
FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net /

FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net /

FreeBSD 8, ipfw and OpenVPN 2.1 server (bridged mode) Toma Muraus (kami@k5-storitve.net / @KamiSLO) October 2009 1. Table of contents 1. Table of

384 views • 14 slides
Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of

Mobitopolo: A Portable Infrastructure to Facilitate Flexible Deployment and Migration of Distributed Applications with Virtual Topologies Richard POTTER NICT Akihiro NAKAO University of Tokyo NICT Virtual Infrastructure for Testbeds

161 views • 13 slides
Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer

Outline Where overflows come from, contd CSci 5271 More problems Introduction to Computer Security Announcements intermission Low-level vulnerabilities and attacks (combined lecture) Classic code injection attacks Stephen McCamant

391 views • 9 slides
MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor

MTS: Bringing Multi-Tenancy to Virtual Networking Kashyap Thimmaraju, Saad Hermak, Gbor Rtvri and Stefan Schmid USENIX Annual Technical Conference 2019 July 11, Renton, Washington, USA Virtual Networks Using Virtual Switches VM VM VM

962 views • 58 slides

More recommend