Presentation is loading. Please wait.

Presentation is loading. Please wait.

Failure to handle errors correctly. Intro Many security risks are possible when programmers fail to handle error conditions correctly –The program can.

Similar presentations

Presentation on theme: "Failure to handle errors correctly. Intro Many security risks are possible when programmers fail to handle error conditions correctly –The program can."— Presentation transcript:

1 Failure to handle errors correctly

2 Intro Many security risks are possible when programmers fail to handle error conditions correctly –The program can end up into an insecure state –The application can die: denial of service (DOS) C#, Ruby, Python, Java. Crashing, aborting, or restarting in server code could be serious problems. Common source of problems is code “cut&paste”

3 CWE CWE 81: Failure to sanitize Directives in error message Web Page CWE 388: Error Handling CWE 209: Error Message Information leak CWE 390: Detection of Error Condition Without Action CWE 252: Unchecked Return Value

4 Affected Languages ASP PHP C C++ C# Ruby Python VB.NET Java.

5 The flaw explained… Yielding too much information Ignoring errors Misinterpreting errors Using useless return values Using non-error return values

6 … The flaw explained… Yielding too much information: –an error occurs and the programmer says exactly what happened and how to fix the error Ignoring Errors: –Some errors are informational or optional (the return value of printf is very rarely checked) –Windows impersonation functions: ImpersonatedSelf(), ImpersonateLogonUser(), SetThreadToken(), when fail the token still has the identity associated with the process token->privilege elevation bug –Call fopen(), it fails (no file, file locked, access denied): if you don’t handle the error, calls to fwrite() or fread() fail too->DOS.

7 Windows Impersonation Mechanism In distributed systems, it is typical for one server to call another server to accomplish a task for a client. This functionality is called impersonation. To handle these requests for a client, the server must be given the authority to do so. The ability to call other servers while impersonating the original client is called delegation. Through impersonation, a thread runs in a security context that is different from the context of the process that owns the thread. When a server thread runs in the security context of the client, it uses an access token that represents the client credentials in order to obtain access to the objects to which the client has access. This provides the ability for a thread to run by using different security information from the process that owns the thread. Typically, a thread in a server application impersonates a client. This impersonation allows the server thread to act for that client in order to access objects on the server or validate access to the client objects. The following diagram shows the impersonation process. A client makes a request to server A. If server A must query server B to complete the request, server A impersonates the client security context and makes the request to server B for the client. Server B uses the security context of the original client, instead of the security identity for server A, to determine whether to complete the task.

8 … The flaw explained… –Some errors mustn’t be caught as well as NullPointerException, and in some cases programmer do not catch correctly the exception, just force to quit-> DOS. Misinterpeting errors: –recv() return three values Length of messages in bytes I f no msgs available and the user has performed an orderly shutdown, it returns 0 Otherwise -1 and errno is set to indicate the error. –Malloc(): if the size argument is 0 allocates a zero length item return a valid pointer to that item –If the size argument is >0 and there isn’t enough memory available return NULL –Realloc() if the size argument is 0, the block pointed to by the,memblock argument is freed and the return value is Null. If the size argumentis >0 and there isn’t enough memory available, realloc() returns NULL

9 … The flaw explained Using useless return values –Some of the C standard return functions are simply dangerous strncpy() returns no useful values, just a pointer to the destination buffer, regardless the state of the destination buffer –If the call leads to a buffer overrun, the return value points to the start of the overflowed buffer! Using non error return values –MulDiv() (Win OSs) allow programmers to do a little 64 bit math before 64 bit integers. –Int result= ((long long) x * (long long)y)/z –The function returns -1 on error, which could be an acceptable result.

10 Sinful C/C++… The developer is checking the return from a function that yields a completely useless value The return from strncpy() is a pointer to the start of the destination buffer It’s of little use, but it allows chaining of function calls Assume there is no buffer overrun along the way. Char dest [19]; Char p = strncpy(dest, szSomeLongDataFromAHaxOr, 19); If (p) { Everything worked fine, party on dest or p } Programmer is expecting NULL on error->OOOps

11 … Sinful C/C++… Common mistake. The code checks for a return value but only in an assert, which goes away once you no longer use the debug option. DWORD OpenfileContents (char *szFileName) { Assert (szFilename !=Null); Assert (strlen(szFileName) >3); FILE *f = fopen(szFileName, “r”); Assert(f); //Do work on the file Return 1; }

12 …Sinful C/C++ (on Win) Windows include impersonation functions that may fail. Windows server 2003 allows to grant privileges only to specific accounts such as service accounts (local systems, local services, network services) and administrators. Thus your code could simply fail when calling an impersonation function ImpersonatedNamedPipeClient(hPipe); DeleteFile(szFileName); RevertToSelf(); If the process is running as Local System, and user calling the code is a low-privileged user, the call to DeleteFile() may fail because the user has no access to the file If the impersonation function fails the thread is still executing in the context of the process, Local System, which probably can delete the file (a LOW-PRIVILEGED USER!!!!!!)

13 Spotting the Sin during code reviews Verify the correctness of all functions that do not check the return value from functions with a non –void return type. The best way to find the sin is through code review.

14 Redemption Steps… DWORD OpenFileContents (char *szFileName) { If (szFileName == NULL || strlen(szFile) <=3) Return ERROR_BAD_ARGUMENTS; FILE *f = fopen(szFileName, “r”); If (f==NULL) Return ERROR_FILE_NOT_FOUND; //Do work on the file Return -1; }

15 Resources Code complete, Second Edition by Steve McConnell (Microsoft Press, 2004) Linux Kernel mremap() Missing Return Value Checking Privilege escalation:

Download ppt "Failure to handle errors correctly. Intro Many security risks are possible when programmers fail to handle error conditions correctly –The program can."

Similar presentations

Ads by Google