Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Published bySusanna Georgiana Williamson Modified over 6 years ago

Similar presentations

Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Format String Vulnerabilities CSC 482/582: Computer Security

2 Variadic Functions Functions with a variable number of arguments.
Use <stdarg.h> in standard C. Supported by most languages in some way. Defining the interface Mem location where variadic arguments begin. Size of arguments (int, double, etc.) Method for communicating count of arguments. Repeat to find all arguments Increment pointer by argument size. Get data. CSC 482/582: Computer Security

3 Variadic Functions in C
#include <stdarg.h> double average(int count, ...) { va_list ap; int j; double sum = 0; va_start(ap, count); /* Last fixed param gives address */ for (j = 0; j < count; j++) { sum += va_arg(ap, double); /* Incr ap to next arg */ } va_end(ap); return sum / count; CSC 482/582: Computer Security

4 Format Strings Convert basic data types to output strings
Percent(%) symbols in string indicate substitutions. %[flags][width][.precision][length][type] Example format strings and resulting output printf(“%010d”, 2009)  printf(“%4.2f”, )  3.14 Example functions printf(), fprintf(), sprintf(), etc. scanf(), fscanf(), etc. syslog() CSC 482/582: Computer Security

5 Format String Types Type Meaning Passed As %d
Integer as a signed decimal number. Value %u Unsigned integer as decimal number. %f Double in fixed point notation. %x Unsigned integer as hexadecimal number. %s Null-terminated string. Ref %n Write number of characters successfully written so far into an integer pointer. CSC 482/582: Computer Security

6 printf() information leaks
User-specified format strings userstring = “foo %x”; printf(userstring); Where can it find arguments to replace %x? The Stack: %x reads 4-bytes higher in stack Could be another local variable from this function or a previously called one. Solution: printf(“%s”, userstring) or fputs(userstring) CSC 482/582: Computer Security

7 printf() buffer overflows
Overflow example char buf[256]; sprintf(buf,“The data is %s\n”, userstr); C90 solution sprintf(buf,“The data is .32%s\n”,userstr); C99 solution snprintf(buf, 255, “The data is %s\n”, userstr); CSC 482/582: Computer Security

8 %n format command Number of characters written so far is stored into the integer indicated by the int * pointer argument. char buf[] = " "; int *n; printf(“buf=%s%n\n", buf, n); printf("n=%d\n", *n); Output: buf= n=14 CSC 482/582: Computer Security

9 %n format attack Plan of Attack Use %n to write anywhere in memory
Find address of variable to overwrite Place address of variable on stack (as part of format string) so %n will write to that address Write # of characters equal to value to insert into variable (use precision, e.g., %.64x) Use %n to write anywhere in memory Address on stack can point to any location CSC 482/582: Computer Security

10 Securing Formatted Output
Exclude user input from format strings. Limit length of formatted output with length specifies or by using snprint(). Compiler checks gcc provides –Wformat-security option, which will warn about potential formatted output security issues. CSC 482/582: Computer Security

Download ppt "CSC 482/582: Computer Security"

Similar presentations

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.

I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Dale Roberts Basic I/O – scanf() CSCI 230 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Department of.

Dale Roberts Basic I/O – scanf() CSCI 230 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Department of.
CS1061 C Programming Lecture 16: Formatted I/0 A. O’Riordan, 2004.

CS1061 C Programming Lecture 16: Formatted I/0 A. O’Riordan, 2004.
41 A Depth Program #include int main(void) { int inches, feet, fathoms; //declarations fathoms = 7; feet = 6 * fathoms; inches = 12 * feet; printf(“Wreck.

41 A Depth Program #include int main(void) { int inches, feet, fathoms; //declarations fathoms = 7; feet = 6 * fathoms; inches = 12 * feet; printf(“Wreck.
More on Numerical Computation CS-2301 B-term 20081 More on Numerical Computation CS-2301, System Programming for Non-majors (Slides include materials from.

More on Numerical Computation CS-2301 B-term More on Numerical Computation CS-2301, System Programming for Non-majors (Slides include materials from.
Chapter 9 Formatted Input/Output Acknowledgment The notes are adapted from those provided by Deitel & Associates, Inc. and Pearson Education Inc.

Chapter 9 Formatted Input/Output Acknowledgment The notes are adapted from those provided by Deitel & Associates, Inc. and Pearson Education Inc.
1 CSE1301 Computer Programming: Lecture 9 Input/Output.

1 CSE1301 Computer Programming: Lecture 9 Input/Output.
CS 161 Introduction to Programming and Problem Solving Chapter 13 Console IO Herbert G. Mayer, PSU Status 9/8/2014 Initial content copied verbatim from.

CS 161 Introduction to Programming and Problem Solving Chapter 13 Console IO Herbert G. Mayer, PSU Status 9/8/2014 Initial content copied verbatim from.
Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 18-2 Standard C Library I/O commands.

Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Standard C Library I/O commands.
 2000 Prentice Hall, Inc. All rights reserved. Chapter 9 - Formatted Input/Output Outline 9.1Introduction 9.2Streams 9.3Formatting Output with printf.

 2000 Prentice Hall, Inc. All rights reserved. Chapter 9 - Formatted Input/Output Outline 9.1Introduction 9.2Streams 9.3Formatting Output with printf.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. 1 9.2Streams Streams –Sequences of characters organized.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved Streams Streams –Sequences of characters organized.
CMPE13 Cyrus Bazeghi Chapter 18 I/O in C. CMPE13 18-2 Standard C Library I/O commands are not included as part of the C language. Instead, they are part.

CMPE13 Cyrus Bazeghi Chapter 18 I/O in C. CMPE Standard C Library I/O commands are not included as part of the C language. Instead, they are part.
Chapter 9 Formatted Input/Output. Objectives In this chapter, you will learn: –To understand input and output streams. –To be able to use all print formatting.

Chapter 9 Formatted Input/Output. Objectives In this chapter, you will learn: –To understand input and output streams. –To be able to use all print formatting.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Sales person receive RM200/week plus 9% of their gross sales for that week. Write an algorithms to calculate the sales person’s earning from the input.

Sales person receive RM200/week plus 9% of their gross sales for that week. Write an algorithms to calculate the sales person’s earning from the input.

Similar presentations

Ads by Google