Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use.

Published byAgnes Roberts Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use."— Presentation transcript:

1 Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use them without initializing them –E.g., C and C++ Why is that a problem?

2 Lecture 14 Page 2 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use them without initializing them –E.g., C and C++ Why is that a problem?

3 Lecture 14 Page 3 CS 236 Online A Little Example main() { foo(); bar(); } foo() { int a; int b; int c; a = 11; b = 12; c = 13; } bar() { int aa; int bb; int cc; printf("aa = %d\n",aa); printf("bb = %d\n",bb); printf("cc = %d\n",cc); }

4 Lecture 14 Page 4 CS 236 Online What’s the Output? lever.cs.ucla.edu[9]./a.out aa = 11 bb = 12 cc = 13 Perhaps not exactly what you might want

5 Lecture 14 Page 5 CS 236 Online Why Is This Dangerous? Values from one function “leak” into another function If attacker can influence the values in the first function, Maybe he can alter the behavior of the second one

6 Lecture 14 Page 6 CS 236 Online Variable Cleanup Often, programs reuse a buffer or other memory area If old data lives in this area, might not be properly cleaned up And then can be treated as something other than what it really was E.g., bug in Microsoft TCP/IP stack –Old packet data treated as a function pointer

7 Lecture 14 Page 7 CS 236 Online Use-After-Free Bugs Increasingly popular security bug type Related to memory management –Memory structures are dynamically allocated on the heap Either explicitly or implicitly freed –Depending on language and context In some cases, pointers can be used to access freed memory –E.g., in C and C++

8 Lecture 14 Page 8 CS 236 Online An Example Use-After-Free Bug In OpenSSL (from 2009)... frag->fragment,frag->msg_header.frag_len); } dtls1_hm_fragment_free(frag); pitem_free(item); if (al==0) { *ok = 1; return frag->msg_header.frag_len; } dtls1_hm_fragment_free(frag); return frag->msg_header.frag_len

9 Lecture 14 Page 9 CS 236 Online What Was the Effect? Typically, crashing the program But it would depend When combined with other vulnerabilities, could be worse E.g., arbitrary code execution Often making use of poor error handling code

10 Lecture 14 Page 10 CS 236 Online Recent Examples of Use-After- Free Bugs Internet Explorer (2014, several in 2012-2013) Adobe Reader and Acrobat (2014) Mozilla, multiple products (2012) Google Chrome (2012)

11 Lecture 14 Page 11 CS 236 Online Some Other Problem Areas Handling of data structures –Indexing error in DAEMON Tools Arithmetic issues –Integer overflow in Sophos antivirus –Signedness error in XnView Errors in flow control –Samba error that causes loop to use wrong structure Off-by-one errors –Denial of service flaw in Clam AV

12 Lecture 14 Page 12 CS 236 Online Yet More Problem Areas Null pointer dereferencing –Xarrow SCADA system denial of service Side effects Punctuation errors Typos and cut-and-paste errors –Recent iOS vulnerability based on inadvertent duplication of a goto statement There are many others

13 Lecture 14 Page 13 CS 236 Online Why Should You Care? A lot of this stuff is kind of exotic Might seem unlikely it can be exploited Sounds like it would be hard to exploit without source code access Many examples of these bugs probably unexploitable

14 Lecture 14 Page 14 CS 236 Online So...? Well, that’s what everyone thinks before they get screwed “Nobody will find this bug” “It’s too hard to figure out how to exploit this bug” “It will get taken care of by someone else” –Code auditors –Testers –Firewalls

15 Lecture 14 Page 15 CS 236 Online That’s What They Always Say Before their system gets screwed Attackers can be very clever –Maybe more clever than you Attackers can work very hard –Maybe harder than you would Attackers may not have the goals you predict

16 Lecture 14 Page 16 CS 236 Online But How to Balance Things? You only have a certain amount of time to design and build code Won’t secure coding cut into that time? Maybe But less if you develop code coding practices If you avoid problematic things, you’ll tend to code more securely

17 Lecture 14 Page 17 CS 236 Online Some Good Coding Practices Validate input Be careful with failure conditions and return codes Avoid dangerous constructs –Like C input functions that don’t specify amount of data Keep it simple

Download ppt "Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use."

Similar presentations

Dynamic Memory Management

Dynamic Memory Management
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
C Language Elements (II) H&K Chapter 2 Instructor – Gokcen Cilingir Cpt S 121 (June 22, 2011) Washington State University.

C Language Elements (II) H&K Chapter 2 Instructor – Gokcen Cilingir Cpt S 121 (June 22, 2011) Washington State University.
Nov 10, Fall 2006IAT 8001 Debugging. Nov 10, Fall 2006IAT 8002 How do I know my program is broken?  Compiler Errors –easy to fix!  Runtime Exceptions.

Nov 10, Fall 2006IAT 8001 Debugging. Nov 10, Fall 2006IAT 8002 How do I know my program is broken?  Compiler Errors –easy to fix!  Runtime Exceptions.
CS414 C Programming Tutorial Ben Atkin

CS414 C Programming Tutorial Ben Atkin
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
More on protocol implementation Packet parsing Memory management Data structures for lookup.

More on protocol implementation Packet parsing Memory management Data structures for lookup.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays 2005-06-22.

CS 61C L03 C Arrays (1) A Carle, Summer 2005 © UCB inst.eecs.berkeley.edu/~cs61c/su05 CS61C : Machine Structures Lecture #3: C Pointers & Arrays
Memory and C++ Pointers.  C++ objects and memory  C++ primitive types and memory  Note: “primitive types” = int, long, float, double, char, … January.

Memory and C++ Pointers.  C++ objects and memory  C++ primitive types and memory  Note: “primitive types” = int, long, float, double, char, … January.
. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.

. Memory Management. Memory Organization u During run time, variables can be stored in one of three “pools”  Stack  Static heap  Dynamic heap.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
C++ Programming: From Problem Analysis to Program Design, Second Edition1 Objectives In this chapter you will: Learn about the pointer data type and pointer.

C++ Programming: From Problem Analysis to Program Design, Second Edition1 Objectives In this chapter you will: Learn about the pointer data type and pointer.
Storage Management. The stack and the heap Dynamic storage allocation refers to allocating space for variables at run time Most modern languages support.

Storage Management. The stack and the heap Dynamic storage allocation refers to allocating space for variables at run time Most modern languages support.

Similar presentations

Ads by Google