Index
Note: Page numbers followed by f and t indicate figures and tables, respectively. Footnotes are indicated by n.
A
ABI (application binary interface), 127–128
Absolute path name, 405–406, 432
Accelerated Requirements Method (ARM), 484
Access control lists (ACLs), 413
Access right(s), analysis and reduction, 494–495
ACLs. See Access control lists (ACLs)
ActiveX controls, vulnerabilities in, 515
one’s complement, 233
Address space layout randomization (ASLR), 111–116
Adve, Vikram, 506
AHP (Analytical Hierarchical Process), 485
AIR. See As-if infinitely ranged (AIR) integer model
Alert TA06-081A, 428
aligned_alloc() function, 146, 148–149, 153
return values on success and error, 217, 217t
Alignment(s)
definition, 147
extended, 148
fundamental, 148
stronger/stricter, 148
weaker, 148
Allocation function(s), 163–168
for array types, 163
and deallocation functions, correct pairings, 176, 176t
incorrect pairing of C and C++ allocation and deallocation functions and, 172–173
for nonarray types, 163
American National Standards Institute (ANSI)
C Standard, 20
Analytical Hierarchical Process (AHP), 485
The Annotated C++ Reference Manual (Ellis and Stroustrup), 20
ANSI. See American National Standards Institute (ANSI)
Apple file system forks, and equivalence errors, 436–437
Application binary interface (ABI), 127–129
Application Verifier, 222
Arbitrary memory write, 124–125, 127
and atexit() function, 133–134
and global offset table, 127–129
and longjmp() function, 134–136
and structured exception handling, 138–139
and system default exception handling, 139
and virtual pointers, 133
Arbitrary write condition, 288
Arbitrary-precision arithmetic, 227, 292–293
Architecture and design, in software development, 486–503
Arena(s), jemalloc, 216
malicious, 64
naming, 313
passing, 313
sequentially ordered, 312–313, 312f
Argument pointer(s), 323, 323f
and buffer expansion, 346
and variadic function implementation, 344–345
Ariane 5 launcher, 301
Arithmetic. See also Integer(s)
arbitrary-precision, 227, 292–293
C language solution, 293
bignum, 227
GMP (GNU Multiple-Precision Arithmetic Library), 292
Java BigInteger, 292
modulo (modwrap semantics), 302
one’s complement, 233
usual integer conversions, 249
Arithmetic operations
one’s complement, 233
division and remainder, 274–279
ARM (Accelerated Requirements Method), 484
Arrays, 30
character, 30
count, 40
fixed-length, and data from unbounded sources, 43
length, 40
variable-length (VLAs), 150–151
The Art of Computer Programming (Knuth), 181–182
As-if infinitely ranged (AIR) integer model, 303–304, 505
and observation point, 303–304
As-if rule, 369
ASLR (address space layout randomization), 111–116
asprintf() function, 340
ATM, application-specific misuse case, 485, 486t
relaxed, 371
use, 463
Attack surface
analyzing, 494
Attack Surface Analyzer, 517
Attackers, definition, 14
AusCERT, 28
Advisory AA-2000.02, 348
Automated teller machine (ATM), application-specific misuse case, 485, 486t
Avoidance strategy(ies). See Mitigation(s)
B
Basic character set, 32
Basic Combined Programming Language (BCPL), 19
Basic Fuzzing Framework (BFF), 514
BCPL. See Basic Combined Programming Language (BCPL)
Best-fit memory allocation, 181
BFF (Basic Fuzzing Framework), 514
flawed logic exploited by, 5, 5f
Block devices, 407
Boehm-Demers-Weiser conservative garbage collector, 169
Bound, definition, 30
Boundary(ies), exploitable, 500–501, 501f
Boundary tags, 181, 181n, 201–202, 201f
Branching
Buffer overflow(s), 53–54, 53f, 70, 118–120. See also String(s)
dlmalloc
formatted output functions and, 319–321
inadequately bounded loops and, 122–123
mitigation strategies, detection and recovery, 72, 101–102
secure recovery from, 72, 101–102
in stack segment, 59
__builtin_object_size() function, 102–106
__builtin___strcpy_chk() function, 105–106
Butenhof, David, 368
C
C*, 20
C and C++
alternatives to, 25
descendants of, 20
and implementation-defined behavior, 22, 23
legacy code, 24
and locale-specific behavior, 21, 23
standards, 20
and type safety, 24
and unspecified behavior, 21–22
and vulnerabilities, 21
C11 Annex K bounds-checking interfaces, 73–76, 282, 340–341
C++ Coding Standards: 101 Rules, Guidelines, and Best Practices (Sutter and Alexandrescu), 83
The C Programming Language (Kernighan and Ritchie), 19, 181–182
C range error detector (CRED), 107–108
C runtime (CRT) library, in Win32, 197–198
C Standard, memory management functions, 146–147
calloc() function, 147, 152, 153–154, 173
and integer wraparound vulnerability, 284
return values on success and error, 217, 217t
Canary(ies)
Random XOR, 109
Canonicalization, 439–442, 499–500
Case sensitivity, and equivalence errors, 436
Casts, 38
__cdec1, 313
Center for Strategic and International Studies (CSIS), list of significant cyber events, 10
Cerb CerbNG, concurrency vulnerabilities, 400
CERT Advisory
CA-1996-20, 428
CA-1996-24, 428
CA-1996-25, 428
CA-1997-05, 428
CA-1997-06, 118
CA-2000-06, 118
CA-2000-13, 348
CA-2001-27, 349
CA-2002-33, 223
CA-2003-02, 223
CA-2003-07, 428
CA-2003-12, 428
CA-2003-16, 2
CA-2003-25, 428
The CERT C Secure Coding Standard (Seacord), 482–483, 510
“Arrays (ARR),” 30
ARR32-C, 150
DCL03-C, 273
DCL12-C, 292
ERR00-C, 76
ERR02-C, 88
ERR03-C, 75
EXP33-C, 151
EXP34-C, 155
FIO02-C, 440
FIO15-C, 429
FIO30-C, 338
FIO32-C, 445
FIO33-C, 45
FIO34-C, 86
FIO35-C, 86
FIO37-C, 64
FIO43-C, 460
INT01-C, 290
INT06-C, 339
INT07-C, 240
INT13-C, 281
INT15-C, 244
INT34-C, 280
MEM03-C, 152
MEM07-C, 152
MEM09-C, 151
MEM11-C, 153
MEM35-C, 156
MEM36-C, 149
MEM39-CPP, 176
MSC06-C, 153
MSC10-C, 33
MSC23-C, 162
MSC34-C, 42
POS01-C, 467
POS35-C, 466
POS36-C, 426
POS37-C, 428
SIG30-C, 355
“Signals (SIG),” 279
STR00-C, 39
STR01-C, 73
STR30-C, 35
STR32-C, 49
STR35-C, 43
STR36-C, 36
CERT Vulnerability Note, 11
VU#29823, 348
VU#159523, 154
VU#192038, 222
VU#210409, 433
VU#286468, 349
VU#542081, 223
VU#568148, 2
VU#595507, 349
VU#650937, 223
VU#866472, 224
CERT/CC
Insider Threat Center, 9
role in security training, 481
ROSE Checkers SourceForge, 305
vulnerabilities reported to, 11, 12, 18
Vulnerability Disclosure Policy, 9n
Chamber of Commerce, U.S., computer network, hacker penetration of, 10
Change state property, 363, 469
Channel(s), analysis and reduction, 494–495
Character devices, 407
Character set
basic, 32
execution, 32
Character string literals, 34–36
Checklists, for software development, 516
Check-use-check pattern, 463–466
chroot() system call, 487, 487n
clear(), 31
close() function, 410–411, 411t
cmd.exe, 4
Code audits, 515
for integer range errors, 306
CodeSonar, 506
COFF (common object file format), 207n
Common desktop environment (CDE), 348
Common object file format (COFF), 207n
Compass/ROSE tool, 506–507, 511
Competitive intelligence professionals, as threat, 9–10
Compilation flags, 503–504, 504f
Compiler optimization, undefined behaviors in C and, 23
Compiler reordering, and thread safety, 369–370
Compiler-generated runtime error checks, 106, 300–301
Complete mediation, 488–489, 490f
Complete object, 148
Computer Crime and Security Survey, 2010/2011, 6
Computer security, 12
Concatenation functions, 89–93, 93t
Concurrency
definition, 353
livelock, 385
and lock contention, 383, 392–393
mitigation strategies, 368–384
concurrent code properties, 383–384
happens before, 371
immutable data structures, 383
lock guards, 375
memory barriers (fences), 378–379
message queues, 380
relaxed atomic operations, 371
semaphores, 379
synchronization primitives, 371–374
and prematurely releasing a lock, 391–392
programming for, common errors, 362–368
single-threaded programs and, 354–355
spinlocks, 398
starvation, 385
DoS attacks in multicore DRAM systems, 399
in system call wrappers, 400–401
time-of-audit-to-time-of-use (TOATTOU), 401
time-of-check-to-time-of-use (TOCTTOU), 401
time-of-replacement-to-time-of-use (TORTTOU), 401
Concurrent Versions System (CVS). See CVS
Concurrent-C, 20
Conforming program, 23
Conover, Matt, 198
const char, 35
Constructor attribute, 129–131
Container virtualization, 470
Control flow(s)
Control transfer instructions, 125
Conversion specification, 314–315
Conversion specifier(s), 315, 315t–316t
Conversions, integer. See Integer conversions
Copy functions, string, 89–92, 92t
of Blaster worm, 4
Counted minus loop, 290
Countermeasure(s). See Mitigation strategy(ies)
_countof(array), 40
Crackers. See also Attackers
definition, 9
CRED (C range error detector), 107–108
Crimes. See Cybercrime
Criminals. See also Attackers
as threat, 9
Critical section, 363
Critical undefined behavior, 303–304
CSIS. See Center for Strategic and International Studies (CSIS)
.ctors section, 130
CVS buffer overflow vulnerability, 222
CVS server double-free, 214, 223–224
traditional crimes becoming, 6, 8t
trends in, 6
underreporting of, 6
unnoticed, 6
unreported, 6
CyberSecurity Watch Survey, 2010, 6
Cyberterrorism, 10
Cyclone, 25
D
D programming language, 25
DAG. See Directed acyclic graph (DAG)
Data
ad hoc, processing, 498
encapsulation, 497
external, trusted vs. untrusted, 50
in nonstandard formats, processing, 498
sanitization, 500. See also Blacklisting; Whitelisting
specifications for, 497
Data execution prevention (DEP), 114–115
Data parallelism, 357–359, 357f
Data races, 370–371. See also Deadlocks
Data streams, 408
Deallocation function(s), 163, 164, 168–169
and allocation functions
for array types, 163
for nonarray types, 163
throwing an exception, 179–180
decode_pointer() function, 140–142
Defect report (DR) 400, 161–162
Defense in depth, 72, 120, 511–512
Defensive strategy(ies). See Mitigation strategy(ies)
Déjà vul, 152
delete expression, 162, 172–173
Denial-of-service (DoS), 4, 4n
DEP (data execution prevention), 114–115
Department of Homeland Security, Software Assurance Curriculum Project, 481
Detection and recovery strategy(ies)
Development, software. See Software development
preventing operations on, 445–448
Dhurjati, Dinakar, 506
Direct access, to arguments, 335–337
Directed acyclic graph (DAG), 404
vulnerable products, 434, 434t
allocated and free memory chunks, structure, 182–183, 183f
buffer overflow
double-free vulnerabilities, 191–195
free list double-linked structure, 183–184, 183f
writing to freed memory, 195–196
DoS. See Denial-of-service (DoS)
Double-free vulnerability(ies), 157, 158, 160, 177–178. See also CVS server double-free
DRAM. See Dynamic random-access memory (DRAM) systems
Dynamic analysis, in race condition detection, 471
Dynamic memory allocator, 146
Dynamic memory management, 145–224
aligned_alloc() function, 146, 148–149, 153
best-fit allocation, 181
handling of allocation failures, 172
calloc() function, 147, 152–154
common errors, 151–162, 172–180
checking return values, 153–155
dereferencing null or invalid pointers, 155–156
freeing memory multiple times, 157–158
improperly paired functions, 172–176
memory leaks, 158
referencing freed memory, 156–157
zero-length allocations, 159–160
consistent conventions for, 212–213
first-fit allocation, 181
free() function, 147
improperly paired memory management functions and, 172–176
incorrect pairing of C and C++ allocation and deallocation functions and, 172–173
incorrect pairing of scalar and array operators and, 174–175
mitigation strategies, 212–222
notable vulnerabilities, 222–224
and randomization, 215
realloc() function, 146, 149, 153
Dynamic random-access memory (DRAM) systems, multicore, DoS attacks in, 399
Dynamic randomized-input functional testing, 513–514
Dynamic storage allocation, 181–182
Dynamic storage duration, 162
Dynamic use of static content, 338–339
E
e-crime. See Cybercrime
Edison Design Group (EDG) compiler, 507
Education
online secure coding course, 481
Effective C++ (Meyers), 341
Effective group ID (EGID), 416–427
Effective user ID (EUID), 415–427
Eiffel, 20
eip register. See Instruction pointer (eip)
ELF (executable and linking format), 127–129
encode_pointer() function, 140–142
Environment(s), supervised, 496
Error conditions
concurrency programming, 362–368
dynamic memory management, 151–162, 172–180
checking return values, 153–155
dereferencing null or invalid pointers, 155–156
freeing memory multiple times, 157–158
improperly paired functions, 172–176
memory leaks, 158
referencing freed memory, 156–157
zero-length allocations, 159–160
integers, 242t, 255t–256t. See also Integer overflow
exceptional condition errors, 256–257, 257t
integer type range errors, 288
nonexceptional integer logic errors, 287–288
truncation errors, 251, 254, 256–257, 257t, 259–260, 285–287, 288
null-termination errors, 48–49
off-by-one errors, 47
string truncation, 49
unbounded string copies, 42–47
Escape sequences, 34
EServ password-protected file access vulnerability, 436
Ettercap version NG-0.7.2, 349
Evans, Jason, 216. See also jemalloc memory manager
Event thread, 380
Exception, definition, 136
Exception handling, 136–139, 206
for new operator, 165
Exec Shield, 346
Executable and linking format (ELF), 127–129
eXecute Disable (XD) bit, 114
eXecute Never (XN) bit, 114
Execution character set, 32
“Exploiting Concurrency Vulnerabilities in System Call Wrappers” (Watson), 400
definition, 16
for IsPasswordOK program, stack smashing, 59–64
proof-of-concept, 16
remote procedure call, Blaster worm and, 3–4
return-oriented programming, 71–72
Extended alignment, 148
Extended base pointer (ebp) register, 56–57
Extended characters, 32
F
Failure Observation Engine (FOE), 514, 514n
Fallon, Elias, 512
False negatives, in static analysis, 507–509, 508t
False positives, 304
in static analysis, 507–509, 508t
__fastcall, 313
fclose() function, 410
fgets() function, 64, 84–86, 87, 89t
File(s)
closing, 217
create without replace, 453–456
using multiple file attributes, 448–450
secure delete, 444
stream, 408
temporary
and appropriate privileges, 460, 461t
create without replace, 460, 461t
creation functions, 459–460, 461t
creation in shared directories, 459–460, 461t
and exclusive access, 460, 461t
and removal before termination, 460, 461t
with unique and unpredictable file names, 459–460, 461t
privilege management functions, 419–421
UNIX file permissions, 413–415
byte input/output functions, 407
in C++, 412
advisory locks, 458
exclusive locks, 458
mandatory locks, 458
shared locks, 458
synchronization primitives, 456–458
synchronizing across processes, 456–458
trusted/untrusted control flows, 450–451
data streams, 408
mitigation strategies, 461–471
atomic operations, 463
checking for symbolic links, 464–467
chroot jail, 470
closing the race window, 462–467
container virtualization, 470
controlling access to race object, 469–471
dynamic analysis tools, 471
eliminating race objects, 467–469
file descriptors versus file names, 468–469
Helgrind tool, 471
mutual exclusion migration, 462
principle of least privilege, 469
race detection tools, 471
secure directories, 470
static analysis tools, 471
Thread Checker, 471
thread-safe functions, 462–463
and synchronizing across processes, 456–458
vulnerabilities
privilege escalation, 418
time of check, time of use (TOCTOU), 451–453, 455
wide-character input/output functions, 408, 412
File lock, 458
advisory, 458
exclusive, 458
mandatory, 458
shared, 458
binding to file objects, 432
unique and unpredictable, for temporary files, 459–460, 461t
using file descriptors instead of, 468–469
distributed, 404
hierarchical, 404
Financial loss(es). See Costs
Finite-state automaton (FSA), 420, 420f
First-fit memory allocation, 181
Flags, 316
FOE (Failure Observation Engine), 514, 514n
foo() function, 57
function prologue for, 58, 58t
Foote, Jonathan, 514
fopen() function, 409–410, 411t
fopen_s() function, 456
Format string(s), 309–310, 314–318
conversion specifications in, 314–315
conversion specifier, 315, 315t–316t
excluding user input from, 338
flags, 316
interpretation, 314
length modifier, 317, 317t–318t
ordinary characters in, 314
precision, 316
width, 316
Format string vulnerability(ies), 319–320, 349–351
brute-forcing, 351
and crashing a program, 321–322
defeating stack randomization and, 332–333
detection, static taint analysis and, 343–344
and direct parameter access memory write, 335–337
heap-based, exploiting, 351
and viewing memory content, 324–326, 325f
and viewing stack content, 322–324, 323f
wide-character, 332
and writing addresses in two words, 334–335
WU-FTP, 319
mitigation strategies, 337–348
C11 Annex K bounds-checking interfaces, 340–341
dynamic use of static content, 338–339
excluding user input from format strings, 338
Exec Shield, 346
iostream versus stdio, 341–342
modifying variadic function implementation, 344–346
restricting bytes written, 339–340
static binary analysis, 347–348
static taint analysis, 343–344
testing, 342
-Wformat flag, 343
-Wformat-nonliteral flag, 343
-Wformat-security flag, 343
variadic functions, 309–313, 344–346
vulnerabilities
direct argument access, 335–337
Ettercap version NG-0.7.2, 349
internationalization, 331
output streams, 321
viewing memory content, 324–326, 325f
viewing stack content, 322–324, 323f
Washington university FTP daemon, 348
wide-character, 332
writing addresses in two words, 334–335
Formatted output functions, 313–319
GCC implementation, 318
limits, 318
Visual C++ implementation, 318–319
length modifier, 319
limits, 319
Forrester, Justin, 514
Fortify, 506
fprintf(), 314
Frame, definition, 56
free() function, 152, 156–157, 162, 173, 181, 181n
FTP session, directory traversal vulnerability, 433–434
Function(s). See specific function
Function pointer(s), 121, 123–124
Function prologue, 58
fwrite() function, 39
G
Gadget(s)
definition, 71
return-oriented programming set of, 71–72, 71f
Turing-complete set of, 71
Garbage collection, 169–172, 212
GCC (GNU Compiler Collection), 26–27, 506
security diagnostics, 507
“The Geometry of Innocent Flesh on the Bone” (Shacham), 72
getdelim() function, 88
GetFileType() function, 448
getline() function, 77, 87–89, 89t
gets() function, 42–43, 46, 51–53, 64, 84
Global offset table (GOT), 128–129
Gloger, Wolfram, 182
GLSA 200506-07, 349
GMP (GNU Multiple-Precision Arithmetic Library), 292
GNU Compiler Collection (GCC), 26–27, 506
GNU libc allocator, 182
GNU Multiple-Precision Arithmetic Library (GMP), 292
GOT (global offset table), 128–129
Group ID (GID), 413
GSWKT (Generic Software Wrappers Toolkit), concurrency vulnerabilities, 400
Guard pages, OpenBSD, 216
Guide to the Software Engineering Body of Knowledge (Bourque and Dupuis), 483–484
Guidelines, for software development, 516
H
Hackers
politically motivated attacks by, 10
Hacker’s Delight (Warren), 299
Happens before, 371
Heap memory
randomization, in Windows, 113
Heap-based exploits, 146. See also Dynamic memory management
Heap-based vulnerabilities
mitigation strategies, 212–222
Helgrind tool, 471
Hi, definition, 30
Horovitz, Oded, 198
Howard, Michael, 298
HP Fortify Static Code Analyzer, 344
Hyperthreading, 354
I
IAT (import address table), 129
Implementation
definition, 22
Import address table (IAT), 129
Independent security reviews, 516–517
Information warriors, as threat, 10
Input validation, 102, 497–498, 500, 518
Insiders, as threat, 9
Instruction pointer (eip), 57
Insure++, 221
int, 232
minimum width, 237
compiler- and platform-specific integral limits, 228, 228t
definition, 225
error conditions, 242t, 255t–256t. See also Integer overflow
exceptional condition errors, 256–257, 257t
integer type range errors, 288
nonexceptional integer logic errors, 287–288
truncation errors, 251, 254, 256–257, 257t, 259–260, 285–287, 288
int, 232
minimum width, 237
intptr_t, 245
long int, 232
minimum width, 237
long long int, 232
minimum width, 237
mitigation strategies, 288–306
arbitrary-precision arithmetic, 292–293
as-if infinitely ranged (AIR) integer model, 303–304
GNU Multiple-Precision Arithmetic Library (GMP), 292
integer type selection, 289–291
Java BigInteger, 292
Microsoft Visual Studio c4244 warning, 305
Microsoft Visual Studio runtime error checks, 106, 300
modwrap semantics, 302
postcondition testing, 297
restricted range usage, 302–303
saturation semantics, 302
secure integer libraries, 297–299
source code audit, 306
type safety, 292
verifiably in-range operations, 301–303
one’s complement, 232, 233, 234–235, 235t
division and remainder, 274–279
and exceptional condition errors, 256–257, 257t
downcast from a larger type, 272–273
postcondition test using status flags, 270–272
precondition test, general, 273–274
postcondition test using status flags, 267–268
operators
that can result in overflow, 239, 239t–240t
that can result in wrapping, 231, 231t
packed, 358
platform-independent types for controlling width, 245
platform-specific types, 245–246
and integer wraparound vulnerability, 284–285
precision, 227
security flaws involving, 225–226, 283
arithmetic (signed), 281, 281f
left shift, 279–281, 280f, 283
short int, 232
minimum width, 237
sign and magnitude, 232, 234–235, 235t
ranges, 235–237, 235t–236t, 236f
minimum width, 237
truncation toward zero, 274
two’s complement, 232–233, 234–235, 234f, 234t, 235t, 239
and unary negation (–), 279
to unsigned conversion, 254, 255f
typedefs, 241
uintptr_t, 245
unary negation (–), 279
to two’s complement conversion, 251, 251f
vulnerabilities, 283–288. See also Integer wraparound
conversion errors, 285
nonexceptional integer logic errors, 287–288
explicit, 246
and loss of sign, 251, 254, 256
and loss of value, 251, 254, 256
from signed types, 253–255, 255t–256t
loss of precision, 253, 255t–256t
to unsigned, 253–255, 255t–256t
from unsigned types, 250–253, 252t
usual arithmetic, 249
Integer overflow, 237–239, 239t–240t, 256–257, 257t, 261, 288
signed
resulting from addition, 261–262
avoiding or detecting, 262–265
downcast from a larger type, 265
postcondition test using status flags, 263–264
precondition test, general, 264–265
precondition test, two’s complement, 264
resulting from division, 274
detecting and avoiding, 276–279
resulting from multiplication, 269
detecting or avoiding, 271–274
resulting from subtraction
avoiding or detecting, 268
precondition test, 268
Integer wraparound, 229–231, 256–257, 257t, 283–285
resulting from addition, 261
avoiding or detecting, 265–267
precondition test, 266
resulting from multiplication, detecting or avoiding, 271–274
resulting from subtraction
avoiding or detecting, 269
postcondition test, 269
postcondition test using status flags, 269
precondition test, 269
Intellectual property, theft of, 9
Interface(s), exploitable, 500–501, 501f
Internationalization, formatted output vulnerability, 331
Internet Security Glossary, version 2, 483
Internet Security Systems Security Advisory, 349
Interprocess communication (IPC) mechanism(s), 459
intptr_t, 245
I/O. See File I/O
iOS, ASLR (address space layout randomization), 116
islower() function, 21
ISO/IEC
9899-1990, 20
9899:1999, 482
14882:2011, 20
24731, 74
TR 24731-2, 76–77, 87–88, 92, 93, 99, 483
TS 17961 C Secure Coding Rules, 15, 217, 483, 509–510
conformance test suite for, 510
security flaw in, 52–53, 53f, 59–64, 62f, 63f
istream class, 46
Iterators, 81
J
Java, 25
Java BigInteger, 292
Java Native Interface (JNI), 25
jemalloc memory manager, 216–217
JIT. See Just-in-time (JIT) compiler
Jones, Richard, 506
JPEG files, comment field, unsigned integer wraparound vulnerability, 283–284
Just-in-time (JIT) compiler, and W^X policy, 114–115
K
Kamp, Poul-Henning, 213. See also phkmalloc
Kelly, Paul, 506
Kerberos
buffer overrun vulnerability, 118
double-free vulnerabilities, 224
Klocwork, 506
K&R. See The C Programming Language
L
Lam, Monica, 506
Last Stage of Delirium (LSD) Research Group, 2
LDRA, 506
Lea, Doug, 146
memory allocator (dlmalloc), 182–191. See also dlmalloc
Least common mechanism, 489, 492
Least privilege, 70, 489–492, 494
Legacy code, C and C++, 24
Lesk, M. E., 309n
Libsafe, 107
libsafe library, 496
Libverify, 107
Linux, 26
address space layout randomization, 112
file systems supported, 404
Livelock, 462
Lo, definition, 30
Load effective address (lea) instruction, 65–66
Locale, 32
Lock guards, 375
long int, 232
minimum width, 237
long long int, 232
minimum width, 237
Look-aside lists, 200, 200f, 212
LSD (Last Stage of Delirium Research Group), 2
M
Mac OS X
ASLR (address space layout randomization), 116
file systems supported, 404
Mail transfer agent (MTA), privilege management, 424
main() function, 43
malloc, return values on success and error, 217, 217t
malloc() function, 151–155, 173, 181
Manadhata, Pratyusa, 517
mbstowcs(), 35
MDAC. See Microsoft Data Access Components (MDAC)
and object size checking, 104–105
memcpy_s() function, 100
memmove() function, 100
memmove_s() function, 100
Memory. See also Dynamic memory management
freed
accessing, 217
freeing, 217
multiple times, 157–158, 176–179, 218
heap
randomization, in Windows, 113
management modes, string-handling functions, 73
process, organization, 54, 55f
data declarations and, 123
read-only, 54
stack, randomization, in Windows, 113
uninitialized, referencing, 218
virtual, Win32 API, 196–197, 197f
zero-length allocations, 159–160
automatic detection of, 158
detection
Insure++, 221
Purify, 218
Valgrind tool, 221
Memory manager(s), 146, 180–182
memset() function, 152
memset_s() function, 152
Message queues, 380
Messier, Matt, 498
Metasploit Project, 3
Meyers, Scott, 341
Microsoft Data Access Components (MDAC), buffer overflow vulnerability, 223
Microsoft Office, vulnerabilities in, SDL and, 474, 475f
Microsoft OpenOffice, vulnerabilities in, SDL and, 474, 475f
Microsoft Security Bulletin
MS02-65, 223
MS03-026, 2
Microsoft Visual Studio. See Visual Studio
Microsoft Windows. See Windows
Miller, Barton, 514
MIT krb5 library, 213
MIT krb5 Security Advisory 2004-002, 224
Mitigation(s), definition, 17
Mitigation pitfalls, concurrency, 384–398
applications, 474
broad, 473
buffer overflow, detection and recovery, 72, 101–102
concurrent code properties, 383–384
happens before, 371
immutable data structures, 383
lock guards, 375
memory barriers (fences), 378–379
message queues, 380
relaxed atomic operations, 371
semaphores, 379
synchronization primitives, 371–374
dynamic memory management, 212–222
atomic operations, 463
checking for symbolic links, 464–467
chroot jail, 470
closing the race window, 462–467
container virtualization, 470
controlling access to race object, 469–471
dynamic analysis tools, 471
eliminating race objects, 467–469
file descriptors versus file names, 468–469
Helgrind tool, 471
mutual exclusion migration, 462
principle of least privilege, 469
race detection tools, 471
secure directories, 470
static analysis tools, 471
Thread Checker, 471
thread-safe functions, 462–463
C11 Annex K bounds-checking interfaces, 340–341
dynamic use of static content, 338–339
excluding user input from format strings, 338
Exec Shield, 346
iostream versus stdio, 341–342
modifying variadic function implementation, 344–346
restricting bytes written, 339–340
static binary analysis, 347–348
static taint analysis, 343–344
testing, 342
-Wformat flag, 343
-Wformat-nonliteral flag, 343
-Wformat-security flag, 343
heap-based vulnerabilities, 212–222
arbitrary-precision arithmetic, 292–293
as-if infinitely ranged (AIR) integer model, 303–304
GNU Multiple-Precision Arithmetic Library (GMP), 292
integer type selection, 289–291
Java BigInteger, 292
Microsoft Visual Studio C4244 warning, 305
Microsoft Visual Studio runtime error checks, 106, 300
modwrap semantics, 302
postcondition testing, 297
restricted range usage, 302–303
saturation semantics, 302
secure integer libraries, 297–299
source code audit, 306
type safety, 292
verifiably in-range operations, 301–303
race conditions, 461
C11 Annex K bounds-checking interfaces, 73–76, 282, 340–341
detection and recovery, 101–102
dynamic allocation functions, 76–80
input validation, 102
invalidating string object references, 81–83
mkstemp function, secure and insecure use of, 461t
mktemp function, secure and insecure use of, 461t
Mode(s), file opening, 409–410
Modula 3, 20
Moore, H. D., 3
Morris worm, 117
msblast.exe, 4
MTA. See Mail transfer agent (MTA)
Multibyte character set, 32. See also UTF-8
Multibyte string, 32
Multiplication operations, 269–274
Mutex(es), 374–375. See also Named mutex object
N
Named pipes, 407
NASA. See National Aeronautics and Space Administration (NASA)
National Aeronautics and Space Administration (NASA), advanced persistent threat attacks against, 10
National Institute of Standards and Technology (NIST), Static Analysis Tool Exposition (SATE), 509
National Vulnerability Database (NVD), vulnerabilities cataloged by, 11, 11f
Negative zero, 234
NEON instructions, 357
NetBSD Security Advisory 2000-002, 284
Network administrators, definition, 13
New expression, 162–163, 172–173, 175
incorrect use, 172
nothrow form, 172
NIST. See National Institute of Standards and Technology (NIST)
No eXecute (NX) bit, 114
NTBS (null-terminated byte string), 36–37
NTMBS (null-terminated multibyte string), 36
Null pointer(s), 212
Null-terminated byte string (NTBS), 36–37
Null-terminated multibyte string (NTMBS), 36
NVD. See National Vulnerability Database (NVD)
NX (No eXecute) bit, 114
O
Object pointer(s), 121, 124–125
Objective-C, 20
Obsolescent feature(s), 162
Off-the-shelf software, 495–496
security options for, 216, 216t
open() function, 410–411, 411t
open_memstream() function, 78
OpenSHH
privilege escalation vulnerability, 418
secure shell implementation, 487–488, 487f
open_wmemstream() function, 78
Operating system(s), 26
and runtime protection strategies, 111–116
detection and recovery, 111–113
operator delete() function, 163, 164, 168–169, 173, 174
operator delete[]() function, 163, 168, 173–175
operator new() function, 163, 164, 173–175
and member new() function, failure to properly pair, 175
operator new[]() function, 163, 173–175
Out-of-bounds store, 304
Overaligned type, 148
P
Page(s), in Win32 virtual memory API, 196
achievable, program structure and, 360, 360f
and performance goals, 359–361
and work-to-span ratio, 360, 361f
passwd program, 422
Path equivalence errors, 435–437
resolution, 432
PCLint, 506
Penetration testing, 513
Permission(s)
definition, 413
on newly created files, 429–432
Pethia, Richard, 4
Phishing, 9
phkmalloc, 213–215. See also OpenBSD
security implications, 214, 214t
Placement new, 163
correct and incorrect use of, 175–176
PLT (procedure linkage table), 129
disguised, and garbage collection, 169–170
decryption, 140
encryption, 140
invalid
formed by library function, 218
to member type, 121
null, 212
out-of-domain, dereferencing, 217
safely derived, 170
to wide string, 34
Pointer subterfuge
definition, 121
mitigation strategies, 139–142
pointer_safety, 170
Portable executable (PE) file, 129, 207, 207n
“A Portable I/O Package” (Lesk), 309n
POSIX
open and close file functions, 410–411
threading library, 368
Preservation, and type safety, 24
Privilege(s)
appropriate, 420
definition, 413
revocation order for, 426
elevated, 418
escalation, 418
management, vulnerabilities associated with, 427–428
Procedure linkage table (PLT), 129
Process, definition, 54
Process environment block (PEB), 198, 199f
Process group IDs, 416
Process memory, organization, 54, 55f
data declarations and, 123
Programmer, definition, 13
Programming language(s)
alternatives to C, 25
popularity
Progress, and type safety, 24
Promotions, integer conversions, 247–249
ProPolice. See Stack-Smashing Protector (ProPolice)
Psychological acceptability, 489, 492–493
Pure binary notation, 39
puts() function, 51
Q
Quality management, software development, 479–480
Quality requirements engineering, 483–485
R
Race conditions, 362–364, 450–461
canonicalization and, 441
change state property, 363, 469
and concurrency property, 363
detection
dynamic analysis tools, 471
static analysis tools, 471
using check-use-check pattern, 465–466
file-related, eliminating, 467–469
from GNU file utilities, 451
and shared directories, 458–461
and shared object property, 363
time of check, time of use (TOCTOU), 451–453, 455
vulnerabilities related to, mitigation strategies, 461
Race object
controlling access to, 469–471
Race window, 451
critical section, 363
definition, 363
identification, 363
RAII. See Resource Acquisition Is Initialization (RAII)
rand() function, 285
Random XOR canaries, 109
Range checking, integers, 293–295
Ranges of integers, 235–237, 235t–236t, 236f
Read-only memory, 54
Real group ID (RGID), 416
realloc, return values on success and error, 217, 217t
realloc() function, 146, 149, 153, 159–162
realpath() function, 440–441, 495–496
Reference-counted smart pointer(s), 178–179
Region(s), in Win32 virtual memory API, 196
Relative path name, 406, 432, 435
Remote procedure call (RPC), buffer overflow vulnerability, 2–3, 2n
Resource Acquisition Is Initialization (RAII), 165–166, 375
Resource-exhaustion attack, 158
Return-oriented programming, 71–72
Risk assessment. See Threat assessment
RPC (remote procedure call), buffer overflow vulnerability, 2–3, 2n
RTL (runtime linker), 129
look-aside lists, 200, 200f, 212
process environment block, 198, 199f
double-free vulnerabilities, 208–211
heap-based vulnerabilities, 196–212
and writing to freed memory, 207–208
Runtime analysis tools, 218–222
Runtime bounds checkers, 106–108, 506
Runtime error checks
compiler-generated, 106, 300–301
Microsoft Visual Studio, 106, 300
Runtime linker (RTL), 129
Runtime protection strategies, 101–117
advances in (future directions for), 116–117
Runtime-constraint handler, 75–76, 299–300
RUS-CERT Advisory 2002-08:02, 284
Ruwase, Olatunji, 506
S
Safe-Secure C/C++ (SSCC), 116–117, 117f, 505–506, 507f
Sanitization, 500. See also Blacklisting; Whitelisting
Saved set-group-ID (SSGID), 416
Saved set-user-ID (SSUID), 415–416
SCADA (supervisory control and data acquisition), terrorist threat to, 10
Scalar registers, 357
SCALe (Source Code Analysis Laboratory), 510–511
Scott, Roger, 512
SDL. See Security Development Lifecycle (SDL)
Secunia Advisory SA15535, 349
Secure design patterns, 488
Secure wrappers, 496
Security
developmental elements, 12
operational elements, 12
Security analyst, definition, 13
Security Development Lifecycle (SDL), 474–480, 474f, 505. See also Simplified SDL
Security flaw(s)
definition, 14
elimination of, 17
and vulnerabilities, 15
Security policy
definition, 14
explicit, 14
implicit, 14
Security quality requirements engineering (SQUARE), 483–485
Security researcher, definition, 14
Security Tracker Alert ID 1014084, 349
Security use/misuse cases, 485, 485t, 486t
SecurityFocus Bugtraq ID 1387, 348
SEH. See Structured exception handling (SEH)
Semaphores, 379. See also Named semaphores
Sendmail, vulnerabilities, 428
Separation of privilege, 489, 490
SESS (Summit on Education in Secure Software), 480–481
Setgid programs, 422
setgid() function, 425
setlocale() function, 32
setresgid() function, 425
setresuid() function, 419, 421
Set-user-ID-root program, 422–424
Shacham, Hovav, 72
Shannon, Gregory E., 11
Shellcode, 64
injected, location of, 69
Shift state(s)
initial, 32
locale-specific, 32
short int, 232
minimum width, 237
Shortcuts, 453
Signal(s), in management of division errors, 278–279
Signal handler(s), concurrency issues and, 354–355
signed char, 37–38, 232, 240–241
minimum width, 237
Signed integer(s), 231–235, 240–241
ranges, 235–237, 235t–236t, 236f
Simplified Implementation of the Microsoft SDL, 475
Simplified SDL, mapping of resources and tools to, 475, 475t–476t
Single instruction, multiple data (SIMD) computing, 148–149, 357
slprint() function, 340
snprintf() function, 45, 314, 339–340
Sockets, 407
Software, off-the-shelf, 495–496
Software components, 12
definition, 14
per thousand lines of code, 27
static analysis, 512
architecture and design, 486–503
code audits, 515
data sanitization, 500
guidelines and checklists, 516
independent security reviews in, 516–517
penetration testing, 513
secure wrappers, 496
complete mediation, 488–489, 490f
least common mechanism, 489, 492
psychological acceptability, 489, 492–493
separation of privilege, 489, 490
testing, 503
validation, 500
and vulnerabilities in existing code, 495–496
Software security, threats to, 11–12
audits, 515
for integer range errors, 306
Source Code Analysis Laboratory (SCALe), 510–511
Spies, corporate. See Competitive intelligence professionals
Splint, 305
sprintf() function, 43, 45–47, 77, 309, 314, 339–340
SQUARE. See Security quality requirements engineering (SQUARE)
sscanf() function, 77
SSCC. See Safe-Secure C/C++ (SSCC)
SSE. See Streaming SIMD Extensions (SSE)
SSP. See Stack-Smashing Protector (ProPolice)
StackShield, 143
Stack(s)
and calling a subroutine, 55–56, 56f
nonexecutable, 113
Exec Shield and, 346
smashing, 59, 60f, 61f. See also Stack-Smashing Protector (ProPolice)
Stack-Smashing Protector (ProPolice) and, 110, 111f
Stack buffer overrun detection, 108–109
Stack memory, randomization, in Windows, 113
Stack pointer, 57
StackGap, 116
Stack-Smashing Protector (ProPolice), 108, 110, 111f
Standard library error, detection and handling of, 217
Standard template library (STL), checked implementation, 82
Standards, secure coding, 481–483
State-dependent encoding, 32
Static analysis, 217–218, 304–305
for format string vulnerabilities, 343–344
in race condition detection, 471
and verification, 512
Static assertion, 273
Static binary analysis, 347–348
-std flag, 27
std::bad_array_new_length, 166–167
std::basic_string, 36
__stdcall, 313
std::stream class, 46
Sticky bit, 415
STL (standard template library), checked implementation, 82
allocated, 147
dynamic, 162
strcat() function, 43, 49, 73, 89, 93t, 94
strcat_s() function, 73, 90–92, 93t
strcpy() function, 43–44, 48, 66–67, 67t–68t, 73, 89–90, 92t, 94
and object size checking, 104–105
strcpy_s() function, 73, 90–92, 92t
strdup() function, 45, 92, 92t
Stream
associated with memory buffer, 77–78
opening, to write to memory, 78–79
Stream files, 408
Streaming SIMD Extensions (SSE), 148–149, 357
Strictly conforming program, 23
concatenation functions, 89–93, 93t
definition, 30
null-termination errors, 48–49
off-by-one errors, 47
string truncation, 49
unbounded string copies, 42–47
definition, 31
C11 Annex K bounds-checking interfaces, 73–76, 282, 340–341
detection and recovery, 101–102
dynamic allocation functions, 76–80
input validation, 102
invalidating string object references, 81–83
multibyte, 32
definition, 31
pointer to, 30
storage for, 76
symbolic verification technique (Yu et al.), 306
truncating concatenation functions, 93–99, 99t
truncating copy functions, 93–99, 99t
truncation, 49
value of, 30
vulnerabilities and exploits, 50–72, 117–118
String-handling functions, 73, 84–101
strlcat() function, 90, 93t, 98, 99t
strlcpy() function, 90, 92t, 96, 99t
strlen() function, 31, 37, 40–41, 44, 48, 100–101
strncat() function, 49, 73, 93–95, 93t, 98, 99t
strncat_s() function, 73, 95, 97–98, 99t
strncpy() function, 48–49, 73, 90, 92t, 93–95, 96, 99t
strncpy_s() function, 73, 95–98, 99t
strnlen() function, 101
strtok() function, 49
Structured exception handling (SEH), 136–139, 277–278
Subobject(s), 148
Subroutine, calling, 55–56, 56f
Summit on Education in Secure Software (SESS), 480–481
Sun tarball vulnerability, 152
Supervised environments, 496
Supervisory control and data acquisition (SCADA), terrorist threat to, 10
Supplementary group IDs, 416, 426–427
svchost.exe, 4
Symbolic links, 406, 437–439, 437f, 452–453
symlink() system call, 437
syslog() function, 314
System administrator, definition, 13
System call wrappers, concurrency vulnerabilities, 400–401
System default exception handling, 136–137, 139
System integrator, definition, 13
Systrace, 496
concurrency vulnerabilities, 400
T
Tainted value(s), 51
tar utility, 152
Target(s), analysis and reduction, 494–495
Target size, definition, 31
Team Software Process for Secure Software Development (TSP-Secure), 477–480
TEBs. See Thread environment blocks (TEBs)
Temporary file(s)
and appropriate privileges, 460, 461t
create without replace, 460, 461t
creation functions, 459–460, 461t
creation in shared directories, 459–460, 461t
and exclusive access, 460, 461t
and removal before termination, 460, 461t
with unique and unpredictable file names, 459–460, 461t
Terrorists. See also Attackers
as threat, 10
Thread Checker, 471
Thread environment blocks (TEBs), 198
Thread safety, 368–370, 383–384
Thread support, 368
Thread usage policies, 380–381
Thread-safe functions, 462–463
Threat(s)
competitive intelligence professionals as, 9–10
criminals as, 9
definition, 8
information warriors as, 10
insiders as, 9
terrorists as, 10
Threat Modeling Tool, 494, 494n
Time of check, time of use (TOCTOU), 401, 451–453, 455
Time-of-audit-to-time-of-use (TOATTOU), 401
Time-of-check-to-time-of-use (TOCTTOU), 401
Time-of-replacement-to-time-of-use (TORTTOU), 401
TIS. See Tool Interface Standards committee (TIS)
tmpfile function, secure and insecure use of, 461t
tmpfile_s function, secure and insecure use of, 461t
tmpnam function, secure and insecure use of, 461t
tmpnam_s function, secure and insecure use of, 461t
TOATTOU. See Time-of-audit-to-time-of-use (TOATTOU)
TOCTOU. See Time of check, time of use (TOCTOU)
TOCTTOU. See Time-of-check-to-time-of-use (TOCTTOU)
TooFar, definition, 30
Tool Interface Standards committee (TIS), 127–128, 128n
TORTTOU. See Time-of-replacement-to-time-of-use (TORTTOU)
Training, in secure coding, 480–481
Truncation toward zero, 274
Trust boundaries, 498–501, 499f
Tsize, definition, 31
Type safety, 24
preservation and, 24
progress and, 24
typedefs, 241
U
Uadd() function, 298
UFS. See UNIX file system (UFS)
Unhandled exception filter, 206–207
Unicode, wide-character format string vulnerability, 332
Uniform resource locator. See URL
UNIX
file permissions, 413–415, 414f
process memory organization, 54, 55f
data declarations and, 123
UNIX file system (UFS), 404–405
unsigned char, 37–39, 232, 240–241
Unsigned integer(s), 227–229, 240–241
to two’s complement conversion, 251, 251f
URL, host and path name in, 435
Usability problems, 489, 492–493
US-CERT
Technical Cyber Security Alert
TA04-147A, 222
TA04-247A, 224
Vulnerability Note, VU#132110, 390
Use/misuse cases, 485, 485t, 486t
User ID (UID), 413
User name, 413
decoders, as security hole, 33
UTF-16, 40
V
Validation, 500. See also Input validation
Variable-length arrays (VLAs), 150–151
Variadic functions, 309–313, 344–346
vasprintf() function, 340
Vectored exception handling (VEH), 136–137
Vectorization, 358
VEH. See Vectored exception handling (VEH)
vfprintf() function, 314
Viega, John, 498
Virtual function table (VTBL), 132–133, 132f
Virtual pointer (VPTR), 132–133, 132f
Visibility, and thread safety, 370
Visual C++, 26
/GS and function protection, 108–109
security diagnostics, 507
stack canary implementation, 108
Visual C++ 2012
loop pragma, 358
/Qpar compiler switch, 358
C4244 warning, 305
compiler-generated runtime checks, 106, 300
/sdl switch, 505
stack buffer overrun detection, 108–109
Visual Studio 2010, formatted output vulnerability, 326n
VLAs. See Variable-length arrays (VLAs)
volatile type qualifier, 366–368
vprintf() function, 314
VPTR (virtual pointer), 132–133, 132f
vsnprintf() function, 314, 339–340
vsprintf() function, 314
VTBL (virtual function table), 132–133, 132f
Vulnerability(ies), 21
in ActiveX controls, 515
DoS attacks in multicore DRAM systems, 399
in system call wrappers, 400–401
time-of-audit-to-time-of-use (TOATTOU), 401
time-of-check-to-time-of-use (TOCTTOU), 401
time-of-replacement-to-time-of-use (TORTTOU), 401
definition, 15
disclosure of, by hackers, 8–9
double-free, 157, 158, 160, 177–178. See also CVS server double-free
dynamic memory management, 222–224
file I/O
privilege escalation, 418
time of check, time of use (TOCTOU), 451–453, 455
filtering out, in software development, 479–480
format string. See Format string vulnerability(ies)
formatted output
direct argument access, 335–337
Ettercap version NG-0.7.2, 349
internationalization, 331
output streams, 321
viewing memory content, 324–326, 325f
viewing stack content, 322–324, 323f
Washington University FTP daemon, 348
wide-character, 332
writing addresses in two words, 334–335
mitigation strategies, 212–222
integer, 283–288. See also Integer wraparound
conversion errors, 285
nonexceptional integer logic errors, 287–288
intentional, 16
in Microsoft Office versus OpenOffice, 474, 475f
in programs, versus in systems and networks, 16
security flaws and, 15
Vulnerability analyst, definition, 13
Vulnerability reports, sources of, 11
W
W xor X. See W^X policy
wall program, 422
Warren, Henry S., 299
Washington University FTP daemon, 348
Watson, Robert, 400
W32.Blaster.Worm, 1–5, 2f, 117
flawed logic exploited by, 5, 5f
wcslen() function, 41
-Wformat flag, 343
-Wformat-nonliteral flag, 343
-Wformat-security flag, 343
Wide-character input/output functions, 408, 412
Wide-character vulnerability, 332
Widening-multiplication instruction, 271
Win32
CRT memory functions, 197–198, 197f
local, global memory API, 197, 197f
memory management APIs, 196, 197f
memory-mapped file API, 197f, 198
virtual memory API, 196–197, 197f
Windows, 26
address space layout randomization, 112–113
process memory organization, 54, 55f
data declaration and, 123
Wing, Jeannette, 517
Worms, damage potential of, 4
Wrappers, secure, 496
Writing addresses in two words, 334–335
Writing to freed memory
WU-FTP, format string vulnerability, 319
wu-ftpd vunerability, 348
X
XD (eXecute Disable) bit, 114
Xfocus, 3
XN (eXecute Never) bit, 114
Y
Yu, Fang, et al., symbolic string verification technique, 306