Contents

Foreword

Preface

Acknowledgments

About the Author

Chapter 1 Running with Scissors

1.1 Gauging the Threat

What Is the Cost?

Who Is the Threat?

Software Security

1.2 Security Concepts

Security Policy

Security Flaws

Vulnerabilities

Exploits

Mitigations

1.3 C and C++

A Brief History

What Is the Problem with C?

Legacy Code

Other Languages

1.4 Development Platforms

Operating Systems

Compilers

1.5 Summary

1.6 Further Reading

Chapter 2 Strings

2.1 Character Strings

String Data Type

UTF-8

Wide Strings

String Literals

Strings in C++

Character Types

Sizing Strings

2.2 Common String Manipulation Errors

Improperly Bounded String Copies

Off-by-One Errors

Null-Termination Errors

String Truncation

String Errors without Functions

2.3 String Vulnerabilities and Exploits

Tainted Data

Security Flaw: IsPasswordOK

Buffer Overflows

Process Memory Organization

Stack Management

Stack Smashing

Code Injection

Arc Injection

Return-Oriented Programming

2.4 Mitigation Strategies for Strings

String Handling

C11 Annex K Bounds-Checking Interfaces

Dynamic Allocation Functions

C++ std::basic_string

Invalidating String Object References

Other Common Mistakes in basic_string Usage

2.5 String-Handling Functions

gets()

C99

C11 Annex K Bounds-Checking Interfaces: gets_s()

Dynamic Allocation Functions

strcpy() and strcat()

C99

strncpy() and strncat()

memcpy() and memmove()

strlen()

2.6 Runtime Protection Strategies

Detection and Recovery

Input Validation

Object Size Checking

Visual Studio Compiler-Generated Runtime Checks

Stack Canaries

Stack-Smashing Protector (ProPolice)

Operating System Strategies

Detection and Recovery

Nonexecutable Stacks

W^X

PaX

Future Directions

2.7 Notable Vulnerabilities

Remote Login

Kerberos

2.8 Summary

2.9 Further Reading

Chapter 3 Pointer Subterfuge

3.1 Data Locations

3.2 Function Pointers

3.3 Object Pointers

3.4 Modifying the Instruction Pointer

3.5 Global Offset Table

3.6 The .dtors Section

3.7 Virtual Pointers

3.8 The atexit() and on_exit() Functions

3.9 The longjmp() Function

3.10 Exception Handling

Structured Exception Handling

System Default Exception Handling

3.11 Mitigation Strategies

Stack Canaries

W^X

Encoding and Decoding Function Pointers

3.12 Summary

3.13 Further Reading

Chapter 4 Dynamic Memory Management

4.1 C Memory Management

C Standard Memory Management Functions

Alignment

alloca() and Variable-Length Arrays

4.2 Common C Memory Management Errors

Initialization Errors

Failing to Check Return Values

Dereferencing Null or Invalid Pointers

Referencing Freed Memory

Freeing Memory Multiple Times

Memory Leaks

Zero-Length Allocations

DR #400

4.3 C++ Dynamic Memory Management

Allocation Functions

Deallocation Functions

Garbage Collection

4.4 Common C++ Memory Management Errors

Failing to Correctly Check for Allocation Failure

Improperly Paired Memory Management Functions

Freeing Memory Multiple Times

Deallocation Function Throws an Exception

4.5 Memory Managers

4.6 Doug Lea’s Memory Allocator

Buffer Overflows on the Heap

4.7 Double-Free Vulnerabilities

Writing to Freed Memory

RtlHeap

Buffer Overflows (Redux)

4.8 Mitigation Strategies

Null Pointers

Consistent Memory Management Conventions

phkmalloc

Randomization

OpenBSD

The jemalloc Memory Manager

Static Analysis

Runtime Analysis Tools

4.9 Notable Vulnerabilities

CVS Buffer Overflow Vulnerability

Microsoft Data Access Components (MDAC)

CVS Server Double-Free

Vulnerabilities in MIT Kerberos 5

4.10 Summary

Chapter 5 Integer Security

5.1 Introduction to Integer Security

5.2 Integer Data Types

Unsigned Integer Types

Wraparound

Signed Integer Types

Signed Integer Ranges

Integer Overflow

Character Types

Data Models

Other Integer Types

5.3 Integer Conversions

Converting Integers

Integer Conversion Rank

Integer Promotions

Usual Arithmetic Conversions

Conversions from Unsigned Integer Types

Conversions from Signed Integer Types

Conversion Implications

5.4 Integer Operations

Assignment

Addition

Subtraction

Multiplication

Division and Remainder

Shifts

5.5 Integer Vulnerabilities

Vulnerabilities

Wraparound

Conversion and Truncation Errors

Nonexceptional Integer Logic Errors

5.6 Mitigation Strategies

Integer Type Selection

Abstract Data Types

Arbitrary-Precision Arithmetic

Range Checking

Precondition and Postcondition Testing

Secure Integer Libraries

Overflow Detection

Compiler-Generated Runtime Checks

Verifiably In-Range Operations

As-If Infinitely Ranged Integer Model

Testing and Analysis

5.7 Summary

Chapter 6 Formatted Output

6.1 Variadic Functions

6.2 Formatted Output Functions

Format Strings

GCC

Visual C++

6.3 Exploiting Formatted Output Functions

Buffer Overflow

Output Streams

Crashing a Program

Viewing Stack Content

Viewing Memory Content

Overwriting Memory

Internationalization

Wide-Character Format String Vulnerabilities

6.4 Stack Randomization

Defeating Stack Randomization

Writing Addresses in Two Words

Direct Argument Access

6.5 Mitigation Strategies

Exclude User Input from Format Strings

Dynamic Use of Static Content

Restricting Bytes Written

C11 Annex K Bounds-Checking Interfaces

iostream versus stdio

Testing

Compiler Checks

Static Taint Analysis

Modifying the Variadic Function Implementation

Exec Shield

FormatGuard

Static Binary Analysis

6.6 Notable Vulnerabilities

Washington University FTP Daemon

CDE ToolTalk

Ettercap Version NG-0.7.2

6.7 Summary

6.8 Further Reading

Chapter 7 Concurrency

7.1 Multithreading

7.2 Parallelism

Data Parallelism

Task Parallelism

7.3 Performance Goals

Amdahl’s Law

7.4 Common Errors

Race Conditions

Corrupted Values

Volatile Objects

7.5 Mitigation Strategies

Memory Model

Synchronization Primitives

Thread Role Analysis (Research)

Immutable Data Structures

Concurrent Code Properties

7.6 Mitigation Pitfalls

Deadlock

Prematurely Releasing a Lock

Contention

The ABA Problem

7.7 Notable Vulnerabilities

DoS Attacks in Multicore Dynamic Random-Access Memory (DRAM) Systems

Concurrency Vulnerabilities in System Call Wrappers

7.8 Summary

Chapter 8 File I/O

8.1 File I/O Basics

File Systems

Special Files

8.2 File I/O Interfaces

Data Streams

Opening and Closing Files

POSIX

File I/O in C++

8.3 Access Control

UNIX File Permissions

Process Privileges

Changing Privileges

Managing Privileges

Managing Permissions

8.4 File Identification

Directory Traversal

Equivalence Errors

Symbolic Links

Canonicalization

Hard Links

Device Files

File Attributes

8.5 Race Conditions

Time of Check, Time of Use (TOCTOU)

Create without Replace

Exclusive Access

Shared Directories

8.6 Mitigation Strategies

Closing the Race Window

Eliminating the Race Object

Controlling Access to the Race Object

Race Detection Tools

8.7 Summary

Chapter 9 Recommended Practices

9.1 The Security Development Lifecycle

TSP-Secure

Planning and Tracking

Quality Management

9.2 Security Training

9.3 Requirements

Secure Coding Standards

Security Quality Requirements Engineering

Use/Misuse Cases

9.4 Design

Secure Software Development Principles

Threat Modeling

Analyze Attack Surface

Vulnerabilities in Existing Code

Secure Wrappers

Input Validation

Trust Boundaries

Blacklisting

Whitelisting

Testing

9.5 Implementation

Compiler Security Features

As-If Infinitely Ranged (AIR) Integer Model

Safe-Secure C/C++

Static Analysis

Source Code Analysis Laboratory (SCALe)

Defense in Depth

9.6 Verification

Static Analysis

Penetration Testing

Fuzz Testing

Code Audits

Developer Guidelines and Checklists

Independent Security Review

Attack Surface Review

9.7 Summary

9.8 Further Reading

References

Acronyms

Index
