Secure coding

Buffer overflows, a common software security vulnerability, happen when a process tries to store data beyond a fixed-length buffer. For example, if there are 8 slots to store items in, there will be a problem if there is an attempt to store 9 items. In computer memory the overflowed data may overwrite data in the next location which can result in a security vulnerability (stack smashing) or program termination (segmentation fault).[1]

An example of a C program prone to a buffer overflow is

int vulnerable_function(char * large_user_input) {
	char dst[SMALL];
	strcpy(dst, large_user_input);
}

If the user input is larger than the destination buffer, a buffer overflow will occur. To fix this unsafe program, use strncpy to prevent a possible buffer overflow.

int secure_function(char * user_input) {
	char dst[BUF_SIZE];
    // copy a maximum of BUF_SIZE bytes
	strncpy(dst, user_input,BUF_SIZE);
}

Another secure alternative is to dynamically allocate memory on the heap using malloc.

char * secure_copy(char * src) {
	size_t len = strlen(src);
	char * dst = (char *) malloc(len + 1);
	if (dst != NULL) {
		strncpy(dst, src, len);
		// append null terminator 
	    dst[len] = '\0';
	}
	return dst;
}

In the above code snippet, the program attempts to copy the contents of src into dst, while also checking the return value of malloc to ensure that enough memory was able to be allocated for the destination buffer.

A Format String Attack is when a malicious user supplies specific inputs that will eventually be entered as an argument to a function that performs formatting, such as printf(). The attack involves the adversary reading from or writing to the stack.

The C printf function writes output to stdout. If the parameter of the printf function is not properly formatted, several security bugs can be introduced. Below is a program that is vulnerable to a format string attack.

int vulnerable_print(char * malicious_input) {
	printf(malicious_input);
}

A malicious argument passed to the program could be “%s%s%s%s%s%s%s”, which can crash the program from improper memory reads.

Integer overflow occurs when an arithmetic operation results in an integer too large to be represented within the available space. A program which does not properly check for integer overflow introduces potential software bugs and exploits.

Below is a function in C++ which attempts to confirm that the sum of x and y is less than or equal to a defined value MAX:

bool sumIsValid_flawed(unsigned int x, unsigned int y) {
	unsigned int sum = x + y;
	return sum <= MAX;
}

The problem with the code is it does not check for integer overflow on the addition operation. If the sum of x and y is greater than the maximum possible value of an unsigned int, the addition operation will overflow and perhaps result in a value less than or equal to MAX, even though the sum of x and y is greater than MAX.

Below is a function which checks for overflow by confirming the sum is greater than or equal to both x and y. If the sum did overflow, the sum would be less than x or less than y.

bool sumIsValid_secure(unsigned int x, unsigned int y) {
	unsigned int sum = x + y;
	return sum >= x && sum >= y && sum <= MAX;
}

• Defensive programming
• Security bug

• Taylor, Art; Brian Buege; Randy Layman (2006). Hacking Exposed J2EE & Java. McGraw-Hill Primis. p. 426. ISBN 0-390-59975-1.