Christoph Brauer
December 6, 2012
Table of Contents
1 Preface
4 Security concerns
5 Literature
6 Discussion
Preface
Introduction to C buffers and storage variants
Introduction to C buffers and storage variants: Definition
What is a C buffer?
A C buffer is ...
  a continuous area of general computer memory ...
  that is assigned data of the same type
  and allocated using the C programming language
Introduction to C buffers and storage variants: One simple buffer
Program output
Greetings, Professor Falken.
Introduction to C buffers and storage variants: One simple verbose buffer
Program output
Address of myBufferPtr : 0x00007fffffffe228
Content of myBufferPtr : 0x0000000000400690
Size of myBufferPtr : 8
Size of buffer : 30
Content of buffer : Greetings, Professor Falken.
Introduction to C buffers and storage variants: One simple verbose buffer illustrated
The pointer is a variable that contains the address of the lowest byte occupied by the buffer
The buffer forms a compound area in memory
Buffers and pointers are two very different things, though it's fairly easy to mix them up
Introduction to C buffers and storage variants: Various buffers
Some buffers are located at the bottom of the memory and just several bytes away from each other ...
... some others are at the top of the memory and distanced several terabytes
Could it probably be that ...
  buffers with similar characteristics are allocated in the very same memory area?
  or even the other way round: the memory areas, in which buffers are allocated, determine their characteristics?
Introduction to C buffers and storage variants: Excursion - Linux Virtual Memory
How can we find out which sections our program uses and where those are located in virtual memory?
There is a pmap command to display the current memory map of a running process (Linux, Net/Open/FreeBSD, SunOS ...)
Introduction to C buffers and storage variants: Buffer to section mapping
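The mapping between buffers and memory areas can be reproduced with the program below, an added example that is not code from the original slides. It looks each buffer address up in /proc/self/maps (the data pmap displays on Linux); the struct and function names are hypothetical, and SAMPLE_MAPS is a constructed sample whose ranges cover the two addresses from the program output shown earlier.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mapping {
    uint64_t start, end;
    char perms[5];   /* e.g. "rw-p" */
    char name[128];  /* "[heap]", "[stack]", a file path, or "" if anonymous */
};

/* Constructed sample in /proc/<pid>/maps format; path and ranges are made up. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 131 /tmp/buffers.elf\n"
    "00600000-00601000 rw-p 00000000 08:01 131 /tmp/buffers.elf\n"
    "00601000-00622000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

/* Find the mapping containing addr in maps-formatted text; returns 1 if found. */
int find_mapping(const char *maps, uintptr_t addr, struct mapping *out)
{
    while (*maps) {
        char line[256];
        size_t len = strcspn(maps, "\n");
        size_t n = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, maps, n);
        line[n] = '\0';                      /* parse one line at a time */
        maps += len + (maps[len] == '\n');

        struct mapping m = {0};
        if (sscanf(line, "%" SCNx64 "-%" SCNx64 " %4s %*s %*s %*s %127[^\n]",
                   &m.start, &m.end, m.perms, m.name) >= 3 &&
            addr >= m.start && addr < m.end) {
            *out = m;
            return 1;
        }
    }
    return 0;
}

/* Read /proc/self/maps into buf (NUL-terminated); returns 0 on success. */
int read_self_maps(char *buf, size_t size)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t len = fread(buf, 1, size - 1, f);
    buf[len] = '\0';
    fclose(f);
    return 0;
}

static char dataBuf[32] = "initialized";     /* initialized static data */
static char bssBuf[32];                      /* zero-initialized static data */

static void report(const char *maps, const char *label, const void *p)
{
    struct mapping m;
    if (find_mapping(maps, (uintptr_t)p, &m))
        printf("%-16s %p  %s  %s\n", label, (void *)p, m.perms,
               m.name[0] ? m.name : "(anonymous)");
    else
        printf("%-16s %p  not found\n", label, (void *)p);
}

int main(void)
{
    static char maps[1 << 16];               /* enough for a small process */
    char stackBuf[32] = "stack";
    char *heapBuf = malloc(32);
    const char *literal = "Greetings, Professor Falken.\n";
    if (!heapBuf || read_self_maps(maps, sizeof maps) != 0)
        return 1;
    report(maps, "string literal", literal);
    report(maps, "static (data)", dataBuf);
    report(maps, "static (bss)", bssBuf);
    report(maps, "heap (malloc)", heapBuf);
    report(maps, "stack (local)", stackBuf);
    free(heapBuf);
    return 0;
}
```

The permissions column is the part to read with the later countermeasures in mind: the heap and stack rows should show rw-p, writable but not executable.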
Introduction to C buffers and storage variants: Section properties
Address space
Runtime allocation efficiency: Efficiency scope
Runtime allocation efficiency: The Stack
Runtime allocation efficiency: The Heap
Heap (malloc)
char *firstPtr = malloc ( 2048 ) ;
free ( firstPtr ) ;
If you want to see malloc in action requesting OS memory, try the strace program and watch for execution of brk / mmap functions
Allocated data has no lifetime restrictions
Allocation process suffers efficiency issues in terms of
  speed for maintaining a doubly linked list
  size due to fragmentation and extra management chunks added to the heap
Runtime allocation efficiency: Assumptions
Now that we have an idea about how several allocation mechanisms might perform, let's see if reality proves it right
Runtime allocation efficiency: Static vs. Stack
gprof results
  %   cumulative   self                self     total
 time   seconds   seconds      calls  ns/call  ns/call  name
76.11     29.42     29.42 2000000000    14.71    14.71  fillBufferFromStack
11.05     33.69      4.27 2000000000     2.14     2.14  fillBufferFromStatic
Runtime allocation efficiency: Stack vs. Heap
gprof results
  %   cumulative   self                self     total
 time   seconds   seconds      calls  ns/call  ns/call  name
28.04      8.10      3.17 1000000000     3.17     3.17  allocateHeap
19.69     10.33      2.23 1000000000     2.23     2.23  allocateStack
Runtime allocation efficiency: Malloc space consumption
Runtime allocation efficiency: Slice allocator
Slice illustration
Runtime allocation efficiency: Glib slice allocator vs. malloc
So far we've seen that g_slice_alloc can very well outperform malloc in terms of space overhead
What about the time?
Code for the upcoming stats is not quoted here, though it's available for download (heapsizeloop.c / slicesizeloop.c)
Allocating 1024*128 single buffers with a size of 32 bytes done 1024*16 times takes
  malloc 3 minutes, 24 seconds
  g_slice_alloc 1 minute, 52 seconds
Runtime allocation efficiency: Conclusion and outlook
Tradeoff
Security concerns
Security concerns: Know your enemy
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles.
Security concerns: Overflow caused program crash
Program execution
$ echo "Joshua" | ./basicoverflow.elf
Program output
Please enter your name : Hello Joshua
Program execution
$ echo "Lord Vader" | ./basicoverflow.elf
Program output
Please enter your name : Hello Lord Vader
Program execution
$ python -c "print \"x\"*23" | ./basicoverflow.elf
Program output
Please enter your name : Hello xxxxxxxxxxxxxxxxxxxxxxx
Program execution
$ python -c "print \"x\"*24" | ./basicoverflow.elf
Security concerns: Overflow based program flow alteration
Program execution
$ python -c "print 'x'*24+'\xfc\x05\x40'" | ./knownpointeroverflow.elf
Program output
Please enter your name : Hello xxxxxxxxxxxxxxxxxxxxxxxx..
Hello admin!
Bus error
Security concerns: Overflow code injection
Nice one, but how can I execute my own precious code instead of what's already there?
Just the way we wrote 'x' and new pointers on the stack we can write machine opcodes there and return to them the way we did before
To get these machine opcodes, write them yourself using assembler and compile it, or disassemble some C code and use the portions you need
Let's do a kernel function call using C ...
Program output
$ ./asmwrite.elf
Joshua
Segmentation fault
Though this code works as expected when executed in a shell, we can't use this directly to fill our stack buffer
Why?
Most string input routines stop reading any further upon the occurrence of a 0x00 or 0x0a character, so we must rewrite our code accordingly
This victim is so kind to tell us that the address of the buffer we're seeking to overflow is 0x007fffffffe1e0 so we don't have to use our debugger.
Security concerns: Countermeasures
OS / Linux
  Address Space Layout Randomization (ASLR) changes section locations randomly each program run
    Most often enabled by default
    Check /proc/sys/kernel/randomize_va_space
  NX Bit prevents execution of writeable sections
    Available on AMD64, check BIOS settings
Compiler / gcc
  gcc's stack protector (-fstack-protector) inserts randomly chosen magic values (so-called canaries) into function stack frames
    Enabled by default
  gcc marks stack sections as not-executable by default, OS support required
    Enabled by default, check using execstack
Your code
  Avoid functions missing boundary checks such as
    strcpy
    strcat
    sprintf
    vsprintf
    gets ...
  Instead use less insecure variants
    strncpy
    strncat
    snprintf
    fgets ...
  There is no such thing as unbreakable security
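A bounded version of the name prompt from the overflow demo, built from the replacements listed above (fgets, snprintf, and a terminating alternative to strncpy). This is an added example, not code from the original slides; the 16-byte name buffer and all function names are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum read_status { READ_EOF = -1, READ_OK = 0, READ_TRUNCATED = 1 };

/* fgets-based replacement for gets(): stores at most dstsize-1 bytes, strips
   the newline, always terminates, and discards the tail of an over-long line
   so it cannot spill into the next read. */
enum read_status read_line(FILE *in, char *dst, size_t dstsize)
{
    if (dstsize == 0)
        return READ_EOF;
    int cap = dstsize > INT_MAX ? INT_MAX : (int)dstsize;
    if (fgets(dst, cap, in) == NULL) {
        dst[0] = '\0';
        return READ_EOF;
    }
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';
        return READ_OK;
    }
    int c, dropped = 0;               /* no newline stored: drain the line */
    while ((c = fgetc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? READ_TRUNCATED : READ_OK;
}

/* Why strncpy is only "less insecure": it writes no terminator when src has
   n or more bytes. Returns 1 if the first n bytes of dst contain a NUL. */
int strncpy_terminates(const char *src, size_t n)
{
    char dst[64];
    if (n == 0 || n > sizeof dst)
        return 0;
    memset(dst, 'A', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Copy that always terminates; returns 1 if src had to be cut, else 0. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 1;
    size_t srclen = strlen(src);
    size_t n = srclen < dstsize ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen >= dstsize;
}

/* snprintf instead of sprintf; returns 0 if "Hello <name>" fit, 1 if not. */
int format_greeting(char *out, size_t outsize, const char *name)
{
    int n = snprintf(out, outsize, "Hello %s", name);
    return n < 0 || (size_t)n >= outsize;
}

int main(void)
{
    char name[16];                    /* assumed size, not taken from the slides */
    char greeting[32];
    fputs("Please enter your name : ", stdout);
    if (read_line(stdin, name, sizeof name) != READ_OK) {
        fputs("\nname missing or too long, rejected\n", stderr);
        return 1;
    }
    if (format_greeting(greeting, sizeof greeting, name) != 0)
        return 1;
    puts(greeting);
    return 0;
}
```

Fed the 24-character input from the crash demo, this version reports truncation and exits instead of writing past the buffer.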
Literature
Any questions?