When good code goes bad
Download as PPT, PDF0 likes546 views
The document discusses common programming vulnerabilities, focusing on stack overflow, format string bugs, and dangerous integers, illustrating their real-world implications. It highlights that these issues persist even in modern coding, despite advances in static code analysis and managed code. The talk emphasizes that no vendor is immune to defects, stressing the need for robust security practices in software development.
![Super Simple Explanation.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }](https://image.slidesharecdn.com/2006-issa06-sensepost-111207010019-phpapp02/85/When-good-code-goes-bad-5-320.jpg)
![Typical Attack.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }](https://image.slidesharecdn.com/2006-issa06-sensepost-111207010019-phpapp02/85/When-good-code-goes-bad-6-320.jpg)
![Questions ? [email_address] [email_address]](https://image.slidesharecdn.com/2006-issa06-sensepost-111207010019-phpapp02/85/When-good-code-goes-bad-18-320.jpg)
When good code goes bad
- 1. WHEN GOOD CODE GOES BAD! A SHOWCASE OF MODERN PROGRAMMING MISHAPS (SensePost 2006)
- 2. Introduction Who we are.. (SensePost) Who we are.. (charl && haroon) What this talk is about.. Answer some of those questions you never ask.. Some real world examples (of shocking code) Some real world repercussions Mind the Gap Constraints…
- 3. Agenda What is this stack overflow stuff? Then what’s a format string vulnerability? Hmmm.. What’s all this about dangerous Integers? What happens if we fix all the code? Questions..
- 4. What’s this Stack Overflow stuff? This is really old news.. (Morris Worm 1988) Is it even still a problem? Super simple explanation: The Stack.. Dangerous functions
- 5. Super Simple Explanation.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }
- 6. Typical Attack.. void foo(int a, int b) { char buf1[8]; char buf2[8]; gets(buf2); } int main(void) { foo(1,2); printf(“All done!”) }
- 7. What’s this Stack Overflow stuff? This is really old news.. (Morris Worm 1988) Is it even still a problem? Super simple explanation: The Stack.. Dangerous functions Who would make such a silly mistake? Everyone… How easy is this to take advantage of? Today? Point & Click ownage!
- 8. Then what’s a format string bug? Spot the bug ? “Safe Version” See it yet? void syslog(char *buff) { printf(buff) } void syslog(char *buff) { printf(“%s”, buff) }
- 9. Then what’s a format string bug? printf(“%s”, buff); printf(buff);
- 10. Then what’s a format string bug? printf(“%s”, buff); buff = “%s”; printf(buff); C:\> issa_format.exe
- 11. What’s a dangerous Integer?
- 12. What’s a dangerous Integer? Same size as a pointer Fixed size (32 bits for our purposes) MAXINT + 1 == ? ISO C99 “Causes Undefined Behavior” 0xffffffff + 0x1 == 0 {Integer Wrap Around} Why is this dangerous ?
- 13. Ugly Pseudo-Code 1.) get data from user (buffer) 2.) add trailing \0 character 3.) add 1 to length of buffer (for our \0) 4.) If(length > 80) 5.) { 6.) printf(“Sorry your buffer is too long!”; 7.) exit -1 8.) } 9.) else 0.) { copy(other_buffer, buffer); }
- 14. What happens if we fix all the code? The proliferation of “Managed Code” Better and better static code analysis.. Is the end in sight for bug hunters? RealVNC Authentication Bypass ActiveX Control
- 15. RealVNC Authentication Bypass Discovered by Steve Wiseman of intelliadmin.com (by mistake)
- 16. RealVNC Authentication Bypass “ show us”
- 17. What does this mean? Vendors: There are lots of defects that tools can not easily detect.. (There are lots of defects they can!) No vendor is safe just because they have deeper pockets (or “more eyeballs”) ISO’s: Defense in Depth.. End-point-security.. Patch Management ? If it can happen to Microsoft …
- 18. Questions ? [email_address] [email_address]