Re: safe strcpy()?

From: Crispin Cowan (crispinat_private)
Date: Mon Jan 27 2003 - 23:57:37 PST

Next message: Jason Coombs: "RE: malicious code"

Previous message: listsat_private: "Re: malicious code"
In reply to: Ed Carp: "safe strcpy()?"
Next in thread: Michal Zalewski: "Re: safe strcpy()?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ed Carp wrote:

>start looking for a way to figure out how to determine how 
>much space was allocated to a string.  I was rather surprised to find that 
>I couldn't find such an animal!  Am I missing something here?
>
>Consider the simple case of:
>
>my_strcpy (char *to, char *from)
>{
>while(*from)
>{
>*to = *from;
>to++;
>from++;
>}
>return (from);
>}
>
>The problem arises if the memory allocation for from exceeds that for to. 
>
No, there is no way for the string copy function itself to determine the 
size of the destination buffer. All such computation has to be done at 
the call site, not in the copy function. This is an inherent safety 
limitation of the C language.

There are two compiler enhancements for GCC that provide full bounds 
checking on arrays (Bounded Pointers 
<http://gcc.gnu.org/projects/bp/main.html>, and the other nameless 
project by Jones&Kelly 
<http://www.doc.ic.ac.uk/%7Ephjk/BoundsChecking.html>, and ten Bruggee 
<http://web.inter.nl.net/hcc/Haj.Ten.Brugge/>). However, IIRC, both of 
these enhancements just cause the program to die if the buffer 
overflows. The other response would be to just ignore writes to arrays 
beyond the bounds of the array, which is very likely to cause 
"surprising" incorrect behavior.

More generally, you can read my survey of buffer overflow attacks and 
defenses here:

    "Buffer Overflows:  Attacks and Defenses for the Vulnerability of
    the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
    and Jonathan Walpole. DARPA Information Survivability Conference and
    Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head
    Island SC, January 2000. Also presented as an invited talk at SANS
    2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March
    2000.  PDF <http://wirex.com/%7Ecrispin/discex00.pdf>.

It's now a little dated, in that PAX <http://pageexec.virtualave.net/>, 
libsafe <http://www.research.avayalabs.com/project/libsafe/>, and 
StackGhost <http://stackghost.cerias.purdue.edu/> came out since I wrote 
that paper. A more recent and comprehensive survey of open source 
security will appear shortly in the new IEEE Security&Privacy Magazine 
<http://www.computer.org/security/>.

Oh yeah, and there's StackGuard <http://immunix.org/stackguard.html> :-)

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"

application/pgp-signature attachment: stored

Next message: Jason Coombs: "RE: malicious code"
Previous message: listsat_private: "Re: malicious code"
In reply to: Ed Carp: "safe strcpy()?"
Next in thread: Michal Zalewski: "Re: safe strcpy()?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 00:07:45 PST