Re: safe strcpy()?

From: Crispin Cowan (crispinat_private)
Date: Mon Jan 27 2003 - 23:57:37 PST


    Ed Carp wrote:
    
    >start looking for a way to figure out how to determine how 
    >much space was allocated to a string.  I was rather surprised to find that 
    >I couldn't find such an animal!  Am I missing something here?
    >
    >Consider the simple case of:
    >
    >char *my_strcpy (char *to, char *from)
    >{
    >    /* nothing here tells us how big 'to' is: copies until the NUL in 'from' */
    >    while(*from)
    >    {
    >        *to = *from;
    >        to++;
    >        from++;
    >    }
    >    *to = '\0';    /* terminate the copy */
    >    return (from);
    >}
    >
    >The problem arises if the memory allocation for from exceeds that for to. 
    >
    No, there is no way for the string copy function itself to determine the 
    size of the destination buffer. All such computation has to be done at 
    the call site, not in the copy function. This is an inherent safety 
    limitation of the C language.
    
    There are two compiler enhancements for GCC that provide full bounds 
    checking on arrays (Bounded Pointers 
    <http://gcc.gnu.org/projects/bp/main.html>, and the other nameless 
    project by Jones & Kelly 
    <http://www.doc.ic.ac.uk/%7Ephjk/BoundsChecking.html>, and ten Brugge 
    <http://web.inter.nl.net/hcc/Haj.Ten.Brugge/>). However, IIRC, both of 
    these enhancements just cause the program to die if the buffer 
    overflows. The other response would be to just ignore writes to arrays 
    beyond the bounds of the array, which is very likely to cause 
    "surprising" incorrect behavior.
    
    More generally, you can read my survey of buffer overflow attacks and 
    defenses here:
    
        "Buffer Overflows:  Attacks and Defenses for the Vulnerability of
        the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
        and Jonathan Walpole. DARPA Information Survivability Conference and
        Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head
        Island SC, January 2000. Also presented as an invited talk at SANS
        2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March
        2000.  PDF <http://wirex.com/%7Ecrispin/discex00.pdf>.
    
    It's now a little dated, in that PaX <http://pageexec.virtualave.net/>, 
    libsafe <http://www.research.avayalabs.com/project/libsafe/>, and 
    StackGhost <http://stackghost.cerias.purdue.edu/> came out since I wrote 
    that paper. A more recent and comprehensive survey of open source 
    security will appear shortly in the new IEEE Security & Privacy Magazine 
    <http://www.computer.org/security/>.
    
    Oh yeah, and there's StackGuard <http://immunix.org/stackguard.html> :-)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    			    Just say ".Nyet"
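An added illustration of the call-site rule in the reply (the copy routine cannot learn the destination size, so the caller must supply it), not code from this thread: a bounded copy in the strlcpy style where the caller passes sizeof the destination and checks the return value for truncation. The function names bounded_strcpy and copy_fits are my own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy: the caller supplies the destination size, because the
 * copy routine itself has no way to discover it. Always NUL-terminates
 * when dstsize > 0. Returns strlen(src), so the caller detects
 * truncation with: return value >= dstsize. This is the strlcpy()
 * contract, reimplemented here as an illustration. */
size_t bounded_strcpy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy into a fixed buffer and report whether the source fit.
 * Returns 1 on a complete copy, 0 if the source was truncated. */
int copy_fits(char *dst, size_t dstsize, const char *src)
{
    return bounded_strcpy(dst, dstsize, src) < dstsize;
}

int main(void)
{
    char small[8];   /* the size is known here, at the call site */
    const char *untrusted = "this string is longer than eight bytes";  /* constructed input */

    if (!copy_fits(small, sizeof small, untrusted))
        printf("truncated to \"%s\" (%zu bytes needed)\n",
               small, strlen(untrusted) + 1);
    if (copy_fits(small, sizeof small, "ok"))
        printf("copied \"%s\"\n", small);
    return 0;
}
```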
    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 00:07:45 PST