Chapter 6 - C Language Issues
blog December 19th, 2006
Overview
This chapter (available for free here) was one of the most fun to write, and it was actually the first one we tackled, sometime back in 2004. We basically sat down with the C standards and tried to do two things: explain the type conversion rules of C and how they factor into the whole class of integral security issues, and look for corner cases and nuances that could lead to fun, subtle security exposures.
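As an added illustration of the point above (my own example, not code from the book or this blog), here are three of the implicit conversions the chapter is about, each beside a form that holds: a signed bound check feeding a `size_t` sink, a 16-bit sum that wraps before it is checked, and a plain `char` used as a table index. All names (`CAP`, `*_check`, `sink_len`, `*_table_index`) are hypothetical, and the third case depends on whether `char` is signed on the platform, which the C standard leaves implementation-defined.

```c
/* Added example, not from the book or the blog: three places where C's
 * implicit conversions silently defeat a length or index check, each beside
 * a form that holds. All names (CAP, *_check, sink_len, *_table_index) are
 * hypothetical. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

#define CAP 64U  /* capacity of the destination buffer, in bytes */

/* Case 1: the bound is checked as a signed int, then the same value is
 * handed to a size_t sink such as memcpy. -1 > 64 is false, so a negative
 * len passes the check. Returns 1 when the check accepts len, 0 otherwise. */
int naive_len_check(int len) {
    if (len > (int)CAP)          /* signed comparison */
        return 0;
    return 1;
}

/* What the sink receives: the implicit int -> size_t conversion that happens
 * at a call like memcpy(dst, src, len). A negative len becomes SIZE_MAX-ish. */
size_t sink_len(int len) {
    return (size_t)len;
}

/* Fix: reject negatives before any conversion, then compare as unsigned. */
int safe_len_check(int len) {
    if (len < 0 || (size_t)len > CAP)
        return 0;
    return 1;
}

/* Case 2: two 16-bit lengths summed into a 16-bit total before the check.
 * The operands promote to int, so 0xFF00 + 0x0140 = 0x10040, but storing the
 * sum back into a uint16_t keeps only 0x0040 (64), which passes the check
 * while the two fields still describe 65,856 bytes. */
int naive_sum_check(uint16_t a, uint16_t b) {
    uint16_t total = a + b;      /* truncated back to 16 bits */
    return total <= CAP;
}

/* Fix: accumulate in a type wide enough that these operands cannot wrap. */
int safe_sum_check(uint16_t a, uint16_t b) {
    uint32_t total = (uint32_t)a + (uint32_t)b;
    return total <= CAP;
}

/* Case 3: a plain char used as a table index. Where char is signed, a byte
 * >= 0x80 promotes to a negative int and would index before the table. */
int naive_table_index(char c) {
    return c;                    /* integer promotion preserves the sign */
}

/* Fix: go through unsigned char so the index is always 0..255. */
int safe_table_index(char c) {
    return (unsigned char)c;
}
```

Case 1 is the one the chapter's sign/unsigned conversion rules describe most directly: the comparison and the sink see the same bits under two different types. Case 3 is the same promotion rule applied to `char`, which is why the safe form casts through `unsigned char` rather than relying on the platform's default signedness.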
External Resources
The C99 standard.
The accompanying C99 Rationale document.
Peter Van der Linden’s Expert C Programming.
K&R’s The C Programming Language.
The ANSI web site.
External References
LeBlanc’s "Another Look at the SafeInt Class." (Page 235)
Example of vulnerable libc toupper() function from ancient BSD. (Page 255)
Sendmail Prescan Advisory. (Page 256)
Old-school NFS truncation vulnerability. (Page 260)
CORE-SDI’s SSH Insertion Attack Advisory. (Page 260)
Mirrored Software
OpenSSH 3.1 - Listing 6-3, page 216
OpenSSL-0.9.6l - Listing 6-6, page 222
Antisniff Research Version 1.0 - Listing 6-8, page 250
Antisniff Research Version 1.1 - Listing 6-9, page 251
Antisniff Research Version 1.1.1 - Listing 6-10, page 252
Antisniff Research Version 1.1.2 - Listing 6-11, page 253
Sendmail 8.12.3 - Listing 6-13, page 256
OpenSSH 2.2.0 - Listing 6-19, page 262
PHP Apache module 4.3.4 - Listing 6-23, page 269
Relevant Blog Posts
Zalewski-vision
By "synonymous," I meant "I’m an idiot"
Copy editors are scary
Spreekt u Nederlands?
Signed bit-fields
Further Reading and Discussion
Seacord’s Secure Coding in C and C++ has one of the best write-ups of integral and type-conversion issues we’ve seen out there. We would definitely have referenced his book, but we didn’t become aware of it until we were already in layout. He takes a slightly different perspective in his analysis, focusing on secure coding, but it’s super-technical and really well done. His chapter on integral issues is available for free here.
LeBlanc is also a master of integral magic, and the articles (here and here) accompanying his SafeInt class are great reads. IIRC, Neel’s write-up in Shellcoder’s Handbook and LeBlanc’s chapter in 19 Deadly Sins are informative as well, but I don’t have them handy to give you page numbers.
Michael Howard had a good blog post a while back about Safe Integer Arithmetic in C. It references Seacord’s sample chapter, LeBlanc’s articles, and Howard’s own article on Reviewing Code for Integer Manipulation Vulnerabilities.
Here’s a random article on 64-bit type systems.
Ilja’s Unusual Bugs presentation has some fun C vulnerabilities that should get you thinking.
Finally, the CERT C Programming Language Secure Coding Standard is really cool. We haven’t had the chance to fully absorb everything in here, but expect a larger blog post about it soon.
