Internet.

While the program above clearly contains a programming
mistake (forgotten format string), things are not as simple
when the application reads data from the user and prints
responses containing the user input. Consider the slight
variant of the program above

\lstinputlisting[language=C]{../progs/C5.c}

\noindent Here the programmer actually tried to take extra care to
not fall prey to a buffer overflow attack, but in the process
made the program susceptible to a format string attack.
Clearly the \pcode{printf} function in Line 7 now contains
an explicit format string, but because the command-line
input is copied using the function \pcode{snprintf} the
result will be the same---the string can be exploited
by embedding format strings into the user input. Here the
programmer really cannot be blamed (much) because by using
\pcode{snprintf} he or she tried to make sure only 10
characters get copied into the local buffer---in this way
avoiding the obvious buffer overflow attack.
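The following is an added example, not the lecture's \pcode{C5.c}: it shows the copy step the text describes in its unsafe shape (user input passed to \pcode{snprintf} as the format argument; the exact code of \pcode{C5.c} is not shown here, so this shape is an assumption) next to the safe shape with a constant format string, and a check that the safe copy stores \pcode{\%} characters as plain text while still reporting truncation to the 10-byte buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the lecture's C5.c). Buffer size 10 follows the text:
 * snprintf bounds the copy, so there is no overflow either way. */
#define BUF_LEN 10

/* Unsafe shape (assumed to match C5.c): the input itself is the FORMAT
 * argument, so every '%' conversion in it is interpreted by snprintf.
 * gcc -Wformat-security reports this call; it is never invoked below. */
int copy_unsafe(char *buf, const char *input)
{
    return snprintf(buf, BUF_LEN, input);
}

/* Safe shape: constant format, input passed as data, so '%' characters
 * are copied literally. Returns 1 when the input did not fit, using
 * snprintf's return value (the length the full output would have needed). */
int copy_safe(char *buf, const char *input)
{
    int needed = snprintf(buf, BUF_LEN, "%s", input);
    return needed >= BUF_LEN;
}

/* Check: after copy_safe, buf holds the input (or its first BUF_LEN-1 bytes)
 * byte for byte, so e.g. "%x%x" is stored as text. Returns 0 if the copy
 * differs, 1 if it matched and fit, 2 if it matched but was truncated. */
int copied_literally(const char *input)
{
    char buf[BUF_LEN];
    int cut = copy_safe(buf, input);
    size_t keep = strlen(input);
    if (keep > BUF_LEN - 1)
        keep = BUF_LEN - 1;
    if (strncmp(buf, input, keep) != 0 || buf[keep] != '\0')
        return 0;
    return cut ? 2 : 1;
}

int main(int argc, char *argv[])
{
    char buf[BUF_LEN];
    const char *input = argc > 1 ? argv[1] : "%x %x";  /* constructed default */
    int truncated = copy_safe(buf, input);
    /* Echo with a constant format string; buf is never used as the format. */
    printf("%s%s\n", buf, truncated ? " [truncated]" : "");
    return 0;
}
```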
|
525 |
|
526 \subsubsection*{Caveats and Defences} |
|
527 |
|
528 How can we defend against these attacks? Well, a reflex could |
|
529 be to blame programmers. Precautions should be taken that |
|
530 buffers cannot been overfilled and format strings should not |
|
531 be forgotten. |
511 |
532 |
512 \bigskip\bigskip |
533 \bigskip\bigskip |
513 \subsubsection*{A Crash-Course for GDB} |
534 \subsubsection*{A Crash-Course for GDB} |
514 |
535 |
515 \begin{itemize} |
536 \begin{itemize} |