# HG changeset patch # User Christian Urban # Date 1412942946 -3600 # Node ID 40efc28963af9403ec4595993b92fcd1dfe8b265 # Parent 75e32cd57ef0fed1fa1c61abd7927d9da61c3e0e updated diff -r 75e32cd57ef0 -r 40efc28963af handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r 75e32cd57ef0 -r 40efc28963af handouts/ho03.tex --- a/handouts/ho03.tex Fri Oct 10 12:44:36 2014 +0100 +++ b/handouts/ho03.tex Fri Oct 10 13:09:06 2014 +0100 @@ -505,9 +505,30 @@ While the program above contains clearly a programming mistake (forgotten format string), things are not as simple when the application reads data from the user and prompts -responses containing the user input. +responses containing the user input. Consider the slight +variant of the program above + +\lstinputlisting[language=C]{../progs/C5.c} -\subsubsection*{Caveats} +\noindent Here the programmer actually to take extra care to +not fall pray to a buffer overflow attack, but in the process +made the program susceptible to a format string attack. +Clearly the \pcode{printf} function in Line 7 contains now +an explicit format string, but because the commandline +input is copied using the function \pcode{snprintf} the +result will be the same---the string can be exploited +by embedding format strings into the user input. Here the +programmer really cannot be blamed (much) because by using +\pcode{snprintf} he or she tried to make sure only 10 +characters get copied into the local buffer---in this way +avoiding the obvious buffer overflow attack. + +\subsubsection*{Caveats and Defences} + +How can we defend against these attacks? Well, a reflex could +be to blame programmers. Precautions should be taken that +buffers cannot been overfilled and format strings should not +be forgotten. \bigskip\bigskip \subsubsection*{A Crash-Course for GDB} diff -r 75e32cd57ef0 -r 40efc28963af progs/C5.c --- a/progs/C5.c Fri Oct 10 12:44:36 2014 +0100 +++ b/progs/C5.c Fri Oct 10 13:09:06 2014 +0100 
@@ -2,7 +2,7 @@ #include int main(int argc, char **argv) -{ char buf [10]; - snprintf(buf, sizeof buf, argv [1]); +{ char buf[10]; + snprintf(buf, sizeof buf, argv[1]); printf ("Input: %s \n", buf); }
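Review bot: in the ho03.tex hunk, the sentence "Here the programmer actually to take extra care" is missing its verb (presumably "actually tried to take extra care"), "fall pray" should read "fall prey", "contains now an explicit format string" reads better as "now contains an explicit format string", and in the Caveats and Defences paragraph "buffers cannot been overfilled" should be "cannot be overfilled". On substance, "the result will be the same" would be clearer if the text said why: argv[1] is still passed as the format argument of snprintf, so the size limit bounds how many bytes are written into buf but does not stop the format directives in the input from being interpreted; the defence worth naming in this paragraph is a fixed format string, i.e. `snprintf(buf, sizeof buf, "%s", argv[1]);`. The reference to "Line 7" also hard-codes a line number of C5.c into the prose, which goes stale as soon as that file is edited.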
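Review bot: the progs/C5.c hunk changes only spacing (`char buf [10]` to `char buf[10]`, `argv [1]` to `argv[1]`) and keeps `snprintf(buf, sizeof buf, argv[1]);`, which is intended since the handout uses C5.c as its format-string example; a one-line comment marking that call as the deliberate bug would help readers who compile the file on its own and might otherwise copy the pattern. Separately, the `#include` line shows no header name here; if that is the file's actual content rather than an artefact of how the patch was rendered, the file will not compile, since printf and snprintf need stdio.h.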