updated
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Fri, 10 Oct 2014 13:09:06 +0100
changeset 236 40efc28963af
parent 235 75e32cd57ef0
child 237 b784175a69dc
handouts/ho03.pdf
handouts/ho03.tex
progs/C5.c
Binary file handouts/ho03.pdf has changed
--- a/handouts/ho03.tex	Fri Oct 10 12:44:36 2014 +0100
+++ b/handouts/ho03.tex	Fri Oct 10 13:09:06 2014 +0100
@@ -505,9 +505,30 @@
 While the program above contains clearly a programming 
 mistake (forgotten format string), things are not as simple
 when the application reads data from the user and prompts
-responses containing the user input. 
+responses containing the user input. Consider the slight
+variant of the program above
+
+\lstinputlisting[language=C]{../progs/C5.c}
 
-\subsubsection*{Caveats}
+\noindent Here the programmer actually to take extra care to
+not fall pray to a buffer overflow attack, but in the process
+made the program susceptible to a format string attack.
+Clearly the \pcode{printf} function in Line 7 contains now
+an explicit format string, but because the commandline
+input is copied using the function \pcode{snprintf} the
+result will be the same---the string can be exploited 
+by embedding format strings into the user input. Here the
+programmer really cannot be blamed (much) because by using
+\pcode{snprintf} he or she tried to make sure only 10
+characters get copied into the local buffer---in this way
+avoiding the obvious buffer overflow attack.
+
+\subsubsection*{Caveats and Defences}
+
+How can we defend against these attacks? Well, a reflex could 
+be to blame programmers. Precautions should be taken that 
+buffers cannot been overfilled and format strings should not
+be forgotten. 
 
 \bigskip\bigskip
 \subsubsection*{A Crash-Course for GDB}
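Review bot: the new paragraph after the \lstinputlisting line carries several typos that will reach the handout as written: "the programmer actually to take extra care" is missing its verb (read "actually tried to take extra care"), "fall pray" should be "fall prey", "contains now an explicit format string" reads better as "now contains an explicit format string", "commandline" should be "command-line", and in the Caveats and Defences paragraph "cannot been overfilled" should be "cannot be overfilled". The explanation of why \pcode{snprintf} does not help would also benefit from one more sentence: the user input is passed as the format argument of \pcode{snprintf} rather than as data, so the length limit does not stop format directives in the input from being interpreted; the defence the Caveats paragraph hints at is a fixed format with the input as an argument, i.e. \pcode{snprintf(buf, sizeof buf, "%s", argv[1])}. Finally, with \pcode{sizeof buf} equal to 10, \pcode{snprintf} copies at most 9 characters plus the terminating NUL, not "only 10 characters".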
--- a/progs/C5.c	Fri Oct 10 12:44:36 2014 +0100
+++ b/progs/C5.c	Fri Oct 10 13:09:06 2014 +0100
@@ -2,7 +2,7 @@
 #include<string.h>
 
 int main(int argc, char **argv)
-{  char buf [10];
-   snprintf(buf, sizeof buf, argv [1]);
+{  char buf[10];
+   snprintf(buf, sizeof buf, argv[1]);
    printf ("Input: %s \n", buf);
 }
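Review bot: this hunk only removes the spaces before the brackets, so the listing's behaviour is unchanged; passing argv[1] as the format argument of snprintf is the point of the handout and should stay, but the program has no check that an argument was supplied, so running it without one dereferences a NULL argv[1] and crashes before reaching the snprintf the handout wants to discuss. Add a guard such as "if (argc < 2) return 1;" before the snprintf, and consider an explicit "return 0;" at the end of main so the listing compiles cleanly outside C99 mode. The stray space before the newline in "Input: %s \n" also looks unintended.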