Mykhailo Zarai, "Be careful when dealing with C++" at Rivne IT Talks
TRANSCRIPT
Be careful when dealing with C/C++
Think Twice, Code Once
Mykhailo Zarai (April 2017)
Why do we care?
Almost every day we hear about:
• vulnerabilities
• data breaches
Vulnerabilities examples
• Windows Remote Code Execution (MS15-115)
• NDIS Elevation of Privilege (MS15-17)
• Kernel-Mode Drivers Privilege (MS15-135)
Data breach 2016
• Apple Health Medicaid
• Central Coast Credit Union
• Commission on Elections
• Department of Homeland Security
What are we going to do?
• Talk about secure programming
• Programming toolbox
• Some references and recommendations
Common Vulnerabilities
• Buffer overflow
• Integers
• Null pointer dereferencing
Homework:
• Strings
• Arrays
• Exceptions
Look inside buffer overflow problem
[Slide diagram: stack frame with labels Return Address, EBP - Extended Base Pointer (base), Parent Routine Stack, ESP - Extended Stack Pointer (top), char *bar, char c[12]; arrows mark the direction of stack growth and of increasing memory addresses]
The data is put in reverse order onto the buffer
[Slide diagram: the same frame, with char c[12] filled by repeated "HELLO" until the copy runs past the end of the 12-byte buffer]
BOOM! Buffer Overflow!
[Slide diagram: the same frame with a Canary Word added, so that an overflow of c[12] is detected before the corrupted return address is used]
Integers – Unsigned integer Wrap
Must not be allowed to wrap:
• Integer operands of any pointer arithmetic and array indexing
• The assignment expression for declaration of a variable length array
• The postfix expression preceding square brackets []
• Function arguments of type size_t or rsize_t
• In security-critical code
Integers – Unsigned integer Wrap
Operator  Wrap | Operator  Wrap | Operator  Wrap | Operator  Wrap
+         Yes  | -=        Yes  | <<        Yes  | <         No
-         Yes  | *=        Yes  | >>        No   | >         No
*         Yes  | /=        No   | &         No   | >=        No
/         No   | %=        No   | |         No   | <=        No
%         No   | <<=       Yes  | ^         No   | ==        No
++        Yes  | >>=       No   | ~         No   | !=        No
--        Yes  | &=        No   | !         No   | &&        No
=         No   | |=        No   | unary +   No   | ||        No
+=        Yes  | ^=        No   | unary -   Yes  | ?:        No
Unsigned integer operations shouldn't wrap
Heap Buffer overflow in Mozilla SVG
Multiplication of the signed int pen->num_vertices and the size_t value:
Compliant solution:
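The Mozilla code itself is not reproduced in the transcript; the following is an added C example (not the slide's or Mozilla's code) showing the pattern the slide describes: a signed vertex count multiplied by a size_t element size can wrap, and a checked version refuses negative or oversized counts before the multiplication. The struct and function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed vertex record standing in for the SVG vertex type. */
struct vertex { double x, y; };

/* Non-compliant pattern: the signed count is converted to size_t and
 * multiplied without a check. A negative count becomes a huge size_t
 * and the product wraps, so malloc() gets a size unrelated to the
 * number of elements the code later writes. */
size_t unchecked_size(int num_vertices)
{
    return (size_t)num_vertices * sizeof(struct vertex);
}

/* Compliant pattern: reject negative counts, then test the multiplication
 * against SIZE_MAX before performing it so the result can never wrap. */
bool checked_size(int num_vertices, size_t *out)
{
    if (num_vertices < 0)
        return false;
    size_t n = (size_t)num_vertices;
    if (n > SIZE_MAX / sizeof(struct vertex))
        return false;
    *out = n * sizeof(struct vertex);
    return true;
}

/* Allocate only when the byte count is provably wrap-free. */
struct vertex *alloc_vertices(int num_vertices)
{
    size_t bytes;
    if (!checked_size(num_vertices, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    printf("unchecked size for -1 vertices: %zu bytes\n", unchecked_size(-1));
    struct vertex *v = alloc_vertices(-1);
    printf("checked allocation for -1 vertices: %s\n", v ? "allocated" : "rejected");
    free(v);
    v = alloc_vertices(4);
    printf("checked allocation for 4 vertices: %s\n", v ? "allocated" : "rejected");
    free(v);
    return 0;
}
```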
Converting a pointer to integer or integer to pointer
Do not convert a pointer type to an integer type if the result cannot be represented in the integer type (undefined behavior).
Compliant solution: any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value.
Null pointer dereferencing (CWE-476)
std::string::c_str() is being called on a temporary std::string object. The resulting pointer points to released memory once the assignment expression ends, so accessing elements through that pointer is undefined behavior.
In the compliant solution, a local copy of the string returned by str_func() is made to ensure that the string str is still valid when display_string() is called.
Null pointer dereferencing
The operand of the unary & operator shall be either a function designator, the result of a [] or unary * operator, or an lvalue that designates an object that is not a bit-field and not declared with the register storage-class specifier.
MS C++ Security Features
• /guard (Enable Control Flow Guard)
• /GS (Buffer Security Check)
• /SAFESEH (Image has Safe Exception Handlers)
• /NXCOMPAT (Data Execution Prevention support)
• /DYNAMICBASE (Use Address Space Layout Randomization, ASLR)
GCC & Clang Security Features
Universal solution?
Toolbox
• External code analysis tools:
  • PVS Studio
  • Cpp-Check
  • clang
• Windows Application Verifier
• Reversing:
  • Radare2
  • IDA Pro
Application Verifier
• Exceptions Stop Details - Ensures that applications do not hide access violations using structured exception handling
• Handles Stop Details - Tests to ensure the application is not attempting to use invalid handles
• Heaps Stop Details - Checks for memory corruption issues in the heap
• Input/Output Stop Details - Monitors the execution of asynchronous IO and performs various validations
• Leak Stop Details - Detects leaks by tracking the resources made by a DLL that are not freed by the time the DLL is unloaded
• Locks Stop Details - Verifies the correct usage of critical sections
• Memory Stop Details - Ensures APIs for virtual space manipulation are used correctly (for example, VirtualAlloc, MapViewOfFile)
• TLS Stop Details - Ensures that Thread Local Storage APIs are used correctly
• Threadpool Stop Details - Ensures correct usage of threadpool APIs and enforces consistency checks on worker-thread states after a callback
References - Double Agent
• Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanisms. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro.
• Installing Persistent Malware – Installing malware that can “survive” reboots and are automatically executed once the operating system boots.
• Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in disguise of the trusted process. e.g. Exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data.
• Altering Process Behavior – Modifying the behavior of the process. e.g. Installing backdoors, weakening encryption algorithms, etc.
• Attacking Other Users/Sessions – Injecting code to processes of other users/sessions (SYSTEM/Admin/etc.).
Application Verifier - Double Agent
Zero-Day Code Injection and Persistence Technique
https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
References
• SEI CERT C++ Coding Standard, https://www.securecoding.cert.org
• Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More, by John Viega and Matt Messier
• Secure Coding in C and C++ (2nd Edition) (SEI Series in Software Engineering), by Robert C. Seacord
You can avoid all this pain
Ask this guy how to do it