Professional Documents
Culture Documents
Outline
Objective
Bug classes
Memory corruption
Integer overflows/underflows
Type conversion
Others
Resources
Objective
Secure Coding
Secure
Reliable
Extendable
Save $$$
Memory Corruption
Common Culprits
strcpy
strcat
sprintf
etc.
More than 15
bytes of data
...
EBP
buff
15 bytes
strcpy will
continue
writing down
the stack
arguments
previous stack frame
Stack frame
strncpy
strncat
snprintf
strcpy(dest, source)
buff3
src2
buff2
buff1
EBP
EBP
RET
arguments
previous stack frame
Stack frame
If src2 is 512
bytes like buff2,
it will not be
null terminated
src3
src2
buff3
buff2
buff1
EBP
EBP
RET
arguments
previous stack frame
Stack frame
If src3 is 512
bytes like buff3,
it will not be
null terminated
The size of
buff3 is now
1024 bytes
src3
src2
buff3
buff2
buff1
EBP
EBP
RET
arguments
previous stack frame
Stack frame
Any string
operation on
buff3 will now
operate on at
least 1024 bytes,
because no null
bytes are in buff3
and buff2
Integer Overflows/Underflows
Inter Overflows/Underflows...
Overflow + allocation
Underflow
Rolls around to a
very large number
Type Conversion
Type Conversion...
Others
Format strings
Off-by-one
etc.
Actually...
Security researchers
Code auditors
career
Scope
Sources of input
Resources
https://www.fortify.com/vulncat/en/vulncat/index.
html