The document discusses secure coding practices for C and C++. It warns about common vulnerabilities like buffer overflows, integer overflows, and null pointer dereferencing. It provides examples of these issues and secure coding techniques to address them. The document recommends using tools like Application Verifier and external code analysis tools to detect issues. It lists references on secure coding standards and techniques to help programmers write more robust code.
8. [Stack-frame diagram] Labels: Return Address; ESP - Extended Stack Pointer (top); Parent Routine Stack; EBP - Extended Base Pointer (base); char *bar; char c[12]; arrows for stack growth and memory addresses. Caption: the data is put onto the buffer in reverse order.
9. [Stack-frame diagram, same layout as slide 8] Labels: Return Address; ESP - Extended Stack Pointer (top); Parent Routine Stack; EBP - Extended Base Pointer (base); char *bar; char c[12]; arrows for stack growth and memory addresses. Repeated "HELLO" fills char c[12] and keeps going past it. Caption: BOOM! Buffer Overflow!
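The overflow drawn on slides 8-9, as an added example that is not code from the slides: a 12-byte c[12] filled by an unbounded copy beside a bounded copy that rejects oversized input, plus the strncpy() half-fix that leaves no terminator. BUF_SIZE and the 20-character input are constructed for the example.

```cpp
#include <cstddef>
#include <cstring>

// Added example, not code from the slides. Slides 8-9 draw a 12-byte buffer
// c[12] sitting below the pointer bar, the saved EBP and the return address;
// an unbounded copy of a 20-character string walks upward into all of them.

constexpr std::size_t BUF_SIZE = 12;

// Constructed input: four "HELLO" fragments = 20 characters plus the NUL.
const char *const OVERLONG = "HELLOHELLOHELLOHELLO";

// Vulnerable pattern from the slide: strcpy() never learns sizeof(c), so a
// 21-byte write into a 12-byte array corrupts bar, EBP and the return address.
// Shown for recognition only; the functions below are the ones to call.
void copy_unbounded(char *c, const char *input) {
    std::strcpy(c, input);
}

// Bounded copy that refuses inputs which do not fit instead of truncating.
// Returns true on success, false when strlen(input) + 1 exceeds dst_size.
bool copy_bounded(char *dst, std::size_t dst_size, const char *input) {
    std::size_t len = std::strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return false;                       // reject; the caller decides what to do
    }
    std::memcpy(dst, input, len + 1);       // len + 1 carries the terminating NUL
    return true;
}

// Common half-fix: strncpy() stops at dst_size but leaves no terminator when the
// input is too long, so a later strlen()/printf("%s") reads past dst. Returns
// whether dst can safely be treated as a C string afterwards.
bool copy_strncpy_is_terminated(char *dst, std::size_t dst_size, const char *input) {
    std::strncpy(dst, input, dst_size);
    return std::memchr(dst, '\0', dst_size) != nullptr;
}
```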
11. Integers – Unsigned integer Wrap
Must not be allowed to wrap:
• Integer operands of any pointer arithmetic and array indexing
• The assignment expression for the declaration of a variable length array
• The postfix expression preceding square brackets []
• Function arguments of type size_t or rsize_t
• In security-critical code
12. Integers – Unsigned integer Wrap
Operator  Wrap    Operator  Wrap    Operator  Wrap    Operator  Wrap
+         Yes     -=        Yes     <<        Yes     <         No
-         Yes     *=        Yes     >>        No      >         No
*         Yes     /=        No      &         No      >=        No
/         No      %=        No      |         No      <=        No
%         No      <<=       Yes     ^         No      ==        No
++        Yes     >>=       No      ~         No      !=        No
--        Yes     &=        No      !         No      &&        No
=         No      |=        No      unary +   No      ||        No
+=        Yes     ^=        No      unary -   Yes     ?:        No
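Precondition checks for the operators the table above marks "Yes", applied before a value reaches array indexing or a size_t argument (slide 11). This is an added example, not code from the slides; records_alloc_size() is an assumed caller constructed to show the checks in use.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not from the slides. Slide 11 says unsigned wrap must not reach
// pointer arithmetic, array indexing, VLA sizes or size_t arguments; the slide 12
// table marks +, -, *, ++, --, += and -= among the operators that can wrap.
// These helpers test the INT30-C style precondition before the operation runs.

// a + b wraps exactly when b > SIZE_MAX - a (the subtraction itself cannot wrap).
bool size_add(std::size_t a, std::size_t b, std::size_t &out) {
    if (b > SIZE_MAX - a) {
        return false;
    }
    out = a + b;
    return true;
}

// a * b wraps exactly when a != 0 and b > SIZE_MAX / a.
bool size_mul(std::size_t a, std::size_t b, std::size_t &out) {
    if (a != 0 && b > SIZE_MAX / a) {
        return false;
    }
    out = a * b;
    return true;
}

// a - b wraps to a huge value whenever b > a; buf[a - b] would then index
// far outside the array.
bool size_sub(std::size_t a, std::size_t b, std::size_t &out) {
    if (b > a) {
        return false;
    }
    out = a - b;
    return true;
}

// Assumed caller: bytes for `count` records plus a header, about to be passed
// to malloc()/memcpy() as size_t. Returns 0 when the size would wrap, so the
// caller never allocates a too-small block and then overruns it.
std::size_t records_alloc_size(std::size_t count, std::size_t record_size, std::size_t header) {
    std::size_t body = 0, total = 0;
    if (!size_mul(count, record_size, body) || !size_add(body, header, total)) {
        return 0;
    }
    return total;
}
```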
16. Converting a pointer to integer or integer to pointer
Do not convert a pointer type to an integer type if the result cannot be represented in the integer type (undefined behavior).
17. Converting a pointer to integer or integer to pointer
Compliant solution: any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value.
19. std::string::c_str() is being called on a temporary std::string object. The resulting pointer will point to released memory at the end of the assignment expression. The result is undefined behavior when accessing elements through that pointer.
20. In the compliant solution, a local copy of the string returned by str_func() is made to ensure that the string str will be valid when the call to display_string() is made.
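The non-compliant and compliant patterns of slides 19-20 side by side, as an added example rather than the slides' own code. The names str_func() and display_string() are the slides'; their bodies (a by-value std::string producer and a consumer that takes a C string and returns its length) are assumed here so the result is observable.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Added example, not the slides' code. str_func() and display_string() are
// named on slides 19-20; their bodies below are assumptions for this example.

// Assumed producer: returns a temporary by value, as on slide 19.
std::string str_func() {
    return std::string("secure coding");
}

// Assumed consumer that only sees a C string; returns the length it read.
std::size_t display_string(const char *s) {
    return std::strlen(s);
}

// NON-COMPLIANT (slide 19): the temporary returned by str_func() is destroyed
// at the end of the full expression on the first line, so `p` points at
// released memory before display_string() runs. Kept only as the pattern to
// recognise; it is never called.
std::size_t dangling_use() {
    const char *p = str_func().c_str();   // temporary dies at this semicolon
    return display_string(p);             // reads freed memory: undefined behavior
}

// COMPLIANT (slide 20): a named local keeps the buffer alive across the call.
std::size_t local_copy_use() {
    std::string str = str_func();         // str owns the buffer until scope exit
    return display_string(str.c_str());
}

// Also fine: the temporary lives until the end of this one full expression,
// so the pointer from c_str() is consumed while it is still valid.
std::size_t same_expression_use() {
    return display_string(str_func().c_str());
}
```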
21. Null pointer dereferencing
The operand of the unary & operator shall be either a function designator, the result of a [] or unary * operator, or an lvalue that designates an object that is not a bit-field and not declared with the register storage-class specifier.
22. MS C++ Security Features
• /guard (Enable Control Flow Guard)
• /GS (Buffer Security Check)
• /SAFESEH (Image has Safe Exception Handlers)
• /NXCOMPAT (Data Execution Prevention support)
• /DYNAMICBASE (Use address space layout randomization, ASLR)
25. Toolbox
• External code analysis tools:
  • PVS-Studio
  • Cppcheck
  • clang
• Windows Application Verifier
• Reversing:
  • Radare2
  • IDA Pro
26. Application Verifier
• Exceptions Stop Details - Ensures that applications do not hide access violations using structured exception handling
• Handles Stop Details - Tests to ensure the application is not attempting to use invalid handles
• Heaps Stop Details - Checks for memory corruption issues in the heap
• Input/Output Stop Details - Monitors the execution of asynchronous I/O and performs various validations
• Leak Stop Details - Detects leaks by tracking the resources created by a DLL that are not freed by the time the DLL is unloaded
• Locks Stop Details - Verifies the correct usage of critical sections
• Memory Stop Details - Ensures APIs for virtual address space manipulation are used correctly (for example, VirtualAlloc, MapViewOfFile)
• TLS Stop Details - Ensures that Thread Local Storage APIs are used correctly
• Threadpool Stop Details - Ensures correct usage of threadpool APIs and enforces consistency checks on worker-thread states after a callback
27. References - Double Agent
• Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanisms. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro.
• Installing Persistent Malware – Installing malware that can “survive” reboots and is automatically executed once the operating system boots.
• Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in the guise of the trusted process, e.g. exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data.
• Altering Process Behavior – Modifying the behavior of the process, e.g. installing backdoors, weakening encryption algorithms, etc.
• Attacking Other Users/Sessions – Injecting code into processes of other users/sessions (SYSTEM/Admin/etc.).