Re: safe strcpy()?
From: Crispin Cowan (crispin@wirex.com)
Date: 01/28/03
- Previous message: lists@notatla.demon.co.uk: "Re: malicious code"
- In reply to: Ed Carp: "safe strcpy()?"
- Next in thread: Michal Zalewski: "Re: safe strcpy()?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Jan 2003 23:57:37 -0800
From: Crispin Cowan <crispin@wirex.com>
To: Ed Carp <erc@pobox.com>
Ed Carp wrote:
>start looking for a way to figure out how to determine how
>much space was allocated to a string. I was rather surprised to find that
>I couldn't find such an animal! Am I missing something here?
>
>Consider the simple case of:
>
>/* Copies the string at from into to. Nothing here knows how large
> * the to buffer is, so a source longer than the destination overruns it. */
>char *my_strcpy (char *to, char *from)
>{
>    while(*from)
>    {
>        *to = *from;
>        to++;
>        from++;
>    }
>    *to = '\0';   /* terminate the copy */
>    return (from);
>}
>
>The problem arises if the memory allocation for from exceeds that for to.
>
No, there is no way for the string copy function itself to determine the
size of the destination buffer. All such computation has to be done at
the call site, not in the copy function. This is an inherent safety
limitation of the C language.
There are two compiler enhancements for GCC that provide full bounds
checking on arrays (Bounded Pointers
<http://gcc.gnu.org/projects/bp/main.html>, and the other nameless
project by Jones&Kelly
<http://www.doc.ic.ac.uk/%7Ephjk/BoundsChecking.html>, and ten Brugge
<http://web.inter.nl.net/hcc/Haj.Ten.Brugge/>). However, IIRC, both of
these enhancements just cause the program to die if the buffer
overflows. The other response would be to just ignore writes to arrays
beyond the bounds of the array, which is very likely to cause
"surprising" incorrect behavior.
More generally, you can read my survey of buffer overflow attacks and
defenses here:
"Buffer Overflows: Attacks and Defenses for the Vulnerability of
the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
and Jonathan Walpole. DARPA Information Survivability Conference and
Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head
Island SC, January 2000. Also presented as an invited talk at SANS
2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March
2000. PDF <http://wirex.com/%7Ecrispin/discex00.pdf>.
It's now a little dated, in that PAX <http://pageexec.virtualave.net/>,
libsafe <http://www.research.avayalabs.com/project/libsafe/>, and
StackGhost <http://stackghost.cerias.purdue.edu/> came out since I wrote
that paper. A more recent and comprehensive survey of open source
security will appear shortly in the new IEEE Security&Privacy Magazine
<http://www.computer.org/security/>.
Oh yeah, and there's StackGuard <http://immunix.org/stackguard.html> :-)
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
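The call-site pattern Crispin describes, written out as an added example (not code from either poster): the copy routine still cannot discover the destination size, so the caller passes it in from the array declaration, and the routine truncates, always NUL-terminates, and returns the full source length so truncation is detectable. The function names and the 16-byte buffer are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy (strlcpy-style semantics). dst_size comes from the caller,
 * because only the call site knows how much space was allocated.
 * Always NUL-terminates when dst_size > 0. Returns strlen(src), so a
 * result >= dst_size tells the caller the copy was truncated. */
size_t bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;                 /* nothing can be written safely */
    size_t n = src_len < dst_size ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Returns 1 if src fit completely into dst, 0 if it was truncated. */
int copy_fits(char *dst, size_t dst_size, const char *src)
{
    return bounded_strcpy(dst, dst_size, src) < dst_size;
}

/* Constructed demonstration: the size is taken with sizeof at the call
 * site, never derived from the source string. Returns 1 when the short
 * input fits and the long one is reported as truncated. */
int demo(void)
{
    char name[16];
    int ok_short = copy_fits(name, sizeof name, "alice");
    int ok_long  = copy_fits(name, sizeof name, "a-username-far-longer-than-sixteen-bytes");
    printf("short fits: %d, long fits: %d, buffer holds: \"%s\"\n",
           ok_short, ok_long, name);
    return ok_short && !ok_long;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```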