logo

Common Programming Errors and Security Measures

Identifying buffer length checking errors in a C program and writing a C program to prompt for a positive number less than a given value.

9 Pages2871 Words70 Views
   

Added on  2023-02-01

About This Document

This document discusses common programming errors and security measures to protect code and data. It covers topics such as buffer length checking errors, memory leaks, handling user input securely, and implementing security patches. The document also provides insights on threat modeling and risk assessment.

Common Programming Errors and Security Measures

Identifying buffer length checking errors in a C program and writing a C program to prompt for a positive number less than a given value.

   Added on 2023-02-01

ShareRelated Documents
1.
Line Number : 2, 3, 4, 8 causing buffer length checking error.
Fixed Program -
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
int main( void ) {
int YourNumber=0;
YourNumber = 17062267 % 1024;
char in1[YourNumber];
char in2[YourNumber];
char out[2*YourNumber-1];
printf("enter your string");
gets(in1);
printf("enter your string");
gets(in2);
strcpy(out,in1);
int index = strlen(in1);
while(index < 2*YourNumber-1) {
out[index] = in2[index-strlen(in1)];
index = index + 1;
}
printf("Output %s", out);
return 0;
}
Common Programming Errors and Security Measures_1
2.
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
int main( void ) {
int YourNumber=0,num,c=0,number=0;
YourNumber = 17062267 % 1024;
printf("YOUR NUMBER IS %d " ,YourNumber);
do{
printf("Please enter number less than YOUR NUMBER");
scanf("%d", &num);
number = number + num;
c++;
}
while(num > -1);
int average = number/c;
printf("Your Average is %d",average);
return 0;
}
3.
Line [3] of the given program results in heap overflow. Client input 'argv[1]' is replicated to stack cushion
'first' with no size limitation. Henceforth when the client input is more prominent than 666 bytes, its
limited to overwrite lump header of the following piece. This flood prompts subjective code execution.
Common Programming Errors and Security Measures_2
The principle thought of this method is to trap 'glibc malloc' to unlink the 'second' lump. While unlinking
GOT section of free would get overwritten with shellcode address. After effective overwrite, presently
when free is called by helpless program at line [5], shellcode would get executed.
Without aggressor impact, free at line [4] does the following : For non maped lumps, combine in reverse
as well as forward. Find if past piece is free – Previous lump is free, if current liberated lump's
PREV_INUSE (P) bit is disconnected. In any case, for our situation, past lump is assigned since 'first"s
PREV_INUSE bit is set, of course piece past to the absolute first piece of pile memory is distributed
(eventhough it doesnt exists).
Assuming free, unlink (expel) the past piece from its binlist, add past lump size to current size and
change the lump pointer to point to past piece. Be that as it may, for our situation past lump is
distributed, henceforth unlink isnt summoned. Subsequently at present liberated lump 'first' cannot be
merged in reverse. Find if next piece is free – Next lump is free, if by next piece's (from as of now
liberated lump) PREV_INUSE (P) bit is disconnected. To explore to by next lump, add at present liberated
piece's size to its lump pointer, at that point add next lump's size to next lump pointer. For our situation
alongside next piece to as of now liberated 'first' lump is top lump and its PREV_INUSE bit is set.
Therefore next lump 'second' piece isn't free.
Assuming free, merge unlink (expel) the following piece from its binlist and add next lump size to current
size. Yet, for our situation next lump is assigned, consequently unlink isnt summoned. In this manner as
of now liberated piece 'first' cannot be combined forward.
Presently add the solidified piece to unsorted receptacle. For our situation since no union occurs, simply
include the 'primary' lump to unsorted container.
Presently lets state attacker at line [3] overwrites the piece header of 'second' lump as pursues:
prev_size = even number and hence PREV_INUSE bit is unset.
size = -4
fd = free address – 12
bk = shellcode address
With attacker influence, free at line [4] does the following:
For non mmaped chunks, consolidate backward and/or forward.
Duplicate 'second' piece's fd and bk esteems to factors FD and BK, separately. For our situation FD = free
location - 12 and BK = shellcode address (As a feature of heap, assailant puts his shellcode inside 'first'
stack support).
Estimation of BK is duplicated to an area at counterbalance 12 from FD. For our situation adding 12
bytes to FD, focuses to GOT section of free and subsequently now GOT passage of free is overwritten
with shellcode address. Bingo!! Presently on at whatever point free is conjured, shellcode gets
executed!! Consequently executing line [5] in powerless program results in shellcode execution.
Common Programming Errors and Security Measures_3

End of preview

Want to access all the pages? Upload your documents or become a member.

Related Documents
Understanding Buffer Overflow: Stack and Heap Buffer Overflows, Exploiting Buffer Overflow, JOP and ROP
|11
|1080
|283