Mykhailo Zarai "Be careful when dealing with C++" at Rivne IT Talks

Post on 15-Apr-2017


transcript

Be careful when dealing with C/C++

Think Twice, Code Once

Mykhailo Zarai (April 2017)

Why do we care? Almost every day we hear about:
• vulnerabilities
• data breaches

Vulnerability examples
• Windows Remote Code Execution (MS15-115)
• NDIS Elevation of Privilege (MS15-17)
• Kernel-Mode Drivers Elevation of Privilege (MS15-135)

Data breaches 2016
• Apple Health Medicaid
• Central Coast Credit Union
• Commission on Elections
• Department of Homeland Security

What are we going to do?
• Talk about secure programming
• Programming toolbox
• Some references and recommendations

Common Vulnerabilities
• Buffer overflow
• Integers
• Null pointer dereferencing

Homework:
• Strings
• Arrays
• Exceptions

Look inside the buffer overflow problem

[Slide diagram: a stack frame, repeated over three slides, with these labels: Return Address; ESP - Extended Stack Pointer (top); Parent Routine Stack; EBP - Extended Base Pointer (base); char *bar; char c[12]; an arrow for stack growth and an axis for memory addresses.]

The data is put in reverse order onto the buffer: the string H E L L O is written into c[12] and shown again and again as the copy runs past the end of the buffer.

BOOM! Buffer Overflow!

[Third diagram: the same frame with a Canary Word label added.]
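The frame on the slides, written out as code. This is an added example, not code from the talk: foo_unbounded is the slide-style function with the fixed 12-byte buffer, and foo_bounded is the hardened form that refuses input which would not fit.

```cpp
#include <cstddef>
#include <cstring>

// The frame from the slide: c[12] lies below the saved EBP and the return
// address, so every byte written past c[11] climbs toward them. /GS and
// -fstack-protector put the slide's "Canary Word" in that gap and check it
// before the function returns; the bounded version below never reaches it.

// Slide-style foo(char *bar): strcpy() has no bound, so 12 or more bytes of
// input overwrite the saved frame pointer and return address ("BOOM!").
// Kept only to show the pattern; it is never called in this example.
void foo_unbounded(const char *bar) {
    char c[12];
    std::strcpy(c, bar);
}

// Hardened version: reject input that does not fit, NUL included, and copy
// with an explicit bound. Returns the number of characters copied, or -1
// when the input was refused (refusing beats silently truncating).
int foo_bounded(const char *bar) {
    char c[12];
    std::size_t len = std::strlen(bar);
    if (len >= sizeof c) {
        return -1;
    }
    std::memcpy(c, bar, len + 1);
    return static_cast<int>(std::strlen(c));
}

// Longest input foo_bounded accepts: sizeof(c) - 1 characters plus the NUL.
std::size_t max_safe_input() { return 11; }
```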

Integers – Unsigned integer wrap

Must not be allowed to wrap:
• Integer operands of any pointer arithmetic and array indexing
• The assignment expression for the declaration of a variable length array
• The postfix expression preceding square brackets []
• Function arguments of type size_t or rsize_t
• In security-critical code

Integers – Unsigned integer wrap: which operators can wrap

Operator  Wrap    Operator  Wrap    Operator  Wrap    Operator  Wrap
+         Yes     -=        Yes     <<        Yes     <         No
-         Yes     *=        Yes     >>        No      >         No
*         Yes     /=        No      &         No      >=        No
/         No      %=        No      |         No      <=        No
%         No      <<=       Yes     ^         No      ==        No
++        Yes     >>=       No      ~         No      !=        No
--        Yes     &=        No      !         No      &&        No
=         No      |=        No      unary +   No      ||        No
+=        Yes     ^=        No      unary -   Yes     ?:        No

Unsigned integer operations shouldn't wrap.

Heap buffer overflow in Mozilla SVG: a multiplication of the signed int pen->num_vertices and a size_t value:

Heap buffer overflow in Mozilla SVG: compliant solution:
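The precondition checks behind the wrap table and the Mozilla SVG case, as an added example (not Mozilla's code and not from the talk): a signed vertex count multiplied by an element size is only turned into an allocation once a negative count and an unsigned wrap have both been ruled out. The names num_vertices, elem_size and alloc_vertices are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>

// Computes count * elem_size for an allocation, refusing the cases the slides
// flag: a negative signed count (it would convert to a huge size_t) and an
// unsigned product that wraps. Returns true and stores the size on success.
bool checked_alloc_size(int num_vertices, std::size_t elem_size, std::size_t *out) {
    if (num_vertices < 0 || elem_size == 0) return false;
    std::size_t n = static_cast<std::size_t>(num_vertices);
    // Precondition test for '*': the product wraps iff n > SIZE_MAX / elem_size.
    if (n > SIZE_MAX / elem_size) return false;
    *out = n * elem_size;
    return true;
}

// Same idea for '+', the other arithmetic operator the table marks as
// wrapping: used when a header or terminator is added to a computed size.
bool checked_add(std::size_t a, std::size_t b, std::size_t *out) {
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}

// Allocates a vertex array only if the size computation was sound; a wrapped
// size would otherwise buy a buffer far smaller than the code then writes.
void *alloc_vertices(int num_vertices, std::size_t elem_size) {
    std::size_t bytes;
    if (!checked_alloc_size(num_vertices, elem_size, &bytes)) return nullptr;
    return std::calloc(1, bytes);
}
```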

Converting a pointer to an integer or an integer to a pointer: do not convert a pointer type to an integer type if the result cannot be represented in the integer type (undefined behavior).

Converting a pointer to an integer or an integer to a pointer, compliant solution: any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value.
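The compliant round trip through uintptr_t, plus the one common reason to look at a pointer's bits at all (an alignment check), as an added example that is not from the talk. The function names round_trips and is_aligned are this example's own.

```cpp
#include <cstddef>
#include <cstdint>

// Pointers may only travel through intptr_t/uintptr_t, never int: on LP64 a
// 64-bit address does not fit a 32-bit int, which is the undefined behavior
// the slide warns about. uintptr_t is guaranteed wide enough.
static_assert(sizeof(std::uintptr_t) >= sizeof(void *), "uintptr_t must hold a pointer");

// Round-trips a pointer through uintptr_t and reports whether it came back
// unchanged, which the standard guarantees for uintptr_t and not for int.
bool round_trips(const void *p) {
    std::uintptr_t bits = reinterpret_cast<std::uintptr_t>(p);
    const void *back = reinterpret_cast<const void *>(bits);
    return back == p;
}

// Legitimate use of the integer form: checking alignment before a byte
// buffer is reinterpreted as a wider type.
bool is_aligned(const void *p, std::size_t alignment) {
    return reinterpret_cast<std::uintptr_t>(p) % alignment == 0;
}
```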

Null pointer dereferencing (CWE-476)

std::string::c_str() is called on a temporary std::string object. The resulting pointer points to released memory at the end of the assignment expression, so accessing elements through that pointer is undefined behavior.

In the compliant solution, a local copy of the string returned by str_func() is made to ensure that the string str is still valid when display_string() is called.
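The compliant solution described above, as an added example that is not the talk's own code: str_func() and display_string() are the slide's names with bodies made up here, the non-compliant line is shown only as a comment, and use_local_copy is the fix.

```cpp
#include <cstring>
#include <string>

// Stand-ins for the slide's str_func() and display_string(): the names are
// the slide's, the bodies and the sample text are this example's own.
std::string str_func() { return std::string("Rivne IT Talks"); }
std::size_t display_string(const char *s) { return std::strlen(s); }

// Non-compliant pattern from the slide, kept as a comment because running it
// is undefined behavior:
//     const char *p = str_func().c_str();  // temporary dies at the end of this statement
//     display_string(p);                   // p now points into released storage

// Compliant solution: a local copy owns the buffer for as long as the pointer
// is in use, so c_str() stays valid across the call.
std::size_t use_local_copy() {
    std::string str = str_func();
    return display_string(str.c_str());
}

// Also valid: a temporary lives until the end of the full expression that
// created it, so passing c_str() straight in as an argument is safe.
std::size_t use_within_full_expression() {
    return display_string(str_func().c_str());
}
```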

Null pointer dereferencing

The operand of the unary & operator shall be either a function designator, the result of a [] or unary * operator, or an lvalue that designates an object that is not a bit-field and not declared with the register storage-class specifier.

MS C++ Security Features
• /guard (Enable Control Flow Guard)
• /GS (Buffer Security Check)
• /SAFESEH (Image has Safe Exception Handlers)
• /NXCOMPAT (Data Execution Prevention support)
• /DYNAMICBASE (Use address space layout randomization (ASLR))

GCC & Clang Security Features

Universal solution?

Toolbox
• External code analysis tools:
  • PVS-Studio
  • Cppcheck
  • clang
• Windows Application Verifier
• Reversing:
  • Radare2
  • IDA Pro

Application Verifier
• Exceptions Stop Details - Ensures that applications do not hide access violations using structured exception handling
• Handles Stop Details - Tests to ensure the application is not attempting to use invalid handles
• Heaps Stop Details - Checks for memory corruption issues in the heap
• Input/Output Stop Details - Monitors the execution of asynchronous IO and performs various validations
• Leak Stop Details - Detects leaks by tracking the resources made by a DLL that are not freed by the time the DLL is unloaded
• Locks Stop Details - Verifies the correct usage of critical sections
• Memory Stop Details - Ensures APIs for virtual space manipulation are used correctly (for example, VirtualAlloc, MapViewOfFile)
• TLS Stop Details - Ensures that Thread Local Storage APIs are used correctly
• Threadpool Stop Details - Ensures correct usage of threadpool APIs and enforces consistency checks on worker-thread states after a callback

References - Double Agent
• Attacking Antivirus & Next Generation Antivirus – Taking full control of any antivirus by injecting code into it while bypassing all of its self-protection mechanisms. The attack has been verified and works on all the major antiviruses including but not limited to: Avast, AVG, Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Quick Heal and Trend Micro.
• Installing Persistent Malware – Installing malware that can "survive" reboots and is automatically executed once the operating system boots.
• Hijacking Permissions – Hijacking the permissions of an existing trusted process to perform malicious operations in the disguise of the trusted process, e.g. exfiltrating data, C&C communication, lateral movement, stealing and encrypting sensitive data.
• Altering Process Behavior – Modifying the behavior of the process, e.g. installing backdoors, weakening encryption algorithms, etc.
• Attacking Other Users/Sessions – Injecting code into processes of other users/sessions (SYSTEM/Admin/etc.).

Application Verifier - Double Agent: Zero-Day Code Injection and Persistence Technique
https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/

References
• SEI CERT C++ Coding Standard, https://www.securecoding.cert.org
• Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More, by John Viega and Matt Messier
• Secure Coding in C and C++ (2nd Edition), SEI Series in Software Engineering, by Robert C. Seacord

You can avoid all this pain. Ask this guy how to do it.