The document discusses secure coding practices for C and C++. It warns about common vulnerabilities like buffer overflows, integer overflows, and null pointer dereferencing. It provides examples of these issues and secure coding techniques to address them. The document recommends using tools like Application Verifier and external code analysis tools to detect issues. It lists references on secure coding standards and techniques to help programmers write more robust code.

1. Be careful when dealing
with C/C++
Think Twice, Code Once
Mykhailo Zarai (April 2017)

2. Why do we care?
Almost every day we hear about :
•vulnerabilities
•data breech

3. Vulnerabilities examples
•Windows Remote Code
execution (MS15-115)
•NDIS Privilege of Elevation
(MS15-17)
•Kernel-Mode Drivers Privilege
(MS15-135)

4. Data breach 2016
•Apple Health Medicaid
•Central Coast Credit Union
•Commission on Elections
•Department of Homeland
Security

5. What we are going to do?
•Talk about secure programming
•Programming toolbox
•Some references and
recommendations

6. Common Vulnerabilities
•Buffer overflow
•Integers
•Null pointer dereferencing
Homework:
•Strings
•Arrays
•Exceptions

7. Look inside buffer overflow
problem

8. Return Address
ESP - Extended
Stack Pointer (topo)
Parent Routine Stack
EBP - Extended Base
Pointer (base)
Char *bar
Char c[12]
StackGrowth
MemoryAddresses
The data is put on
reverse order onto buffer

9. Return Address
ESP - Extended
Stack Pointer (topo)
Parent Routine Stack
EBP - Extended Base
Pointer (base)
Char *bar
Char c[12]
StackGrowth
MemoryAddresses
H E L L O
H E L L O
H E L L O
H E L L O
H E L L O
BOOM!
Buffer Overflow!
H E L L O

10. Return Address
ESP - Extended
Stack Pointer (topo)
Parent Routine Stack
EBP - Extended Base
Pointer (base)
Char *bar
Char c[12]
StackGrowth
MemoryAddresses
Canary Word

11. Integers – Unsigned integer
Wrap
Must not be allowed to wrap:
• Integer operands of any point arithmetic and
array indexing
• The assignment expression for declaration of a
variable length array
• The postfix expression preceding square
brackets []
• Function arguments of type size_t or rsize_t
• In security-critical code

12. Integers – Unsigned integer
Wrap
Operat
or
Wrap Operat
or
Wrap Operat
or
Wrap Operat
or
Wrap
+ Yes -= Yes << Yes < No
- Yes *= Yes >> No > No
* Yes /= No & No >= No
/ No %= No | No <= No
% No <<= Yes ^ No == No
++ Yes >>= No ~ No != No
-- Yes &= No ! No && No
= No |= No un + No || No
+= Yes ^= No un - Yes ?: No

13. Unsigned integer operation
shouldn't wrap

14. Heap Buffer overflow in
Mozilla SVG
Multiplication of the signed int pen-
>num_vertices and the size_t value:

15. Heap Buffer overflow in
Mozilla SVG
Compliant solution:

16. Converting a pointer to
integer or integer to pointer
Do not convert a pointer type to an
integer type if the result cannot be
represented in the integer type
(undefined behavior)

17. Converting a pointer to
integer or integer to pointer
Compliant solution: any valid pointer to
void can be converted to intptr_t or
uintptr_t and back with no change in
value.

18. Null pointer dereferencing
(CWE-476)

19. std::string::c_str() is being called on a
temporary std::string object. The
resulting pointer will point to released
memory at the end of the assignment
expression. Result is undefined behavior
when accessing elements on that pointer

20. In the compliant solution, a local copy of
the string returned by str_func() is made
to ensure that string str will be valid
when the call display_string() is made.

21. null pointer dereferencing
The operand of the unary & operator shall be
either a function designator, the result of a [] or
unary * operator, or an lvalue that designates
an object that is not a bit-field and not declared
with the register storage-class specifier.

22. MS C++ Security Features
•/guard (Enable Control Flow Guard)
•/GS (Buffer Security Check)
•/SAFESEH (Image has Safe Exception
Handlers)
•/NXCOMPAT (Data execution prevention
support)
•/DYNAMICBASE (Use address space
layout randomization)(ASLR)

23. GCC & Clang Security
Features

24. Universal solution?

25. Toolbox
•External code analysis tools:
• PVS Studio
• Cpp-Check
• clang
•Windows application verifier
•Reversing:
• Radare2
• IDA Pro

26. Application Verifier
• Exceptions Stop Details - Ensures that applications do not hide access violations
using structured exception handling
• Handles Stop Details - Tests to ensure the application is not attempting to use invalid
handles
• Heaps Stop Details - Checks for memory corruptions issues in the heap
• Input/Output Stop Details - Monitors the execution of asynchronous IO, and
performs various validations
• Leak Stop Details - Detects leaks by tracking the resources made by a dll that are not
freed by the time the dll was unloaded
• Locks Stop Details - Verifies the correct usage for critical sections
• Memory Stop Details - Ensures APIs for virtual space manipulations are used
correctly (for example, VirtualAlloc, MapViewOfFile)
• TLS Stop Details - Ensures that Thread Local Storage APIs are used correctly
• Threadpool Stop Details - Ensures correct usage of threadpool APIs and enforces
consistency checks on worker-thread-states after a callback

27. References - Double Agent
• Attacking Antivirus & Next Generation Antivirus – Taking full control of
any antivirus by injecting code into it while bypassing all of its self-
protection mechanism. The attack has been verified and works on all
the major antiviruses including but not limited to: Avast, AVG, Avira,
Bitdefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes,
McAfee, Norton, Panda, Quick Heal and Trend Micro.
• Installing Persistent Malware – Installing malware that can “survive”
reboots and are automatically executed once the operating system
boots.
• Hijacking Permissions – Hijacking the permissions of an existing trusted
process to perform malicious operations in disguise of the trusted
process. e.g. Exfiltrating data, C&C communication, lateral movement,
stealing and encrypting sensitive data.
• Altering Process Behavior – Modifying the behavior of the process. e.g.
Installing backdoors, weakening encryption algorithms, etc.
• Attacking Other Users/Sessions – Injecting code to processes of other
users/sessions (SYSTEM/Admin/etc.).

28. Application Verifier -
Double Agent
Zero-Day Code Injection and Persistence
Technique
https://cybellum.com/doubleagentzero-
day-code-injection-and-persistence-
technique/

29. References
SEI CERT C++ Coding Standard
https://www.securecoding.cert.org

30. References
Secure Programming Cookbook for C and
C++ Recipes for Cryptography,
Authentication, Input Validation & More
By John Viega, Matt Messier

31. References
Secure Coding in C and C++ (2nd Edition)
(SEI Series in Software Engineering) 2nd
Edition by Robert C. Seacord

32. You can avoid all this pain
Ask this guy how to do it