[ lab02.html ]
- To have experimented with a dangerous misuse of arrays.
- To know what the buffer overrun attack is.
- To know how to write C++ code that is not exposed to buffer overrun attacks.
- Download (shift&click) the following awful example.
[ lab02bad.cpp ]
- It is designed as an example of a bad log-in program.
- It uses char* arrays to hold character strings and the old "str*" library to manipulate them.
Each string has an extra '\0' char at the end.
- #include <cstring> // defines the "str*" functions.
- authenticated= ! strncmp(pwd,passwd,7); // CoMPares upto 7 charcaters of pwd and passwd and sets
authenticated to true if they are equal.
- if(!strcmp(name,"botting")) // compares the characters in name with those in "botting" and does not keep count. It tries pairs of characters until one is different or '\0'. The condition succeeds if the strings are equal.
- strcpy(pwd, "123456"); // Copies "123456" into pwd -- this copies 6 characters and a null '\0' even if
pwd has room for 2 character:-(
(End of Net)
- It has many faults and we will remove some of these in our laboratories.
- This is how it works when compiled and run:
- First it outputs the addresses of the three character arrays used in the program: "name", "pwd", and "passwd".
- Then it enters a loop until a log-in is authenticated:
- It asks for a name ("botting" for example) using a function "get".
- It looks up the password for the name ("botting" has "123456") using function get_password.
- It asks for a password.
- It tests to see if the two passwords match.
- If they don't match it outputs a message and repeats from step 1 above.
- If the two passwords match it "Welcomes" the user.
- Make it compile it into "lab02bad" and test it. It should work as described.
- Unfortunately it falls to a simple buffer over run attack.
- Run it with name 'botting' and try passwords 'x', 'xx', 'xxxx', 'xxxxxx', and so on.... what happens with each? Any unexpected logins?
- When you can explain to me what is going on (hint: draw a picture!) you've
earned a 'D' for the lab.
- Please preserve a copy of the compiled code "lab02bad" ready for
a future lab.
- Your task is to fix the buffer overrun. Where is the problem?
void get(char * askfor, int numchars, char * input)
- Here are two ways to attempt to fix the problem that are fairly easy
and one that is challenging (I've tried all three).
- The quick fix: input the user data into a 'string' variable. Then
use the 'string' functions to extract a substring that fits in the given
7 character buffer. This relies on the C++ Standard Library
[ string.html ]
a buffer overrun in its place. So, I'll offer a max of a B in the
lab for this solution.
- Use a character by character loop: Have a single
and put the user data into it one character at a time using
until the buffer(input) is full or the user taps enter ('\n').
Then add the terminating ('\0') and discard the rest of the data by
using cin.get(c) and not doing anything with c! Get this working and you've got
- The challenge of getline: Here you use
cin.getline(input, numchars+1, '\n');
to fill the buffer. You then need to use
to see if there are any characters to discard and
to clear the fail flag. After clearing the fail flag then you
can use cin.get(...) to discard the rest of the line. Get this working and you've got
- Pick the strategy closest to your taste, and may the source be with you,
as you patch the code.
- Show me when you are happy that it fights off the attackers, or when
we are out of time.
Show me an example of a buffer over run resisted.
Before the end of the laboratory period.
- Work on your next project.
- Study this
[ sins-of-software-security.html ]
Do not fix the many other faults with this code. We will get to
I will publish my solutions in the next lab.
. . . . . . . . . ( end of section CSci202 Laboratory 03 Pointers and Information Security) <<Contents | End>>
- accessor::=`A Function that accesses information in an object with out changing the object in any visible way".
In C++ this is called a "const function".
In the UML it is called a query.
- Algorithm::=A precise description of a series of steps to attain a goal,
[ Algorithm ]
- class::="A description of a set of similar objects that have similar data plus the functions needed to manipulate the data".
- constructor::="A Function in a class that creates new objects in the class".
- Data_Structure::=A small data base.
- destructor::=`A Function that is called when an object is destroyed".
- Function::programming=A selfcontained and named piece of program that knows how to do something.
- Gnu::="Gnu's Not Unix", a long running open source project that supplies a
very popular and free C++ compiler.
- mutator::="A Function that changes an object".
- object::="A little bit of knowledge -- some data and some know how". An
object is instance of a class.
- objects::=plural of object.
- OOP::="Object-Oriented Programming",
Current paradigm for programming.
- Semantics::=Rules determining the meaning of correct statements in a language.
- SP::="Structured Programming",
a previous paradigm for programming.
- STL::="The standard C++ library of classes and functions" -- also called the
"Standard Template Library" because many of the classes and functions will work
with any kind of data.
- Syntax::=The rules determining the correctness and structure of statements in a language, grammar.
- Q::software="A program I wrote to make software easier to develop",
- TBA::="To Be Announced", something I should do.
- TBD::="To Be Done", something you have to do.
- UML::="Unified Modeling Language".
- void::C++Keyword="Indicates a function that has no return".