count_digits incorrectly returns zero for zero. The correct result is one. A name of 251 characters with a salary of zero will require 257 characters (251 for name, 1 for salary, 5 for color, space, dollar sign, new-line, and null), but len will be incorrectly computed as 256, and len > sizeof(buffer) will not be triggered, so the code will overflow buffer.
(Another problem is strlen has undefined behavior when name is not null-terminated, but the context of name is not clear from the problem statement.)
This is not an answer, but an example of what the code potentially should have been to avoid the buffer overflow described by Erik Postpischil.
The count_digits function is wrong (in case of 0), but also unnecessary. It is possible to limit the output to buffer using snprintf:
    #include <stdio.h>
    #include <stdlib.h>

    FILE *global_file_handle;   /* output file, assumed to be opened elsewhere */

    void add_record(const char* name, unsigned int salary)
    {
        char buffer[256];
        int len;

        /* snprintf never writes more than sizeof buffer bytes; it returns the
           length the full string would have had (excluding the null), so a
           negative value is an error and sizeof buffer or more means truncation. */
        len = snprintf(buffer, sizeof buffer, "%s: $%u\n", name, salary);
        if (len < 0 || (size_t)len >= sizeof buffer) {
            printf("Too long string\n");
            exit(1);
        }
        fputs(buffer, global_file_handle);
    }
Note that if len is exactly equal to sizeof buffer, this will mean that the resulting string was already truncated. In fact, len + 1 is the size that buffer should have been to prevent truncation.
Avalanche is a dynamic defect detection tool that generates "inputs of death" - input data reproducing critical bugs and vulnerabilities in the analysed program.
BoundsChecker is a memory checking and API call validation tool used for C++ software development with Microsoft Visual C++.
Valgrind is an instrumentation framework for building dynamic analysis tools. There are Valgrind tools that can automatically detect many memory management and threading bugs, and profile your programs in detail.
!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown.
I usually use fuzzing in order to identify vulnerabilities in software with or without the source code. The fuzzing technique consists of manipulating the inputs to an application in a semi-automated way to produce errors that you have to study later using a debugger or inspecting the source code.
For example, you can program a fuzzer for the PDF format and use it to generate malformed PDF files and open them with your software, which is supposed to fail gracefully when reading malformed PDFs.
With a fuzzer you can test thousands of different combinations of inputs covering lots of cases, but it is a method that does not guarantee that there are no bugs.
You can use the Peach Fuzzing Platform, which is a good framework to implement fuzzers and includes the tools to open the debugger automatically and log the inputs when a bug is found.
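As an added example (not code from any of the answers above), the following C reconstructs the length estimate the first answer describes, with a hypothetical count_digits that returns 0 for 0, compares it against the exact size snprintf reports, and runs a small seeded fuzzer over name lengths and salaries to surface the off-by-one the way the fuzzing approach above would. The count_digits body, the 'A'-filled names and the fuzzer's input distribution are assumptions, not the questioner's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the original count_digits (assumed, not
 * shown in the question): loops while n > 0, so it returns 0 for salary 0
 * although "0" prints as one character. */
static int count_digits_buggy(unsigned n)
{
    int d = 0;
    while (n > 0) { d++; n /= 10; }
    return d;
}

/* Size estimate as the first answer describes it: name + digits + 5
 * (colon, space, dollar sign, newline, terminating null). */
static size_t estimated_len(const char *name, unsigned salary)
{
    return strlen(name) + (size_t)count_digits_buggy(salary) + 5;
}

/* Exact size needed, including the null, measured by snprintf itself. */
static size_t required_len(const char *name, unsigned salary)
{
    return (size_t)snprintf(NULL, 0, "%s: $%u\n", name, salary) + 1;
}

/* Bytes the estimate falls short by for a name of name_len 'A's (0 = safe). */
static long undercount(size_t name_len, unsigned salary)
{
    char name[512];
    if (name_len >= sizeof name) name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return (long)required_len(name, salary) - (long)estimated_len(name, salary);
}

/* Seeded fuzzer in the spirit of the fuzzing answer: random name lengths and
 * salaries biased toward 0; returns how many inputs undercount, logging the first. */
static int fuzz_estimate(unsigned seed, int iterations)
{
    int hits = 0;
    srand(seed);
    for (int i = 0; i < iterations; i++) {
        size_t n = (size_t)rand() % 256;
        unsigned salary = (rand() % 4 == 0) ? 0u : (unsigned)rand();
        if (undercount(n, salary) > 0 && hits++ == 0)
            printf("undercount: name_len=%zu salary=%u\n", n, salary);
    }
    return hits;
}
```

Every logged input has salary 0: for a 251-character name the estimate is 256 while snprintf needs 257, which is the one-byte overflow the first answer describes.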
Open Security Training has some great resources to teach developers about secure code practices, including a virtual machine with compilers and vulnerable code samples.
Also look at NIST's SAMATE Test Suite for C and C++ vulnerable code. For example, the C test suite contains good examples of format string and buffer overflow vulnerabilities in C.
You can find vulnerable versions of open source software like Wireshark on SAMATE as well. You might also want to look at exploit-db.com once your students are comfortable with simple vulnerabilities.
Finding security issues in Wireshark, VLC or any media libraries can be a great exercise for students and also improves security of open source projects.
DevIL is an image library with quite a lot of stack overflows in it.
Hi everyone!
I have a question about vulnerability in C/C++! I am going to test some vulnerability scanning tools in C/C++ (Cppcheck, Flawfinder, etc.) on my dataset, and I received a lot of vulnerabilities :)
But I think a lot of the vulnerabilities are false positives!!!
How can I reduce the false positive (FP) ratio?
Hoping for your support!
Thank you for reading!