[cs631apue] Test Cases and C Vulnerabilities
Jan Schaumann
jschauma at stevens.edu
Wed Sep 2 14:54:57 EDT 2020
Charles Magyar IV <cmagyar at stevens.edu> wrote:
> https://www.thegeekstuff.com/2013/02/stack-smashing-attacks-gcc/
>
> https://wiki.osdev.org/Stack_Smashing_Protector
> http://www.sis.pitt.edu/jjoshi/courses/IS2620/Spring07/Lecture3.pdf
Those are good links, and it's a good idea to research
the options available in your tools, such as the
compiler flags. (I had hinted at additional compiler
flags when noting the '-Wall -Werror -Wextra' flags in
one of the video segments.)

The other mechanism that we'll employ to ensure we
write robust, secure code is -- and you'll get tired
of hearing me say this soon enough -- by

1) always checking all return codes of all functions
2) never trusting input from the user or the
   environment

That is, we will _always_ verify that e.g., text
provided by the user is not longer than the buffer we
try to stuff it into, or that it matches the character
set that we consider valid; we'll always verify that
if we expect a thing to be a number, it actually _is_
a number; we'll always verify that a function that was
supposed to return a valid pointer did not return NULL
etc. etc.

A lot of this is programming muscle memory, getting
into the habit of following certain patterns.

Using the tools to help detect what we missed is then
the second protection in our belt-and-suspenders
approach.
-Jan
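
The checks listed in the message above (input length against the buffer, allowed character set, "is it really a number", and checking every return value), as an added C example that is not part of the original post. The function names, the 16-byte buffer and the 1-65535 range are assumptions chosen for illustration.

```c
/* Added example, not from the original message; names and limits are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst only if it fits (including its NUL) and contains only
 * [A-Za-z0-9_-]. Returns 0 on success, -1 if the input is rejected. */
int copy_name(char *dst, size_t dstlen, const char *src)
{
	size_t n, i;
	if (dst == NULL || src == NULL)
		return -1;
	n = strlen(src);
	if (n == 0 || n >= dstlen)	/* empty, or no room for the NUL */
		return -1;
	for (i = 0; i < n; i++)
		if (!isalnum((unsigned char)src[i]) && src[i] != '_' && src[i] != '-')
			return -1;
	memcpy(dst, src, n + 1);
	return 0;
}

/* Parse s as a decimal number in [min, max]; the whole string must be the
 * number. Returns 0 and sets *out on success, -1 otherwise. */
int parse_num(const char *s, long min, long max, long *out)
{
	char *end;
	long v;
	if (s == NULL || out == NULL || isspace((unsigned char)*s))
		return -1;
	errno = 0;		/* strtol reports overflow only through errno */
	v = strtol(s, &end, 10);
	if (errno != 0 || end == s || *end != '\0' || v < min || v > max)
		return -1;
	*out = v;
	return 0;
}

int main(int argc, char **argv)
{
	char name[16];
	long port;
	if (argc != 3 || copy_name(name, sizeof(name), argv[1]) != 0 ||
	    parse_num(argv[2], 1, 65535, &port) != 0)
		return EXIT_FAILURE;
	return printf("%s:%ld\n", name, port) < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Building it with the '-Wall -Werror -Wextra' flags mentioned above keeps the compiler as the second check on whatever the code itself misses.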