New Visual C++.NET Option Tightens Buffer Security

The new /GS option in the new Microsoft Visual C++.NET compiler will help reduce the instances of exploitable buffer overruns in your Windows application code

Editor's Note: This article discusses a new feature in the Microsoft Visual C++.NET compiler, which at the time of publishing was still in beta. The features described may change before the official release of the product.




Buffer overruns are a huge security problem in the software industry, and if you have them in your code you are asking for trouble. If you're lucky, an attacker will just shut down your application with an access violation. If you're not so lucky, the attacker can inject and execute malicious code.

There are many ways to help mitigate such threats (see my Best Defense article, "Testing Buffer Overruns"), including education and peer code reviews. Now with the release of Microsoft Visual Studio.NET beta 1, Microsoft has introduced another buffer security tool for the Windows platform: Visual C++.NET's new compile-time option.



Anatomy of a Buffer Overflow
During a function call on a 32-bit Intel processor, when function A() calls function B(), the CPU must be told to return back to A() when B() completes. When A() is about to call B(), the processor places (pushes) the address of the next instruction after the call to B() onto the stack. When B() completes, it takes (pops) the return address off the stack and continues execution from that address. Any local data B() has also resides on the stack, right before the return address, and if A() passes buffer data (such as a string) to B() then it is also placed on the stack just after the return address.

The following C++ code sample is a function call that I also illustrate in Figure 1, a somewhat simplistic chart of what the stack looks like right after A() calls B():

    #include <cstdio>
    #include <cstring>

    // B() copies its argument into a fixed 16-byte local buffer with an
    // unbounded strcpy(); this is the overrun the article is describing.
    void B(const char *pcBuffer)
    {
        char cTemp[16];
        strcpy(cTemp, pcBuffer);
    }

    // A() passes a string much longer than 16 bytes to B().
    void A()
    {
        B("In a hole in the ground, there lived a Hobbit.");
        puts("We just called B()!");
    }

Figure 1. The Stack Right After Function A() Calls Function B().

Figure 2. The Property Pages Dialog Box.

The danger is that if an attacker can overflow the buffer (cTemp) by passing in an overly long pcBuffer, the attacker can overwrite the return address, so when B() returns it won't return to A(). Rather, it will return to the address the attacker just wrote onto the stack as part of the overflow. Specially crafted buffers can make B() return to the start of the cTemp buffer, which may contain malicious assembly language. The possibilities are endless for an attacker.

The best way to solve this kind of problem is to replace calls to strcpy() with calls to a somewhat more secure function such as strncat(). I outlined some of these dangerous functions in my Best Defense article "15 Tips for Secure Win32 Programming."
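As an added example (not code from the article), here is B() rewritten around a bounded copy, so an over-long pcBuffer is rejected instead of running past the end of cTemp. The helper bounded_copy() and the function B_bounded() are hypothetical names chosen for this illustration; bounded_copy() never writes more than the destination size, always leaves the destination NUL-terminated, and reports whether the whole source fit, which is the property a strcpy() replacement needs to have.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the article's code: a bounded replacement for the
   strcpy() call in B(). Writes at most dst_size bytes, always terminates
   dst (when dst_size > 0) and returns true only if all of src fit. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    size_t len = strlen(src);
    if (len >= dst_size) {
        /* Too long: keep what fits, terminate, and report truncation
           instead of silently writing past the end of dst. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);   /* len + 1 includes the terminating NUL */
    return true;
}

/* The article's B(), rewritten so that an over-long pcBuffer cannot reach
   anything beyond cTemp. Returns 1 if the input was accepted, 0 if it was
   rejected (hypothetical policy: log and refuse oversized input). */
int B_bounded(const char *pcBuffer)
{
    char cTemp[16];
    if (!bounded_copy(cTemp, sizeof cTemp, pcBuffer)) {
        fprintf(stderr, "B_bounded: %zu-byte input rejected (limit %zu)\n",
                strlen(pcBuffer), sizeof cTemp - 1);
        return 0;
    }
    puts(cTemp);
    return 1;
}

int main(void)
{
    B_bounded("Hobbit");                                         /* accepted */
    B_bounded("In a hole in the ground, there lived a Hobbit."); /* rejected */
    return 0;
}
```

Note that strncpy() alone does not give this guarantee, because it leaves the destination unterminated when the source is too long; whatever bounded routine you use, check the return status rather than assuming the copy succeeded.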

There is simply no substitute for secure programming practices, but sometimes these aren't enough. Developers are human, we make mistakes, and we leave vulnerable code in our applications sometimes. Enter the new /GS option in Visual C++.NET.

The /GS Option
The new /GS compile-time option adds special data (a cookie) to the stack between the local data and the return address. The startup code for a process or dynamic link library (DLL) determines and assigns a random value for the cookie. In the function epilog (the code that runs as the function returns), compiler-generated code checks the cookie; if it has changed, it calls a default error handler function that halts the process. Stopping the application is better than risking an attack. Setting this option is simple; just follow these steps from within your Visual C++.NET project:

  1. Open the project's Property Pages dialog box (see Figure 2).
  2. Click the C/C++ folder.
  3. Click the Code Generation property page.
  4. Set the Buffer Security Check property to Yes (/GS).
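To make the cookie mechanism concrete, here is an added example that models the frame layout the article describes (local buffer, then cookie, then return address) in an ordinary C struct and runs the epilog check over it. This is an illustration written for this page, not Microsoft's /GS implementation: the names frame_model, init_security_cookie(), frame_enter(), frame_cookie_intact() and model_call_B() are all hypothetical, the return address is a constructed sample value, and nothing here touches the real stack. The modelled copy is clipped to the frame so the program stays within defined behaviour, but an input longer than the local buffer still spills into the cookie and return-address fields, which is exactly what the epilog check exists to catch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not Microsoft's /GS code: a model of the frame layout the
   article describes, used to show how the epilog cookie check detects an
   overrun. Everything lives in this struct, not on the real stack. */
#define LOCAL_SIZE 16

struct frame_model {
    char     local[LOCAL_SIZE];  /* B()'s cTemp[16]                        */
    uint32_t cookie;             /* the /GS cookie, placed just above it    */
    uint32_t return_address;     /* where B() would return to (modelled)    */
};

/* Process-wide cookie value, assigned once at "startup" (hypothetical). */
static uint32_t g_security_cookie;

void init_security_cookie(uint32_t entropy)
{
    /* A real /GS startup routine derives this from system entropy; here the
       caller supplies a seed and a fixed fallback keeps it non-zero. */
    g_security_cookie = entropy ? entropy : 0xBB40E64Eu;
}

/* Prolog: store the cookie between the local buffer and the return address. */
void frame_enter(struct frame_model *f, uint32_t return_address)
{
    memset(f->local, 0, sizeof f->local);
    f->cookie = g_security_cookie;
    f->return_address = return_address;
}

/* Epilog check: the cookie must still equal the process-wide value. */
bool frame_cookie_intact(const struct frame_model *f)
{
    return f->cookie == g_security_cookie;
}

/* Model of B()'s unchecked strcpy(): the copy starts at local[] (offset 0)
   and is clipped to the frame so the simulation stays defined, but an
   over-long input still overwrites the cookie and return-address fields. */
void model_unchecked_copy(struct frame_model *f, const char *pcBuffer)
{
    size_t n = strlen(pcBuffer) + 1;        /* include the terminating NUL */
    if (n > sizeof *f) {
        n = sizeof *f;
    }
    memcpy(f, pcBuffer, n);
}

enum frame_outcome { FRAME_RETURNED_NORMALLY = 0, FRAME_COOKIE_CORRUPTED = 1 };

/* One modelled call of B(): prolog, unchecked copy, epilog check. The frame
   is copied to *out (if non-NULL) so a caller can inspect what happened. */
enum frame_outcome model_call_B(const char *pcBuffer, struct frame_model *out)
{
    struct frame_model f;
    const uint32_t saved_return = 0x00401000u; /* constructed sample address */

    frame_enter(&f, saved_return);
    model_unchecked_copy(&f, pcBuffer);

    if (out) {
        *out = f;
    }
    if (!frame_cookie_intact(&f)) {
        /* /GS would call its error handler and halt the process here. */
        return FRAME_COOKIE_CORRUPTED;
    }
    return FRAME_RETURNED_NORMALLY;
}

int main(void)
{
    init_security_cookie((uint32_t)time(NULL));
    const char *inputs[] = {
        "Hobbit",
        "In a hole in the ground, there lived a Hobbit.",
    };
    for (size_t i = 0; i < 2; i++) {
        enum frame_outcome r = model_call_B(inputs[i], NULL);
        printf("%-48s -> %s\n", inputs[i],
               r == FRAME_RETURNED_NORMALLY ? "cookie intact, normal return"
                                            : "cookie corrupted, process halted");
    }
    return 0;
}
```

The short input leaves the cookie and return address untouched and the check passes; the article's 47-character string fills local[], runs on through the cookie and into the return address, and the epilog check reports the corruption before the bad return address could ever be used. That is also the limit of the technique: the check runs only at function exit, so it is a backstop for mistakes like the strcpy() in B(), not a replacement for bounded copies.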
