Failure to handle errors correctly


Intro
Many security risks arise when programmers fail to handle error conditions correctly:
The program can end up in an insecure state.
The application can die: denial of service (DoS). In C#, Ruby, Python and Java this happens through an unhandled exception. Crashing, aborting, or restarting in server code can be a serious problem.
A common source of these problems is code "cut & paste".

CWE references
CWE-81: Failure to Sanitize Directives in an Error Message Web Page
CWE-388: Error Handling
CWE-209: Error Message Information Leak
CWE-390: Detection of Error Condition Without Action
CWE-252: Unchecked Return Value

Affected languages: ASP, PHP, C, C++, C#, Ruby, Python, VB.NET, Java.

The flaw explained…
Yielding too much information
Ignoring errors
Misinterpreting errors
Using useless return values
Using non-error return values

… The flaw explained…
Yielding too much information: an error occurs and the program tells the user exactly what happened and how to fix it.
Ignoring errors: some return values are informational or optional (the return value of printf() is very rarely checked). Others are not. The Windows impersonation functions ImpersonateSelf(), ImpersonateLoggedOnUser() and SetThreadToken() can fail, and when they do the thread still has the identity associated with the process token: a privilege elevation bug. Call fopen() and it fails (no such file, file locked, access denied): if you don't handle the error, the following calls to fwrite() or fread() fail too, a DoS.

Windows Impersonation Mechanism In distributed systems, it is typical for one server to call another server to accomplish a task for a client. This functionality is called impersonation. To handle these requests for a client, the server must be given the authority to do so. The ability to call other servers while impersonating the original client is called delegation. Through impersonation, a thread runs in a security context that is different from the context of the process that owns the thread. When a server thread runs in the security context of the client, it uses an access token that represents the client credentials in order to obtain access to the objects to which the client has access. This provides the ability for a thread to run by using different security information from the process that owns the thread. Typically, a thread in a server application impersonates a client. This impersonation allows the server thread to act for that client in order to access objects on the server or validate access to the client objects. The following diagram shows the impersonation process. A client makes a request to server A. If server A must query server B to complete the request, server A impersonates the client security context and makes the request to server B for the client. Server B uses the security context of the original client, instead of the security identity for server A, to determine whether to complete the task.

… The flaw explained…
Misinterpreting errors: some exceptions, such as NullPointerException, should not be caught at all, and in some cases the programmer does not catch the exception correctly and simply forces the program to quit, a DoS.
Misinterpreting errors: recv() returns three kinds of value: the length of the message in bytes; 0 if no messages are available and the peer has performed an orderly shutdown; otherwise -1, with errno set to indicate the error.
malloc(): if the size argument is 0 it allocates a zero-length item and returns a valid pointer to that item; if the size argument is > 0 and there isn't enough memory available it returns NULL.
realloc(): if the size argument is 0, the block pointed to by the memblock argument is freed and the return value is NULL; if the size argument is > 0 and there isn't enough memory available, realloc() returns NULL.
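The recv() and realloc() contracts above, carried into working code as an added example (not from the slides): recv_exact() keeps the three recv() outcomes distinct and retries only on EINTR, and grow_buffer() keeps the old block when realloc() fails and refuses a size of 0, whose NULL result would be indistinguishable from failure. The socketpair in demo_recv() is constructed test input standing in for a network connection.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum recv_status { RECV_OK = 0, RECV_CLOSED = 1, RECV_ERROR = -1 };

/* Read exactly len bytes. recv() has three outcomes: a byte count, 0 when
 * the peer shut down cleanly, or -1 with errno set. Each is kept distinct
 * instead of being treated as "did not get what I asked for". */
enum recv_status recv_exact(int fd, void *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = recv(fd, (char *)buf + got, len - got, 0);
        if (n > 0) got += (size_t)n;            /* partial read: keep going */
        else if (n == 0) return RECV_CLOSED;    /* orderly shutdown, not an error */
        else if (errno == EINTR) continue;      /* interrupted by a signal: retry */
        else return RECV_ERROR;                 /* real failure, errno says why */
    }
    return RECV_OK;
}

/* realloc() returns NULL on failure but leaves the old block intact, so
 * "p = realloc(p, n)" leaks it. A size of 0 is rejected up front because
 * realloc(p, 0) may free p and return NULL, which is indistinguishable
 * from failure. */
int grow_buffer(char **buf, size_t *cap, size_t new_cap) {
    if (new_cap == 0 || new_cap <= *cap) return -1;
    char *tmp = realloc(*buf, new_cap);
    if (tmp == NULL) return -1;                 /* *buf is still valid */
    *buf = tmp;
    *cap = new_cap;
    return 0;
}

/* Demo on a constructed socketpair: returns 1 when both the data and the
 * peer's orderly shutdown are reported correctly. */
int demo_recv(void) {
    int sv[2];
    char msg[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    if (send(sv[1], "hello", 5, 0) != 5) return 0;
    close(sv[1]);                               /* peer closes cleanly */
    enum recv_status a = recv_exact(sv[0], msg, 5);
    enum recv_status b = recv_exact(sv[0], msg, 1);
    close(sv[0]);
    return a == RECV_OK && b == RECV_CLOSED && memcmp(msg, "hello", 5) == 0;
}
```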

… The flaw explained
Using useless return values: some of the C standard library functions are simply dangerous. strncpy() returns no useful value, just a pointer to the destination buffer regardless of the state of that buffer. If the call leads to a buffer overrun, the return value points to the start of the overflowed buffer!
Using non-error return values: MulDiv() (Windows) allowed programmers to do a little 64-bit math before 64-bit integers were available:
    int result = ((long long)x * (long long)y) / z;
The function returns -1 on error, but -1 could also be a legitimate result.

Sinful C/C++…
The developer is checking the return from a function that yields a completely useless value. The return from strncpy() is a pointer to the start of the destination buffer; it's of little use, but it allows chaining of function calls. Assume there is no buffer overrun along the way.
    char dest[19];
    char *p = strncpy(dest, szSomeLongDataFromAHaxOr, 19);
    if (p) {
        // everything worked fine, party on dest or p
    }
The programmer is expecting NULL on error. Oops!
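An added example (not from the slides) covering both the strncpy() and the MulDiv() points of the last two slides: muldiv_sinful() mirrors the -1-on-error contract, so a legitimate quotient of -1 collides with the error value; muldiv_checked() separates status from value; and copy_checked() replaces the useless strncpy() pointer with an explicit truncation result while always terminating dest. The function names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Shape of the MulDiv() problem: -1 means "error", but -1 is also a valid
 * quotient, so the caller cannot tell (-2 * 1) / 2 from a divide by zero. */
int32_t muldiv_sinful(int32_t x, int32_t y, int32_t z) {
    if (z == 0) return -1;
    int64_t r = ((int64_t)x * (int64_t)y) / z;
    if (r > INT32_MAX || r < INT32_MIN) return -1;   /* result overflowed */
    return (int32_t)r;
}

/* Status and value travel separately, so the arithmetic can never collide
 * with the error signal. */
bool muldiv_checked(int32_t x, int32_t y, int32_t z, int32_t *out) {
    if (out == NULL || z == 0) return false;
    int64_t r = ((int64_t)x * (int64_t)y) / z;
    if (r > INT32_MAX || r < INT32_MIN) return false;
    *out = (int32_t)r;
    return true;
}

/* strncpy() only hands back the destination pointer and does not NUL-terminate
 * when the source is too long, so "if (p)" learns nothing. This wrapper reports
 * truncation explicitly and always leaves dest terminated. */
int copy_checked(char *dest, size_t dest_size, const char *src) {
    if (dest == NULL || src == NULL || dest_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dest_size) {
        memcpy(dest, src, dest_size - 1);   /* copy what fits ... */
        dest[dest_size - 1] = '\0';         /* ... and terminate */
        return 1;                           /* truncated: caller must decide */
    }
    memcpy(dest, src, n + 1);
    return 0;
}
```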

… Sinful C/C++…
A common mistake: the code checks the return value, but only in an assert, which goes away once you no longer build with the debug option.
    #include <assert.h>
    #include <stdio.h>
    #include <string.h>

    DWORD OpenFileContents(char *szFileName) {
        assert(szFileName != NULL);
        assert(strlen(szFileName) > 3);
        FILE *f = fopen(szFileName, "r");
        assert(f);                 // in a release build, f is never checked
        // Do work on the file
        return 1;
    }

…Sinful C/C++ (on Windows)
Windows includes impersonation functions that may fail. Windows Server 2003 grants the impersonation privilege only to specific accounts such as the service accounts (Local System, Local Service, Network Service) and administrators, so your code could simply fail when it calls an impersonation function:
    ImpersonateNamedPipeClient(hPipe);
    DeleteFile(szFileName);
    RevertToSelf();
If the process is running as Local System and the user calling the code is a low-privileged user, the call to DeleteFile() may fail because the user has no access to the file. But if the impersonation function fails, the thread is still executing in the context of the process, Local System, which probably can delete the file (on behalf of a LOW-PRIVILEGED USER!).

Spotting the sin during code reviews
Verify the correctness of every call that ignores the return value of a function with a non-void return type. The best way to find this sin is through code review.

Redemption Steps…
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>

    DWORD OpenFileContents(char *szFileName) {
        if (szFileName == NULL || strlen(szFileName) <= 3)
            return ERROR_BAD_ARGUMENTS;
        FILE *f = fopen(szFileName, "r");
        if (f == NULL)
            return ERROR_FILE_NOT_FOUND;
        // Do work on the file
        fclose(f);
        return 1;                  // success, as in the sinful version
    }

Resources
Code Complete, Second Edition by Steve McConnell (Microsoft Press, 2004)
Linux Kernel mremap() Missing Return Value Checking Privilege Escalation: www.osvdb.org/displayculn.php?osvdb_id=3986