Secure C and the universities - trained for buffer overflow

Question

I recently finished a university course in C. Therefore I lack experience, of course.

Some universities tend to teach their students secure programming, or at least some elements. There's even a video (taken from here).

Being in C, copying strings, requires - as far as I know - strcpy or string.h functions. How do you use it securely in every-day programming? Do you have some functions, which handle allocation to prevent buffer overflows? There's the CERT secure coding standard for C. It's offering examples and compliant solutions:

int main(int argc, char *argv[]) {
  /* ... */
  char prog_name[128];
  strcpy(prog_name, argv[0]);
  /* ... */
}

And their alternative is:

int main(int argc, char *argv[]) {
  /* ... */
  char *prog_name = (char *)malloc(strlen(argv[0])+1);
  if (prog_name != NULL) {
    strcpy(prog_name, argv[0]);
  }
  else {
    /* Couldn't get the memory - recover */
  }
  /* ... */
}

Taken from here, 2nd example.

But as far as I get it that's just more challenging, more code, more work. Why does no one change the library itself? Or at least why does no one provide a secure alternative library or functions, which handle this in the right way?

Thanks for reading, wishi

hi is there any more videos on programming from harvard

yesraaj
– yesraaj

2009-01-27 11:20:42 +00:00
Commented Jan 27, 2009 at 11:20 — yesraaj
– yesraaj, Commented Jan 27, 2009 at 11:20

sth · Accepted Answer · 2009-01-27 11:25:55Z

9

The Posix function for this (available on nearly every system) is strdup(). strcpy() is used if you don't want to allocate new memory and already have a buffer you want to use, but then you better known how big that buffer is and if the string fits in it. If you don't know if the string fits, there is strncpy() that just copies a given number of characters. So you can limit the copied amount to your buffers size.

And besides of that, there are lots of sting libraries that manage string sizes in different ways.

And since you tagged it C++: There is std::string that does all the memory management for you and doesn't give you these problems.

answered Jan 27, 2009 at 11:25

sth

231k56 gold badges288 silver badges370 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

user14554 · Accepted Answer · 2009-01-27 13:27:22Z

2

the l (strlcpy, strlcat) functions from OpenBSD are usually better than the n functions, they are both faster and easier to use securely, but they are nonstandard. However, they are BSD licensed so you can include a known good implementation in any program so you can be both cross platform and secure.

For Windows, if you don't care about portability, you can use *_s functions.

answered Jan 27, 2009 at 13:27

user14554

2 Comments

oz10 Over a year ago

Better than the n functions how?

benno Over a year ago

As described here: gratisoft.us/todd/papers/strlcpy.html There is still a lot of work to use the 'n functions' effectively.

David Schmitt · Accepted Answer · 2009-01-27 13:28:58Z

2

Use strncpy:

#define BUFSIZE 127
int main(int argc, char *argv[]) {
  /* ... */
  char prog_name[BUFSIZE + 1];
  strncpy(prog_name, argv[0], BUFSIZE);
  progname[BUFSIZE]= '\0';
  /* ... */
}

There are *n* versions for most str* functions.

edited Jan 27, 2009 at 13:28

answered Jan 27, 2009 at 11:27

David Schmitt

59.5k27 gold badges124 silver badges165 bronze badges

1 Comment

Toon Krijthe Over a year ago

Better use BUFSIZE as the length and allocate BUFSiZE + 1 ;-).

Uri · Accepted Answer · 2009-01-29 00:02:09Z

If I understand correctly, your real question is why the API functions are not made more secure.

One reason reason is that C library is legacy (too late to change it now).

The main reason, however, is that the library is designed to be minimalistic, so that it does the bare minimum and it is the user's responsibility to ensure that it is called correctly. If it was doing any excessive checks, then a price would be paid every time it is called, even if the user can assure for other reasons that no problem is going to occur. This is very very common in many APIs.

That being said, there are enough libraries that provide safer alternatives, they're just not part of the standard library. Also, many people who do higher level stuff work with C++, that has standard class libraries for many of those things.

OregonGhost · Accepted Answer · 2009-01-27 11:19:32Z

0

Actually, Microsoft did provide secure alternatives to the CRT functions. Everybody I know hates them though and disables the warning that you shouldn't use the old functions. If you want something secure, maybe you should use C++. And then either STL strings or something like Qt.

Well, or you go to platforms like .NET or Java, which usually doesn't suffer from these problems (your app might crash, but no way to inject code into your app through a buffer overflow).

Edit: With Data Execution Prevention / NX enabled (default for Vista and .NET), this shouldn't be a problem for traditional platforms as well.

answered Jan 27, 2009 at 11:19

OregonGhost

23.8k7 gold badges76 silver badges109 bronze badges

5 Comments

Thomas Owens Over a year ago

Using C++ does not magically stop all buffer overflows and the problems they cause.

MSalters Over a year ago

Having strdup avaialble doesn't stop buffer overflows either, when people continue to use malloc/strcpy with fixed lengths. C++ offers, but does not enforce alternatives. Code reviews - which you need anyway - can enforce the use of those alternatives.

OregonGhost Over a year ago

@Thomas: I meant what MSalters wrote. C++ offers many secure alternatives to the plain old CRT functions, and that alone is in my opinion a reason to switch.

OregonGhost Over a year ago

@Longpoke: I meant to say that DEP/NX protects you from code injection via buffer overflow, just like managed platforms do anyway. I did not say that DEP/NX prevent buffer overflows in general.

L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳ Over a year ago

DEP/NX are mitigation at best. They have been bypassed before, and even when you can't bypass them, there are other things you can do like setting up a call to an arbitrary function on the stack.

EvilTeach · Accepted Answer · 2009-01-27 21:37:32Z

0

int main
(
    int argc, 
    char *argV[]
) 
{
   char prog_name[128];
   if (strlen(argV[0]) < sizeof(prog_name))
   {
       strcpy(prog_name, argV[0]);
   }
   else
   {
       printf("%s is too large for the internal buffer\n", argV[0]);
   }

   return 0;
}

edited Jan 27, 2009 at 21:37

answered Jan 27, 2009 at 15:09

EvilTeach

29k21 gold badges89 silver badges144 bronze badges

1 Comment

unwind Over a year ago

Pet peeve: ditch the parens, sizeof is an operator and not a function. Parens are used for types, and are part of the argument to sizeof, which is "cast-like" in appearance.

Community · Accepted Answer · 2017-05-23 12:19:32Z

0

Maybe you would find useful reading answers to this question

edited May 23, 2017 at 12:19

CommunityBot

11 silver badge

answered Jan 28, 2009 at 23:45

kliketa

1,2763 gold badges17 silver badges23 bronze badges

Collectives™ on Stack Overflow

Secure C and the universities - trained for buffer overflow

7 Answers 7

Comments

2 Comments

1 Comment

Comments

5 Comments

1 Comment

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

7 Answers 7

Comments

2 Comments

1 Comment

Comments

5 Comments

1 Comment

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related