5299665 2000-07-25  21:24  /40 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <11910>
Kommentar till text 5296113 av Brevbäraren (som är implementerad i) Python
Ärende: Re: Chasing bugs / vulnerabilties
------------------------------------------------------------
From: Kurt Seifried <listuser@SEIFRIED.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <001501bff5d3$a1d293e0$6900030a@seifried.org>

Amen.
[snipsnip]

> Both white box (known source and specifications) and black box (using
> documetation for software without knowing the internals) testing should be
> carried out - by individuals separate and apart from the coders.
>
> Try the UNIX Fuzz experiment, first conducted at the University of
Wisconsin
> on multiple UNIX operating systems and when tried again several years
later
> revealed only slightly better results (the Fuzz experiment throws garbage
> input on the command line into a program and tests the response).   We
> (check out
> http://www.cerias.purdue.edu/coast/ms_penetration_testing/v11.html) tried
> the same experiment on WinNT with 'interesting' results.

Fuzz for Linux:
http://fuzz.sourceforge.net/

Secure programming documentation and software (several links).
http://www.securityportal.com/lskb/articles/kben10000082.html

ITS4
http://www.rstcorp.com/its4/

SLINT
http://www.l0pht.com/products.html#SLINT

> Michael S Hines, CISA,CIA,CFE,CDP         | Phone 765.494.5338

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
(5299665) ------------------------------------------

5299712 2000-07-25  21:54  /36 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <11912>
Ärende: Don't change C conventions; fix programmers instead
------------------------------------------------------------
From: jsl2@JEDITECH.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.10.10007251108230.1343-100000@stargazer.jeditech.com>

...

My two cents regarding the discussion of changing the C
varargs/stdarg calling convention: it's a waste of time - we should
be teaching proper programming techniques instead.

1. There are other languages that provide strict type checking: C++,
Java, etc. With the use of C++ iostream, one doesn't need varargs for
printf() and friends. "Ease of use" of iostream, etc. is not for
debate here - point is there are alternatives.

2. How long do we think it'll take before varargs supplement will
take to ratify? For the compiler vendors to implement? and more
important, to IMPLEMENT CORRECTLY? Do we want to take a chance this
may introduce compiler bugs that could result in security problems?

3. The effort to "fix" varargs will solve ONE class of problems for
ONE language. It doesn't fix buffer overflows; it doesn't fix numeric
over/underflows; it doesn't remove dangerous chars from URLs (well,
in some circumstances maybe it can)

IMHO the effort should focused on teaching people how to write
defensive programs; how to validate user input; and why the details
matter. These topics are just as important as data
structures. Needless to say, the proper techniques (and a dose of
paranoia) will carry across languages.

Don't waste time inventing crutches - time to flog the luser
programmers. :=)

Regards,
-James
(5299712) ------------------------------------------(Ombruten)

5303603 2000-07-26  20:43  /112 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <11932>
Ärende: Poor man's solution to format bugs
------------------------------------------------------------
From: Mike Frantzen <frantzen@EXPERT.CC.PURDUE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200007260031.TAA27965@expert.cc.purdue.edu>

/*
 * This is a kludgy example of a source level workaround to the now
 * infamous format bugs.  It should work for newer versions of gcc.  Older
 * versions should work as well but you can use recursive macros.
 *
 * It uses a set of variable arguement macros to wrap variable arguement
 * functions.  It counts the number of arguements and passes the count
 * to a wrapper function.  Now it has a count of the passed arguements.
 *
 * It should be relatively easy to apply the technique to other vulnerable
 * functions.  Care would have to be taken in multithreaded programs to
 * use a thread specific data.
 * Stick the macros into the standard include's and a slight hack to LD_PRELOAD
 * or libc.  Those of us who are not Theo get some semblance of protection ;)
 *
 * I'm sure someone with more sleep will improve on the concept.
 *
 * See the gcc info pages for an explaination of variable arguement macros.
 * I'm too tired to explain them.  You may want to run 'gcc -E' against it
 * to see how they expand.
 *
 * gcc -v
 * Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.7/2.95.2/specs
 * gcc version 2.95.2 19991024 (release)
 *
 * Program output:
 *  none
 *  one 1
 *  two 1 2
 *  three 1 2 3
 *  Aiieee.  Arguement count mismatch of 1.
 *  Aiieee.  Arguement count mismatch of -1.
 *
 *
 * As always, pardon the spelling errors.  Bad english is by native language.
 * See you all at defcon.
 */


#include <stdio.h>
#include <stdio.h>
#include <varargs.h>


/* Could stick this stuff into an include file */
#define printf                  mikes_print(&cnt, print0

#define print0(x, args...)      x ,print1(## args)
#define print1(x, args...)      x+(++cnt-cnt) ,print2(## args)
#define print2(x, args...)      x+(++cnt-cnt) ,print3(## args)
#define print3(x, args...)      x+(++cnt-cnt) ,print4(## args)
#define print4(x, args...)      x+(++cnt-cnt) ,print5(## args)
#define print5(x, args...)      x+(++cnt-cnt) ,print6(## args)
#define print6(x, args...)      x+(++cnt-cnt) ,print7(## args)
#define print7(x, args...)      x+(++cnt-cnt) ,print8(## args)
#define print8(x, args...)      x+(++cnt-cnt) ,print9(## args)
#define print9(x, args...)      Need_to_make_more_print_statements
/* END include stuff */


void mikes_print(int *args, char *format, ...);

/* Arguement counter */
int cnt = 0;

int main(void)
{

  printf("none\n");
  printf("one %d\n", 1);
  printf("two %d %d\n", 1, 2);
  printf("three %d %d %d\n", 1, 2, 3);
  printf("explode %x %n %p\n", 1, 2, 3, 4);
  printf("explode %d %p %n %d %d\n", 1, 2, 3, 4);

  return 0;
}


/*
 * Simply counts the % tokens in the function.
 * Bomb out if they don't match *args.
 */
void mikes_print(int *args, char *format, ...)
{
  va_list ap;
  char *rptr;

  for (rptr = format; *rptr; rptr++)
    if (*rptr == '%')
      if (*++rptr != '%')
        (*args)--;

  if (*args) {
    fprintf(stderr, "Aiieee.  Arguement count mismatch of %d.\n", *args);
    *args = 0;
    return;
  }

  /* Must turn counter back to 0 */
  *args = 0;

  va_start(ap);
  vprintf(format, ap);
  va_end(ap);
}
(5303603) ------------------------------------------