Printf("Function %S Is at Address %016X\N", Name, Addr);

Home , C string handling, Printf (Unix), Printf format string

Outline

Exercise: using Unix permissions CSci 4271W Injection vulnerabilities: format strings Development of Secure Software Systems Day 9: More Unix Access Control Logistics announcements Stephen McCamant Good technical writing (pt. 1) University of Minnesota, Computer Science & Engineering More Unix permissions

Setting: files related to this class Users and groups

Student and course staff materials Users: smccaman (instructor), paul1155 (TA), Imagine everything is in Unix files on CSE Labs stude003 (student) Versus reality of a mixture of Unix with web-based Groups: csci4271staff (instructor and TA), csci4271all systems like Canvas (staff and students)

What I want from you Outline

Exercise: using Unix permissions First, think of a kind of file/directory/information that would be relevant to the class Injection vulnerabilities: format strings Then, decide on the appropriate octal permissions Logistics announcements bits, plus owner and group, that would be appropriate Then repeat with a new resource, looking for one Good technical writing (pt. 1) with different permissions bits More Unix permissions

Injection vulnerabilities printf reminder

printf (and related functions like fprintf are a Common dangerous pattern: interpreter code with convenient way to produce formatted output attacker control The format string argument contains format eval Interpreted language example: specifiers (starting with %) controlling how the other OS example: shell script injection arguments are interpreted Web examples: JavaScript (XSS), SQL injection printf("Function %s is at address %016x\n", C library example: printf format string name, addr); Variable arguments functions Format string attack

In secure code, format strings should not be under printf C has special features for functions like that external control take a varying number of arguments Common case: just constant strings Macros va_start, va_arg, etc. What malicious things can an attacker do via a Compiler can’t check type or number of arguments format string? Args will be stored on stack, for pointer access Step one: add extra integer specifiers, dump stack Already useful for information disclosure

Format string attack layout Format string attack layout

Format string attack: overwrite Practical format string challenges %n specifier: store number of chars written so far to pointer arg Attacker usually must control format as well as one Benign but uncommon use: account for length in other formatting or more arguments Writing a big value requires impractical output size Advance format arg pointer to other Workaround 1: overwrite two bytes with %hn attacker-controlled data Workaround 2: use overlapping unaligned write to control Control number of chars written with padding byte by byte Net result is a “write-what-where” primitive

Format string defenses Outline

Compilers will warn for printf that looks like it Exercise: using Unix permissions puts should just be Injection vulnerabilities: format strings Several platforms have decided to just remove %n Android Bionic, Visual Studio Logistics announcements %n Linux glibc by default will block if the format Good technical writing (pt. 1) string is writeable Major remaining use is information disclosure More Unix permissions Complete project 1 instructions posted Supplemental office hours

Provides more detail beyond previous in-class I will host another office hour after class (5:15-6:15) announcements today Available from Assignments page of public site May continue based on demand Most important reminder: initial report due Friday by Please also take advantage of Piazza, we’ll be active 11:59pm there too

Outline Writing in CS versus other writing

Exercise: using Unix permissions Key goal is accurately conveying precise technical Injection vulnerabilities: format strings information Logistics announcements More important: careful use of terminology, structured organization Good technical writing (pt. 1) Less important: writer’s personality, appeals to More Unix permissions emotion

Still important: concise expression Know your audience When technical terminology makes your point clearly, use it Don’t use long words or complicated expressions But provide definitions if a concept might be new to when simpler ones would convey the same meaning many readers Be careful to provide the right information in the definition Beneficial for both clarity and style Define at the first instead of a later use On other hand, avoid introducing too many new terms Reuse the same term when referring to the same concept

Precise explanations Provide structure Don’t say “we” do something when it’s the computer that does it Use plenty of sections and sub-sections And avoid passive constructions It’s OK to have some redundancy in previewing Don’t anthropomorphize (computers don’t “know”) structure Use singular by default so plural provides a Limit each paragraph to one concept, and not too distinction: long - The students take tests Start with a clear topic sentence + Each student takes a test + Each student takes multiple tests Outline Process UIDs and setuid(2)

Exercise: using Unix permissions UID is inherited by child processes, and an Injection vulnerabilities: format strings unprivileged process can’t change it Logistics announcements But there are syscalls root can use to change the UID, starting with setuid Good technical writing (pt. 1) E.g., login program, SSH server More Unix permissions

Setuid programs, different UIDs More different UIDs

If 04000 “setuid” bit set, newly exec’d process will Two mechanisms for temporary switching: take UID of its file owner Swap real UID and effective UID (BSD) Other side conditions, like process not traced Remember saved UID, allow switching to it (System V) Specifically the effective UID is changed, while the Modern systems support both mechanisms at the real UID is unchanged same time Shows who called you, allows switching back

Setgid, games Special case: /tmp

Setgid bit 02000 mostly analogous to setuid We’d like to allow anyone to make files in /tmp But note no supergroup, so UID 0 is still special So, everyone should have write permission Classic application: setgid games for managing But don’t want Alice deleting Bob’s files high-score files Solution: “sticky bit” 01000

Special case: group inheritance Other permission rules

When using group to manage permissions, want a Only file owner or root can change permissions whole tree to have a single group Only root can change file owner When 02000 bit set, newly created entries with chown have the parent’s group Former System V behavior: “give away ” chown (Historic BSD behavior) Setuid/gid bits cleared on Set owner first, then enable setuid Also, directories will themselves inherit 02000