Question

Working with strings can lead to various security flaws and errors in software development using the C++ language. What are the common string manipulation errors that can be encountered? How can these errors be resolved and/or limited? What tips can be utilized to identify security vulnerabilities related to strings in C++? Be sure to provide an appropriate source code example to illustrate your points.

Answer 1

Working with strings in C++ may lead to manipulation errors and needs to be resolved. Some of the common errors include :

• String Truncation errors - String truncation may occur while reading user input or copying a string when a destination character array is not large enough to hold the contents of a string. The following code, for example, will truncate user input exceeding 11 characters.

   #include <iostream.h>
   int main() {
   char buff[12]; 
   cin.width(12); 
   cin >> buff; 
   cout << "echo: " << buff << endl; 
   }
  In some cases, String Truncation errors may lead to loss of data, or even software vulnerabilities too.
  

• String Errors without invoking a string function - Strings in C++ are character arrays, so it is possible to perform an insecure string operation without invoking functions that are highly susceptible to error, like strcpy(), streadd(), strecpy() strcat(), gets(), and strtrns(). Consider the following code, for example , accepts a string argument, copies it to the buff character array, and prints the contents of the buff. If the first argument to the program equals or exceeds 128 characters (remember the trailing null character), the program writes outside the bounds of the fixed-size array.

   int main(int argc, char *argv[]) {
      int j = 0;
      char buff[128];
      char *arg1 = argv[1];
      while (arg1[j] != '\0' ) {
      buff[j] = arg1[j]; 
     i++;
      }
      buff[j] = '\0'; 
     printf("buff = %s\n", buff); 
   }

• Errors of Null-termination - Consider the following code, for example , the static declarations for the three character arrays (x[], y[], and z[]) fail to allocate storage for the null-termination character. As a result, the strcpy() to x writes a null character beyond the end of the array. Depending on how the compiler allocates storage, this null byte may be overwritten by the strcpy() on . If this occurs, x now points to an array of 20 characters, while y points to an array of 10 characters. The strcpy() to z fills z, causing the strcat() on it to write well beyond the bounds of the array (particularly because the terminating null byte for y is overwritten by the strcpy() to z).

   int main(int argc, char* argv[]) {
     char x[16];
     char y[16];
     char z[32];
     strcpy(x, "0123456789abcdef");
     strcpy(y, "0123456789abcdef");
     strcpy(z, x);
     strcat(z, y);
      printf("x = %s\n", x); 
     return 0; 
   }

• Unbound String copies - Unbounded string copies occur when data is copied from an unbounded source to a fixed length character array (for example, when reading from standard input into a fixed length buffer). For example, the code below reads characters from standard input using the gets() function into a fixed-length character array until a newline character is read or an end-of-file condition is encountered.

   void main(void) {
   char Pass[80]; 
   puts("Enter 8 character password:"); 
    gets(Pass);
   }

• String Vulnerabilities - Let us have a look at the Get password code section( that shows how strings are misused that pose security threats).

   bool IsPasswordOk(void) {
   char Pass[12];
   gets(Pass); 
  if (!strcmp(Pass, "good password")) 
   return(true); 
  else return(false);
    }
    void main(void) {
   bool PswrdStatus; 
   puts("Enter password:"); 
   PswrdStatus = IsPasswordOk(); 
   if (PswrdStatus == false) { 
   puts("Access denied"); 
   exit(-1); 
   } 
   else puts("Access granted"); 
   }
  The get password program starts in the main() routine. The first line executed is the puts() call that prints out a string literal . The puts() function is defined in C++ as a character i/o function, is declared in stdio.h, and writes a string to the input stream pointed to by stdin followed by a newline character ('\n'). The IsPasswordOk() function is called to retrieve a password from the user . The function returns a boolean value: true if the password is valid, false if it is not. The value of PswrdStatus is tested and access is allowed or denied.The IsPasswordOk() function uses the gets() function to read characters from the input stream (pointed to by stdin) into the array pointed to by Password until an EOF is encountered or a newline character is read. Any newline character is discarded, and a null character is written immediately after the last character read into the array. The strcmp() function defined in string.h compares the string pointed to by Password to the string literal "good password" and returns an integer value of zero if the strings are equal and a nonzero integer value if they are not. The IsPasswordOk() function returns true if the password is "good password" and the main() function consequently grants access.