OSEC

Subject: Re: static analysis
From: Antonomasia (antnotatla.demon.co.uk)
Date: Thu Jun 29 2000 - 01:32:43 CDT


On Tue, 27 Jun 2000, Jonathan Leto wrote:

> while(<>){
> if ( /sprintf\s*\(\s*[A-z0-9_]+\s*,\s*(".*?"|[A-z0-9_]+)\s*\)/ ){
> print "Woohoo, stupid programming tricks!: $_\n";
> }
> }

\w Match a "word" character (alphanumeric plus "_")
Won't [A-z] include these on ASCII systems and be uncertain elsewhere?
Oct Dec Hex Char
133 91  5B  [
134 92  5C  \ '\\'
135 93  5D  ]
136 94  5E  ^
137 95  5F  _
140 96  60  `
(I base these remarks on the man pages for perlre and ascii.)
I suppose you really want to match any non-comma for the first arg.
My scancode.plx might make a suitable framework for holding whatever
REs we think will detect this problem area - I'm starting to think about
it.

Chris Evans:

> 1) Limit some of the noise (constant strings not containing
> % as the 2nd arg)

> 2) Contain a list of violations;
> syslog, 2 args => potential violation
> snprintf, 3 args => potential violation

You might see "syslog (level,p,q);" where the format (p) can be set
by the user to have more than one conversion specification.

How about, for probably exploitable code:
    syslog, fmt=2nd arg, problem if fmt is non-constant
    sprintf, fmt=2nd arg, problem if fmt is non-constant
    snprintf, fmt=3rd arg, problem if fmt is non-constant
and for merely broken code:
    syslog, fmt=2nd arg, constant fmt over budget.

I'm wondering how closely perl starg-like behaviour might match C
starg behaviour. This might make the best way to detect
constant-fmt-over-budget conditions: reuse somebody else's thinking
in throwaway Perl code (in the gnu autoconf testing style).

--
##############################################################
# Antonomasia   antnotatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
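The two rule sets proposed in the message above (a non-constant format in the syslog/sprintf/snprintf format position as "probably exploitable", a constant format that needs more arguments than the call supplies as "merely broken") can be made concrete as a small scanner. The following is an added example written in Python for this page; it is not Antonomasia's scancode.plx and not code from Jonathan Leto or Chris Evans. The function table, the two finding names, the argument splitter and the sample C input are all constructed for the example. The splitter addresses the "match any non-comma" point: commas inside string literals and inside nested calls do not split an argument. The conversion counter treats `%%` as consuming nothing and charges one extra argument for each `*` width or precision.

```python
"""Format-string call scanner (added example, not the thread's own code).

Rule 1: format argument is not a string literal  -> "non-constant-format"
Rule 2: constant format needs more arguments than supplied -> "format-over-budget"
"""
import re
from dataclasses import dataclass

# 0-based index of the format argument (assumed table, as in the thread):
# syslog(level, fmt, ...), sprintf(buf, fmt, ...), snprintf(buf, n, fmt, ...)
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")

# One or more adjacent C string literals ("a" "b" is one constant format).
STRING_LITERAL_RE = re.compile(r'^\s*("(?:[^"\\]|\\.)*"\s*)+$')
LITERAL_BODY_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# printf-style conversion: %% or %[flags][width][.prec][length]conv.
CONV_RE = re.compile(
    r"%(?P<pct>%)|"
    r"%[-+ #0]*(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?:hh|h|ll|l|L|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn])"
)


@dataclass
class Finding:
    func: str
    line: int
    kind: str     # "non-constant-format" or "format-over-budget"
    detail: str


def split_args(src, start):
    """Split the argument list of the call whose '(' is at src[start].

    Returns (args, index just past the closing ')').  Commas inside nested
    parentheses and inside string/char literals do not split.
    """
    depth, args, cur, quote = 0, [], [], None
    i, n = start, len(src)
    while i < n:
        c = src[i]
        if quote:                              # inside a "..." or '...' literal
            cur.append(c)
            if c == "\\" and i + 1 < n:        # keep escaped char, e.g. \" or \n
                cur.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:                      # nested call: keep its paren
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    raise ValueError("unbalanced parentheses in call at offset %d" % start)


def count_conversions(fmt):
    """Variadic arguments a constant format consumes: %% takes none, every
    other conversion takes one, plus one per '*' width or precision.
    %n is charged like any other conversion."""
    needed = 0
    for m in CONV_RE.finditer(fmt):
        if m.group("pct"):
            continue
        needed += 1 + (m.group("width") == "*") + (m.group("prec") == "*")
    return needed


def scan(src):
    """Apply both rules to every recognised call in a chunk of C source."""
    findings = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        line = src.count("\n", 0, m.start()) + 1
        args, _ = split_args(src, m.end() - 1)
        if args == [""]:
            args = []
        fmt_idx = FORMAT_FUNCS[func]
        if len(args) <= fmt_idx:
            continue                           # no format position at all
        fmt = args[fmt_idx]
        supplied = len(args) - fmt_idx - 1
        if not STRING_LITERAL_RE.match(fmt):
            # Variables, macros and prototypes all land here; a macro that
            # expands to a literal is a false positive of this rule.
            findings.append(Finding(func, line, "non-constant-format", fmt))
            continue
        needed = count_conversions("".join(LITERAL_BODY_RE.findall(fmt)))
        if needed > supplied:
            findings.append(Finding(func, line, "format-over-budget",
                                    "needs %d, given %d" % (needed, supplied)))
    return findings


# Constructed sample input for the example (not code from the thread).
SAMPLE = r"""
#include <stdio.h>
#include <syslog.h>

void log_user(const char *user, const char *msg, int level, char *p, char *q)
{
    char buf[64];
    sprintf(buf, "user=%s", user);                       /* ok: 1 spec, 1 arg */
    sprintf(buf, msg);                                   /* non-constant format */
    snprintf(buf, sizeof buf, "%s: %d%%", user, level);  /* ok: %% is not a spec */
    syslog(LOG_INFO, "user=%s msg=%s", user);            /* constant, over budget */
    syslog(level, p, q);                                 /* the (level,p,q) case */
    printf("%*d %.*f\n", 4, level, 2, 3.14);             /* ok: each '*' takes an arg */
    fprintf(stderr, "done, %s\n", ",no comma trap,");    /* commas inside literals */
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("%s:%d %s: %s" % (f.func, f.line, f.kind, f.detail))
```

Run as a script it reports three findings on the sample: the `sprintf(buf, msg)` and `syslog(level, p, q)` calls under the first rule, and the `syslog(LOG_INFO, "user=%s msg=%s", user)` call under the second. A function prototype such as `int sprintf(char *, const char *, ...)` in a header is reported under the first rule too, as is a `#define`d format, so the output is a worklist rather than a verdict; a format that is under budget (more arguments than conversions) is not reported, since the message only names the over-budget case.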