Skip to content
August 14, 2013 / Jared DeMott

Is Auditing C/C++ Different Nowadays?

C/C++ has been around for a long time.  As you may know, it has issues; lots of them.  And we can’t be rid of it; it’s still being used all the time in the creation of new software.  But over time, have we gotten better at writing and auditing it?  If so, are there newer bug types and patterns that we should now be looking for?

Answer: it depends.  Many of the bugs from yester-year still exist in code, particularly older or immature code like SCADA, ICS, telematics, etc.  Their secure software development lifecycle needs to catch up to desktop maturity.  Speaking of which, most new C/C++ that is being written for mainstream, desktop-like systems is very complex: kernels, browsers, virtulizers, etc.  And yes, there are new bug patterns to be found there.

The strcpys of yesterday won’t likely be found, and even if they were, exploiting them would be difficult with today’s protections.  What today’s attacker needs is a bug that will give each of the three primary exploit primitives: read/write/execute.  The read is used to leak information, often addresses related to the start of data structures and code modules.  The write is often used to “update” objects, including function pointers.  And of course, the execute redirection often begins with a stack pivot, ROP payload, shellcode, and maybe even sandbox escapes.  Wow.  Do such bugs exist?  Yup.

I’ll be presenting a talk on this subject September 13th at GrrCon and again September 28th at DerbyCon.  The talk begins with a background on yesterday’s bugs.  Next it describes todays bugs, like use-after-free and type confusion.  Code examples of bugs and fixes will be presented.  The talk concludes with trends and thoughts on mitigations. Hope to see you there!

2 Comments

Leave a Comment
  1. Jared DeMott / Oct 3 2013 7:24 am

    BTW, the video for the DerbyCon talk is at: http://www.irongeek.com/i.php?page=videos/derbycon3/3203-jared-demott-is-auditing-cc-different-nowadays

    I’ll also be talking about this on pauldotcom tonight at 6pm EST

Trackbacks

  1. Hey Adobe, hackers have access to your Source Code! | Bromium Labs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: