Vulnerability Pattern Template

From Guidance Share

Jump to: navigation, search

Contents

Description

Vulnerability Patterns

These represent the viewpoint and perspective of the defender.

  • Contextual Causes explains the circumstances / environment in which the vulnerability applies.
  • Antipattern Solution provides examples of bad.
  • Symptoms and Consequences defines the implications of the antipattern.
  • Refactored Solution provides examples of good (with fixed vulnerabilities).
  • Benefits explains why you should avoid the antipattern.
  • Liabilities identifies any other side-effects or consequences that you should be aware of.

Template

Contextual Causes

Why do you find yourself in this predicament. This should be focussed on technology and code, not people or processes

Antipattern Solution

Show an example of bad

Symptoms and Consequences

What's the most visible manifestation of the problem?

Refactored Solution

Show an example of the bad code fixed

Benefits

Why should you care?

Liabilities

What else do you need to be aware of? Are there any side-effects?

Example

Contextual Causes

The target application is written in a language that does not provide automated memory management, buffer length checking and array bounds checking. This is most often C/C++ but could include any language that is not type safe. Furthermore, input validation is missing or there is a lack of proper input validation.


AntiPattern Solution

The most common forms are:

  • Use of an unbounded copy
char buf[1024];
strcpy(buf, s);
  • Use of a bounded copy with incorrect calculations
char buf[1024];
strncpy(buf, s, 1025);
  • Failure to null terminate a string
char srcBuf[3];
char destBuf[3];
srcBuf[0] = 'a';
strcpy(destBuf, srcBuf);
  • Copy based on size of source not destination
void myCopy(char *string)
{
  char *destBuf = new char[MY_MAX_STRING_SIZE];
  while (string != NULL)
  {
     *destBuf = *srcBuf;
     destBuf++;
     srcBuf++;
  }
}
  • Using untrusted input to allocate buffer size
void myCopy(char *srcString, int untrustworthySize)
{
  char *destBuf[untrustworthySize];
  strcpy(destBuf, srcString)
}

Also see Integer Overflow, Improper String Length Checking, Ignored Function Return Value, Use of sizeof() on a Pointer Type. Each of these vulnerabilities can lead to a buffer overflow.

Symptoms and Consequences

  • An unchecked buffer that can lead to a process crash or execution of malicious code.

Refactored Solution

  • Use of a bounded copy
char buf[BUF_SIZE];
strncpy(buf, s, BUF_SIZE);
  • Null terminate string before use
char srcBuf[3];
char destBuf[3];
srcBuf[0] = 'a';
srcBuf[1] = '\0';
strcpy(destBuf, srcBuf);
  • Copy based on size of destination buffer
void myCopy(char *string)
{
  char *destBuf = new char[MY_MAX_STRING_SIZE];
  int i = 0;
  while (string != NULL) && (i < MY_MAX_STRING_SIZE)
  {
     *destBuf = *srcBuf;
     destBuf++;
     srcBuf++;
     i++;
  }
}
  • Check memory allocation and use bounded copy
void myCopy(char *srcString, int untrustworthySize)
{
  char *destBuf[untrustworthySize];
  if (destBuf != null)
    strncpy(destBuf, srcString, untrustworthySize)
}

Benefits

  • Process stability
  • Protection from arbitrary code execution

Liabilities

Personal tools