IMPLEMENTATION
上传用户:ig0539
上传日期:2022-05-21
资源大小:181k
文件大小:2k
- This document details a few steps and decisions taken to ensure vsftpd is free
- of common implementation flaws.
- Tackling the buffer overflow
- ============================
- Probably the most common implementation flaw causing security problems is the
- buffer overflow. Buffer overflows come in many shapes and sizes - overflows
- onto the stack, overflows off the end of dynamically malloc()'ed areas,
- overflows into static data areas. They range from easy to spot (where a user
- can put an arbitrary length string into a fixed size buffer), to very
- difficult to spot - buffer size miscalculations or single byte overflows. Or
- convoluted code where the buffer's definition and various usages are far
- apart.
- The problem is that people insist on replicating buffer size handling code
- and buffer size security checks many times (or, of course, they omit size
- checks altogther). It is little surprise, then, that sometimes errors creep
- in to the checks.
- The correct solution is to hide the buffer handling code behind an API. All
- buffer allocating, copying, size calculations, extending, etc. are done by
- a single piece of generic code. The size security checks need to be written
- once. You can concentrate on getting this one instance of code correct.
- From the client's point of view, they are no longer dealing with a buffer. The
- buffer is encapsulated within the buffer API. All modifications to the buffer
- safely go through the API. If this sounds familiar, it is because what vsftpd
- implements is very similar to a C++ string class. You can do OO programming
- in C too, you know ;-)
- A key point of having the buffer API in place is that it is MORE DIFFICULT to
- abuse the API than it is to use it properly. Try and create a buffer memory
- corruption or overflow scenario using just the buffer API.
- Unfortunately, secure string/buffer usage through a common API has not caught
- on much, despite the benefits it brings. Is it under publicised as a solution?
- Or do people have too much sentimental attachment to strcpy(), strlen(),
- malloc(), strcat() etc? Of notable exception, it is my understanding that at
- least the rather secure qmail program uses secure buffer handling, and I'd
- expect that to extend to all Dan Bernstein software. (Let me know of other good
- examples).