dangling pointers and security


Aravind

I would like to know in what manner dangling pointers affect the
security of an application developed using C++. What are the loopholes
that are created by dangling pointers, and how could they be exploited
by hackers?

Aravind
 

Karl Heinz Buchegger

Aravind said:
I would like to know in what manner dangling pointers affect the
security of an application developed using C++. What are the loopholes
that are created by dangling pointers, and how could they be exploited
by hackers?

Do you have any idea what 'dangling pointers' are?
 

JKop

Aravind posted:
I would like to know in what manner dangling pointers affect the
security of an application developed using C++. What are the loopholes
that are created by dangling pointers, and how could they be exploited
by hackers?

Aravind


You are way way wayyyyyyyy off!


First, what do hackers do? They access computers and networks via the
Internet and do things that you don't want them to do.

How do you stop them? Don't give them the ability in the first place!


Sounds simple? So why do people get "hacked"? Mainly because Microsoft is
stupid; it enables things like "file sharing" and "printer sharing" via the
internet protocol TCP/IP. Hackers exploit the ability *that has explicitly
been given to them*.


Now, dangling pointers:


int* pChocolate = new int;
delete pChocolate;
*pChocolate = 5;


That's what a dangling pointer is, and as you can see, it has nothing at all
whatsoever to do with hacking and/or hackers.


Hope that helps.


-JKop
 

Rolf Magnus

JKop said:
First, what do hackers do? They access computers and networks via the
Internet and do things that you don't want them to do.

Actually, they don't. That's what the media made out of the word
"hacker". A hacker is actually just a programmer who is good at
programming and who likes it.
 

Thomas Matthews

Rolf said:
JKop wrote:

Actually, they don't. That's what the media made out of the word
"hacker". A hacker is actually just a programmer who is good at
programming and who likes it.

My understanding (or definition) of hacker is one who attempts
a task without reading or finding out how to do it first.

When I was growing up, hackers would figure out how to log into
other computers and browse. No malicious intent, just bragging
rights. Other hackers would attempt to write editors starting
from the bottom up without any pre-design.

At some point in time, hacker was designated with a negative
connotation. This was due to the few who were malicious.
Now, the malicious ones are hired by "The Dark Side" for
"evil purposes".

So much for being able to play "Global Thermonuclear War"
on the "Wombat" computer. "Want to play a game?"

--
Thomas Matthews

C++ newsgroup welcome message:
http://www.slack.net/~shiva/welcome.txt
C++ Faq: http://www.parashift.com/c++-faq-lite
C Faq: http://www.eskimo.com/~scs/c-faq/top.html
alt.comp.lang.learn.c-c++ faq:
http://www.raos.demon.uk/acllc-c++/faq.html
Other sites:
http://www.josuttis.com -- C++ STL Library book
 

Rolf Magnus

Thomas said:
My understanding (or definition) of hacker is one who attempts
a task without reading or finding out how to do it first.

When I was growing up, hackers would figure out how to log into
other computers and browse. No malicious intent, just bragging
rights. Other hackers would attempt to write editors starting
from the bottom up without any pre-design.

Yes, something like that. For doing that, you would need to be very good
at programming and also like it, so it's more or less consistent with
my definition. I just couldn't put it in words as well as you could.
At some point in time, hacker was designated with a negative
connotation. This was due to the few who were malicious.
Now, the malicious ones are hired by "The Dark Side" for
"evil purposes".

And now, most people only know those malicious ones, because they are in
the media, and movies and novels are written about them.
Only a few people would realize that the "Linux Kernel Hacker's Guide" is
not about breaking into Linux systems.
 

Mark A. Gibbs

the definition of hacker i've always known is someone who does something
unorthodox and/or inelegant, just to get something done. bypassing
passwords to enter a secure area is a little unorthodox, so the
definition extends to cover that group.
Yes, something like that. For doing that, you would need to be very good
at programming and also like it, so it's more or less consistent with
my definition. I just couldn't put it in words as well as you could.

i agree except that you don't necessarily *need* to be good at
programming (or even fond of it) to hack a working program together. it
would probably be a mess, and an embarrassment to any professional
programmer with dignity, but it would work.

that said, the best hackers would tend to be ones who are very good,
because they would be the ones thinking outside the box.

to me, a hacker is someone who "just gets it done, and damn the
torpedoes". that doesn't necessarily imply competence or enjoyment,
although there will be a high degree of correlation. hacker is a kind of
play derogatory, too. both a hacker and a very good programmer may get a
job done, but only the good programmer should be proud of his work.
And now, most people only know those malicious ones, because they are in
the media, and movies and novels are written about them.
Only a few people would realize that the "Linux Kernel Hacker's Guide" is
not about breaking into Linux systems.

there's a whole subculture with its own parlance and jargon that
differentiates between hacker, crackers, phreakers, sneakers and so on.
i don't know all the subtleties of it, but i believe that the kind of
person who breaks into things is a cracker. they may or may not have
hacked their way in, depending on the elegance of the method, but in the
end, the result is that they've cracked the system - not "hacked" the
system.

bonus points for obscure pop culture reference ^_^

for the record, i have never heard of any instance when a dangling
pointer caused a security issue - and i have no idea how one could be
(except by a monumental fluke, and even then, it would likely not be a
deterministically reproducible problem). crashes, yes. odd behaviour,
yes. buffer overruns on the other hand....

mark
 

Steven T. Hatton

Thomas said:
My understanding (or definition) of hacker is one who attempts
a task without reading or finding out how to do it first.

http://www.xemacs.org/Documentation/21.5/html/internals_1.html#SEC1

1. A History of Emacs

XEmacs is a powerful, customizable text editor and development environment.
It began as Lucid Emacs, which was in turn derived from GNU Emacs, a
program written by Richard Stallman of the Free Software Foundation. GNU
Emacs dates back to the 1970's, and was modelled after a package called
"Emacs", written in 1976, that was a set of macros on top of TECO, an old,
old text editor written at MIT on the DEC PDP 10 under one of the earliest
time-sharing operating systems, ITS (Incompatible Timesharing System). (ITS
dates back well before Unix.) ITS, TECO, and Emacs were products of a group
of people at MIT who called themselves "hackers", who shared an idealistic
belief system about the free exchange of information and were fanatical in
their devotion to and time spent with computers. (The hacker subculture
dates back to the late 1950's at MIT and is described in detail in Steven
Levy's book Hackers. This book also includes a lot of information about
Stallman himself and the development of Lisp, a programming language
developed at MIT that underlies Emacs.)
 

Julie

Aravind said:
I would like to know in what manner dangling pointers affect the
security of an application developed using C++. What are the loopholes
that are created by dangling pointers, and how could they be exploited
by hackers?

Aravind

Dangling pointer:
http://catb.org/~esr/jargon/html/D/dangling-pointer.html

In a language such as C++, a dangling pointer isn't particularly a problem, in
and of itself. In languages where pointers are abstracted away (e.g. Java),
there can be all sorts of negative consequences because of the implied notion
that a pointer only points to something valid (or possibly null).

Common code practices indicate that a pointer should either point to something
valid or be set to null. Under this practice, usage of a valid pointer will
result in defined behavior, and usage of a null pointer will result in an exception
or program termination. However, using a dangling pointer is completely
undefined, and that is where a potential problem can be exploited, but it is
going to be very system-specific behavior.

So, suppose that there is a system & application where it is known that there
is some sequence of steps that results in (internally) a dangling pointer.
Additionally, occasionally that dangling pointer may eventually point to a
portion of memory that contains security (access-control) related information.
That dangling pointer could then conceivably be exploited to write
to (what is presumed to be) secure parts of memory, changing access control and
possibly granting additional (unintended) access to the user.

Note that this is only one scenario; there is no single or unified answer to
your question.
 

JKop

Julie posted:
So, suppose that there is a system & application where it is known that
there is some sequence of steps that results in (internally) a dangling
pointer.

int* pBozo = new int;

delete pBozo;

//AHHH!!!! Dangling pointer!
Additionally, occasionally that dangling pointer may
eventually point to a portion of memory that contains security
(access-control) related information.


pBozo = GenerateSuperDuperRandomMemoryAddress();

That dangling pointer could then
conceivably be exploited to write to (what is presumed to be)
secure parts of memory, changing access control, and possibly granting
additional (unintended) access to the user.

BULL

SHIT

BULL

SHIT


Note that this is only one scenario; there is no single or unified
answer to your question.

Dangling pointers are not a problem at all whatsoever.


-JKop
 

Mark A. Gibbs

Good day, Julie,

After ignoring lousy attitudes and snipping trash, sometimes even the
biggest schmucks can have a point. The behaviour of accessing dangling
pointers is, as you pointed out, undefined. However, the behaviour of
the preceding delete is quite well-defined.

For example assume that you have previously "new"ed some kind of
certificate or a key to allow access to a restricted resource. After
using it, you call delete on this pointer, but do not get rid of it
completely. You have a dangling pointer problem now.

But is it a security risk? I doubt that. If the code worked at all then
that resource - the certificate or key - should have been invalidated
before the memory was deallocated, either in the destructor, or by an
explicit call before, or both. If not, then your problem isn't a
dangling pointer, it's a resource leak.

While I have to agree that it's not *impossible* for a dangling pointer
to lead to a security breach - due to the nature of undefined behaviour,
a dangling pointer could one day lead to the obliteration of entire
galaxies for all we know (when Windows' memory footprint is so large it
must be googol-bytes) - the non-deterministic nature of modern operating
systems would tend to make that a non-reproducible bug.

One would also assume that a "secure" OS would have some way to defend
against random memory writes wreaking havoc anywhere but in the calling
process.

Add to that that any program that could potentially lead to security
breaches would (assumedly) be thoroughly tested - and that dangling
pointers are trivial to detect, I'd say the practical probability is
slim to none and shrinking.

mark
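Julie's scenario (a stale pointer later reaching access-control data) and Mark's point that the guarded resource should be invalidated before its memory is released, shown together as an added example that is not code from any poster in this thread: with std::shared_ptr owning the token and std::weak_ptr held by non-owning users, "is this pointer still valid?" becomes a defined check instead of undefined behaviour. AccessToken, ResourceUser and the sample secret are constructed names for illustration.

```cpp
#include <algorithm>
#include <cassert>
#include <memory>
#include <string>
#include <utility>

// A credential-like resource guarding access to something restricted
// (constructed for this example). The destructor wipes the secret, so the
// resource is invalidated before its storage is handed back to the allocator.
// (A production wipe should use a clear the compiler cannot elide.)
struct AccessToken {
    std::string secret;
    explicit AccessToken(std::string s) : secret(std::move(s)) {}
    ~AccessToken() { std::fill(secret.begin(), secret.end(), '\0'); }
};

// A component that needs the token later but does not own it. A raw pointer
// kept past delete would be dangling and dereferencing it is undefined; a
// weak_ptr instead answers "still alive?" deterministically via lock().
class ResourceUser {
public:
    explicit ResourceUser(const std::shared_ptr<AccessToken>& t) : token_(t) {}

    // True only while some owner still keeps the token alive.
    bool tryAccess() const {
        std::shared_ptr<AccessToken> t = token_.lock();  // nullptr once released
        return t != nullptr && !t->secret.empty();
    }

private:
    std::weak_ptr<AccessToken> token_;
};

// Walks through the thread's sequence: token created, shared with a user,
// released by its owner. The non-owning user observes the release instead
// of touching freed memory.
bool dangling_reference_is_detected() {
    auto owner = std::make_shared<AccessToken>("constructed-sample-secret");
    ResourceUser user(owner);
    bool before = user.tryAccess();  // true: token is live
    owner.reset();                   // last owning reference goes away
    bool after = user.tryAccess();   // false: lock() yields nullptr, no UB
    return before && !after;
}

int main() {
    assert(dangling_reference_is_detected());
    return 0;
}
```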
 

E. Robert Tisdale

Rolf said:
Actually, they don't.
That's what the media made out of the word "hacker".
A hacker is actually just a programmer
who is good at programming and who likes it.

No.

The word hacker is a pejorative term used to describe someone
(a programmer for instance) who succeeds through persistence
without really knowing what he (or she) is doing.
For example, a person who breaks into other people's
computer accounts by guessing their passwords is a hacker.
A programmer who guesses at the semantics and syntax of a library
function call correctly without ever consulting a manual is a hacker.

Think of an ill prepared camper who forgets to bring a hatchet or saw
and ends up hacking tree limbs (for firewood) with a Swiss army knife.
[snip]

This is *not* a definition of hacker. The people at MIT were hackers
because they didn't really know what they were doing and not
because they "shared an idealistic belief system".
For the sake of respectability in this case, modern researchers
might wish to substitute the term *experimentalist* for hacker.
 

Richard Herring

E. Robert Tisdale said:
No.

The word hacker is a pejorative term

No. From the Jargon File:

hacker: n.
1. A person who enjoys exploring the details of programmable
systems and how to stretch their capabilities, as opposed to most users,
who prefer to learn only the minimum necessary. RFC1392, the Internet
Users' Glossary, usefully amplifies this as: A person who delights in
having an intimate understanding of the internal workings of a system,
computers and computer networks in particular.

2. One who programs enthusiastically (even obsessively) or who
enjoys programming rather than just theorizing about programming...

[and much more]

http://www.catb.org/~esr/jargon/html/H/hacker.html

cf.

cracker: n.
One who breaks security on a system. Coined ca. 1985 by hackers in
defense against journalistic misuse of hacker (q.v., sense 8). An
earlier attempt to establish worm in this sense around 1981--82 on
Usenet was largely a failure...
http://www.catb.org/~esr/jargon/html/C/cracker.html
 
