gets() is dead

Keith Thompson

Tor Rustad said:
Banning gets() solves little, you still need to take backups and avoid poor
quality programs & trojans.
[...]

Keeping gets() in the language solves nothing.
 
Tak-Shing Chan

I have not performed a code audit of KNode, and neither have I any great value
here to protect.

[OT] You can write a program to traverse your filesystem(s),
open every object file it sees, and flag every call to gets,
scanf and its ilk to a logfile. This is much weaker than a real
code audit, but it is better than nothing at all.

Tak-Shing
 
Tor Rustad

Tak-Shing Chan said:
I have not performed a code audit of KNode, and neither have I any great
value here to protect.

[OT] You can write a program to traverse your filesystem(s),
open every object file it sees, and flag every call to gets,
scanf and its ilk to a logfile. This is much weaker than a real
code audit, but it is better than nothing at all.


My current professional project is actually to write a program which
monitors and analyzes the programs/modules on a high-security system. If
a non-authorized binary is detected, it will trigger an alarm on another
host.

I could trigger an alarm on gets() calls too, but if an insider
really tried to put in a backdoor, it probably would be far more
sophisticated than that, in order to fool internal and external code
audits.

A more interesting feature would be to enforce run-time checks of a 3rd
party module, e.g. by placing a wrapper in front of some core API.
 
Richard Tobin

Tor Rustad said:
I could trigger an alarm on gets() calls too, but if an insider
really tried to put in a backdoor, it probably would be far more
sophisticated than that, in order to fool internal and external code
audits.

Yes, prohibiting gets() does little to prevent an author from
installing a backdoor. After all, they can always call fgets() with a
buffer smaller than the size argument.

-- Richard
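
Richard's fgets() case, worked through as an added example (not code from the thread): with `char buf[16]; fgets(buf, 256, stdin);` the size argument no longer describes the buffer and the call overflows exactly as gets() would. The read_line() below takes the capacity from sizeof through a macro so the two cannot drift apart, and it also handles the case a bare fgets() call hides: a line longer than the buffer, whose tail would otherwise be handed to the next read as if it were a fresh line. The sample input and the 16-byte buffer are constructed for the demonstration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* What Richard describes: the size argument says 256 but the buffer
 * holds 16 bytes, so this overflows just like gets() would:
 *     char buf[16];
 *     fgets(buf, 256, stdin);
 */

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Read one line into buf, which holds cap bytes including the NUL.
 * Strips the trailing newline. Unlike a bare fgets() call it reports
 * when the line did not fit, and discards the rest of that line so
 * the next call starts on a fresh line instead of on the leftover. */
enum line_status read_line(char *buf, size_t cap, FILE *fp)
{
    if (cap < 2)                   /* room for one character plus the NUL */
        return LINE_EOF;
    int n = cap > INT_MAX ? INT_MAX : (int)cap;   /* fgets() takes an int */
    if (fgets(buf, n, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: either the file ended here, or the line was longer
     * than cap-1 bytes. One more character tells the two apart. */
    int c = getc(fp);
    if (c == EOF)
        return LINE_OK;
    while (c != '\n' && c != EOF)  /* drop the remainder of the long line */
        c = getc(fp);
    return LINE_TRUNCATED;
}

/* Take the capacity from the array itself so it cannot be stated wrongly.
 * Only use with a real array, never a pointer (sizeof would be the pointer). */
#define READ_LINE(arr, fp) read_line((arr), sizeof(arr), (fp))

/* Constructed sample input (not from the original thread): the second
 * line does not fit in a 16-byte buffer; the last line has no newline. */
static const char sample_input[] =
    "short\n"
    "this second line is much longer than sixteen bytes\n"
    "last";

/* Feed the sample through read_line() with a 16-byte buffer. Returns 0
 * on success and reports the line count and how many were truncated. */
static int run_sample(int *lines, int *truncated)
{
    FILE *fp = tmpfile();          /* standard C stand-in for a real stream */
    if (fp == NULL)
        return -1;
    fputs(sample_input, fp);
    rewind(fp);

    char buf[16];
    enum line_status st;
    *lines = *truncated = 0;
    while ((st = READ_LINE(buf, fp)) != LINE_EOF) {
        (*lines)++;
        if (st == LINE_TRUNCATED)
            (*truncated)++;
        printf("%-9s %s\n", st == LINE_TRUNCATED ? "TRUNCATED" : "OK", buf);
    }
    fclose(fp);
    return 0;
}

int demo_total_lines(void)
{
    int lines, truncated;
    return run_sample(&lines, &truncated) == 0 ? lines : -1;
}

int demo_truncated_lines(void)
{
    int lines, truncated;
    return run_sample(&lines, &truncated) == 0 ? truncated : -1;
}

int main(void)
{
    return demo_truncated_lines() < 0;
}
```

The macro does not help when the destination arrives as a pointer (a heap buffer, a function parameter); there the caller still has to pass the allocation size, which is precisely the value an author can misstate.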
 
Tak-Shing Chan

Tak-Shing Chan said:
[OT] You can write a program to traverse your filesystem(s),
open every object file it sees, and flag every call to gets,
scanf and its ilk to a logfile. This is much weaker than a real
code audit, but it is better than nothing at all.

Tor Rustad said:

My current professional project is actually to write a program which
monitors and analyzes the programs/modules on a high-security system. If
a non-authorized binary is detected, it will trigger an alarm on another
host.

I could trigger an alarm on gets() calls too, but if an insider
really tried to put in a backdoor, it probably would be far more
sophisticated than that, in order to fool internal and external code
audits.

A more interesting feature would be to enforce run-time checks of a 3rd
party module, e.g. by placing a wrapper in front of some core API.

The program I was talking about is actually much simpler.
It scans for dynamic symbols in binary objects and compares them
to a predefined list of banned labels. In the example below, the
banned labels are "scanf", "gets", "strncpy" and "sprintf".

Tak-Shing

----- OT beyond this line -----
/*
** scan.c (requires GNU libbfd)
**
** Released under GPL
**
** Copyright (C) 2007 Tak-Shing Chan
*/

/* Recent binutils releases refuse to compile bfd.h unless these two
** macros (normally supplied by a configure-generated config.h) exist. */
#ifndef PACKAGE
#define PACKAGE "scan"
#endif
#ifndef PACKAGE_VERSION
#define PACKAGE_VERSION "1.0"
#endif

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "bfd.h"

/* Dynamic-symbol names to report. Matching is exact, so fgets and
** snprintf are not flagged. */
static const char *banned[] = {
    "scanf",
    "gets",
    "strncpy",
    "sprintf"
};

int
main(int argc, char *argv[])
{
    bfd *abfd;
    long storage_needed;
    asymbol **symbol_table;
    long number_of_symbols;
    long i;
    size_t j;

    if (argc != 2) {
        fprintf(stderr, "usage: find [path] -exec %s '{}' \\;\n",
            argv[0]);
        return EXIT_FAILURE;
    }

    bfd_init();

    if (!(abfd = bfd_openr(argv[1], NULL))) {
        fprintf(stderr, "Cannot open %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    /* Skip anything that is not an object file (scripts, data, archives). */
    if (!bfd_check_format(abfd, bfd_object)) {
        fprintf(stderr, "%s is not an object file\n", argv[1]);
        bfd_close(abfd);
        return EXIT_FAILURE;
    }

    /* Only the dynamic symbol table is examined: it lists what the object
    ** imports from shared libraries. A statically linked binary has none
    ** and is reported here rather than scanned. */
    storage_needed = bfd_get_dynamic_symtab_upper_bound(abfd);

    if (storage_needed <= 0) {
        fprintf(stderr, "%s has no dynamic symbols\n", argv[1]);
        bfd_close(abfd);
        return EXIT_FAILURE;
    }

    if (!(symbol_table = malloc(storage_needed))) {
        fprintf(stderr, "Memory allocation failure\n");
        bfd_close(abfd);
        return EXIT_FAILURE;
    }

    number_of_symbols =
        bfd_canonicalize_dynamic_symtab(abfd, symbol_table);

    if (number_of_symbols < 0) {
        fprintf(stderr, "Cannot read dynamic symbols of %s\n", argv[1]);
        free(symbol_table);
        bfd_close(abfd);
        return EXIT_FAILURE;
    }

    for (i = 0; i < number_of_symbols; i++) {
        for (j = 0; j < sizeof banned / sizeof *banned; j++) {
            /* symbol_table[i], not symbol_table: the table is an array
            ** of asymbol pointers and bfd_asymbol_name wants one entry. */
            if (!strcmp(bfd_asymbol_name(symbol_table[i]), banned[j])) {
                printf("%s: %s detected!\n", argv[1], banned[j]);
                break;
            }
        }
    }

    free(symbol_table);
    bfd_close(abfd);
    return 0;
}
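
An added example, not part of Tak-Shing's scan.c, that applies the same banned-list check to the text `nm -D` prints, so it can be used where libbfd is not installed (`nm -D file`, one line per dynamic symbol). It also covers two aliases that an exact comparison on the raw symbol name misses on glibc systems: a modern glibc usually resolves scanf() to `__isoc99_scanf`, and with `_FORTIFY_SOURCE` sprintf() and gets() are imported as `__sprintf_chk` and `__gets_chk`. Versioned names such as `gets@GLIBC_2.2.5` are stripped first. The sample nm output below is constructed, not taken from a real binary, and the demo name and exit-code convention are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Same banned list as scan.c. */
static const char *const banned[] = { "scanf", "gets", "strncpy", "sprintf" };
#define NBANNED (sizeof banned / sizeof *banned)

/* Copy the next whitespace-delimited token from s[i..] into out
 * (at most cap-1 bytes) and return the index just past it. */
static size_t next_token(const char *s, size_t i, char *out, size_t cap)
{
    size_t n = 0;
    while (s[i] == ' ' || s[i] == '\t')
        i++;
    while (s[i] != '\0' && s[i] != ' ' && s[i] != '\t' && s[i] != '\n') {
        if (n + 1 < cap)
            out[n++] = s[i];
        i++;
    }
    out[n] = '\0';
    return i;
}

/* Reduce a dynamic-symbol name to the libc function behind it:
 *   gets@GLIBC_2.2.5    -> gets      (symbol versioning suffix)
 *   __isoc99_scanf@...  -> scanf     (glibc's C99 scanf alias)
 *   __sprintf_chk@...   -> sprintf   (_FORTIFY_SOURCE wrapper)
 * Anything else is copied unchanged. */
void canonical_name(const char *sym, char *out, size_t cap)
{
    char tmp[128];
    size_t n = strcspn(sym, "@");
    if (n >= sizeof tmp)
        n = sizeof tmp - 1;
    memcpy(tmp, sym, n);
    tmp[n] = '\0';

    const char *p = tmp;
    size_t len = n;
    if (strncmp(p, "__isoc99_", 9) == 0) {
        p += 9;
        len -= 9;
    } else if (len > 6 && strncmp(p, "__", 2) == 0
               && strcmp(p + len - 4, "_chk") == 0) {
        p += 2;          /* __X_chk -> X */
        len -= 6;
    }
    snprintf(out, cap, "%.*s", (int)len, p);
}

/* Classify one line of `nm -D` output. Imported (undefined) symbols have
 * no address column, so their first field is the type letter "U" (or
 * "w" for a weak reference):
 *   "                 U gets@GLIBC_2.2.5"
 * Defined symbols begin with an address and are not imports:
 *   "0000000000001139 T main"
 * Returns the index into banned[] of the imported function, or -1. */
int banned_index(const char *line)
{
    char type[8], sym[128], name[128];
    size_t i = next_token(line, 0, type, sizeof type);
    next_token(line, i, sym, sizeof sym);
    if (sym[0] == '\0' || (strcmp(type, "U") != 0 && strcmp(type, "w") != 0))
        return -1;
    canonical_name(sym, name, sizeof name);
    for (size_t j = 0; j < NBANNED; j++)
        if (strcmp(name, banned[j]) == 0)   /* exact: fgets, snprintf pass */
            return (int)j;
    return -1;
}

/* Constructed sample of `nm -D` output, not taken from a real binary. */
static const char *const sample_nm[] = {
    "                 w __cxa_finalize@GLIBC_2.2.5",
    "                 U fgets@GLIBC_2.2.5",
    "                 U gets@GLIBC_2.2.5",
    "                 U __isoc99_scanf@GLIBC_2.7",
    "                 U __sprintf_chk@GLIBC_2.3.4",
    "                 U snprintf@GLIBC_2.2.5",
    "                 U strncpy@GLIBC_2.2.5",
    "0000000000001139 T main",
};

/* Run the check over the sample as though it were `nm -D demo` output;
 * returns the number of lines flagged. */
int demo_flag_sample(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_nm / sizeof *sample_nm; i++) {
        int k = banned_index(sample_nm[i]);
        if (k >= 0) {
            printf("demo: %s detected!\n", banned[k]);
            hits++;
        }
    }
    return hits;
}

/* Exit non-zero when something was flagged, so a find -exec loop can react. */
int main(void)
{
    return demo_flag_sample() > 0 ? 1 : 0;
}
```

The normalisation only matters for what nm shows as the import name; a backdoor of the kind Tor and Richard describe, built from fgets() or memcpy() with the wrong size, imports nothing on this list and is invisible to either scanner.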
 
