update, add mock exam solution
[ss1617.git] / mock / mock.txt
1a.
malloc might fail and thus return NULL, and the return value is never checked.
strncpy is called with a length that is off by one, so the terminating null byte is not copied.
src is too small to hold domain.

To fix this, change the code to:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void) {
    char *src = malloc(10);          /* "www.ru.nl" is 9 characters plus the null byte */
    if (src == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    char *domain = "www.ru.nl";
    strncpy(src, domain, 10);        /* length 10 copies the null byte as well */
    free(src);
    return 0;
}
1b.
Probably yes: all of this happens in the same scope and on the same control-flow path,
so a static analysis tool can relate the allocation size to the copy length and catch
these simple errors.
1c.
Yes. A return-to-libc attack overwrites the return address of a function with the
address of some libc function. With a linear stack overflow the attacker has to write
over the stack canary, which sits between the local buffers and the saved return
address, in order to reach the return address. The canary check on function return then
fails and the program can act on that, for example by aborting instead of returning to
the attacker's chosen address. The canary does not help if the return address can be
written without touching the canary (for example through a stray pointer write) or if
the canary value has been leaked.
1d.
With annotations, for sure. An off-by-one error is made in the initialize function.
When buf is annotated as being exactly len bytes long (for example with
_Out_writes_(len)), PREfast will complain that at some point buf[len] is written, which
is one past the end.

If the code is not annotated with SAL it will probably not detect the error, since
inferring the relation between buf and len across the call is often too complex for the
tool.
2.
The first kind of memory safety is that you can never read or write memory you are not
supposed to read or write.

The second kind of memory safety is that there is no such thing as uninitialized
memory: you can never read memory that has not been initialized.
3a.
In a normal SQL injection you supply input that changes not only a value in the query
but the structure of the query itself, and the result of the modified query is shown to
you directly.

In a blind SQL injection the query is modified too, but the application does not show
the query result or any error message. The information is instead gathered via side
channels such as the type of response, the lack of a response, or the time a request
takes. By injecting conditions that make the query error, return nothing, or run for a
long time, you can learn things about the server or application one bit at a time.
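An added example (not part of the original answer; written in Python with the built-in
sqlite3 module rather than whatever database the exam had in mind) of a boolean-based
blind injection. The table name, the user names and the passwords are constructed for
this example. The application exposes only a yes/no answer (does a user with this name
exist?), which is enough to read a password one character at a time; the parameterised
version of the same check does not leak anything.

```python
import sqlite3
import string


def make_db():
    """Constructed sample data: an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2')")
    return conn


def user_exists_vulnerable(conn, name):
    """The application's check with the input pasted into the query text.
    It only returns whether a row came back: a blind yes/no oracle."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchone() is not None


def user_exists_fixed(conn, name):
    """Same check with a parameterised query: the input stays a value."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def classic_injection(conn):
    """Normal injection: the condition is rewritten so any name 'exists'."""
    return user_exists_vulnerable(conn, "nobody' OR '1'='1")


def extract_password(conn, oracle, target="admin",
                     alphabet=string.ascii_lowercase + string.digits, max_len=16):
    """Boolean-based blind injection: ask 'is character pos of the password c?'
    for every candidate c and keep the one the oracle says yes to."""
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for c in alphabet:
            payload = f"{target}' AND substr(password,{pos},1)='{c}"
            if oracle(conn, payload):
                matched = c
                break
        if matched is None:
            break  # no candidate matched: we ran past the end of the password
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("classic injection accepted:", classic_injection(db))
    print("blind extraction (vulnerable):", extract_password(db, user_exists_vulnerable))
    print("blind extraction (fixed):", repr(extract_password(db, user_exists_fixed)))
```

Each oracle call yields one bit, so recovering a 6-character password over a 36-symbol
alphabet costs at most a few hundred requests; a time-based variant would replace the
substr comparison with a condition that delays the query, and read the answer from the
response time instead of the response type.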
3b.
TOCTOU (time-of-check to time-of-use) misuses the fact that a check and the later use
are not one atomic operation. Often you first ask whether you may do something and then
do it. In between these two moments a clever attacker can change things. For example, a
setuid program wants to write to a file. First it checks whether the file is a regular
file and not a symlink; after the check it writes. However, another process can replace
the file with a symlink (for instance to /etc/passwd) in the meantime, so the program is
misled into writing somewhere it should not.
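An added example (not part of the original answer) of the race just described, in
Python on a POSIX system. The attacker's move is simulated by a hook that runs between
the check and the use, and the file names in the temporary directory are constructed
for this example; the "passwd" file stands in for /etc/passwd. The fixed version does
not check first and open later: it asks open itself to refuse symlinks (O_NOFOLLOW), so
there is no window to race.

```python
import errno
import os
import tempfile


def write_check_then_use(path, data, race=None):
    """Vulnerable: the symlink check and the open are two separate steps.
    `race` stands in for the attacker acting between them."""
    if os.path.islink(path):
        raise ValueError("refusing to write through a symlink")
    if race is not None:
        race()                          # attacker wins the race here
    with open(path, "w") as f:          # follows whatever path now points to
        f.write(data)


def write_nofollow(path, data, race=None):
    """Fixed: refusing symlinks is part of the open itself, so it does not
    matter what the attacker does beforehand."""
    if race is not None:
        race()
    fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo(writer):
    """Run `writer` against a constructed race. Returns the victim file's
    contents afterwards, or None if the write was refused."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "report.txt")   # the file the program means to write
        victim = os.path.join(d, "passwd")       # stands in for /etc/passwd
        open(target, "w").close()
        with open(victim, "w") as f:
            f.write("root:x:0:0\n")

        def attacker():
            os.remove(target)
            os.symlink(victim, target)           # swap in a symlink after the check

        try:
            writer(target, "pwned\n", race=attacker)
        except OSError as e:
            if e.errno != errno.ELOOP:
                raise
            return None
        with open(victim) as f:
            return f.read()


if __name__ == "__main__":
    print("check-then-use, victim now contains:", repr(demo(write_check_then_use)))
    print("O_NOFOLLOW, victim now contains:", repr(demo(write_nofollow)))
```

The same idea applies to any check/use pair: prefer an operation that makes the check
and the use one system call (O_NOFOLLOW, O_EXCL, fstat on an already opened descriptor)
over a lstat followed by an open.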
3c.
Whitelisting means only allowing a known subset of inputs. Blacklisting means
disallowing a known subset of inputs. Whitelisting is safer but often more work, since
the set of allowed inputs may be very large and has to be described precisely.
Blacklisting is less safe because it is very difficult to know the exact set of
disallowed patterns, so something is easily missed or evaded.
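An added example (not part of the original answer) in Python showing the two ways a
blacklist fails that a whitelist does not. The list of "bad" fragments and the
display-name format are constructed for this example: one blacklist rejects known-bad
fragments and misses an unlisted one, the other strips them and is defeated by nesting,
while the whitelist simply does not admit the characters either attack needs.

```python
import re

# Constructed blacklist of fragments the application considers dangerous.
BAD_FRAGMENTS = ("<script>", "javascript:", "onerror=")


def blacklist_reject(s):
    """Blacklist as a reject filter: refuse input containing a listed fragment."""
    low = s.lower()
    return not any(bad in low for bad in BAD_FRAGMENTS)


def blacklist_strip(s):
    """Blacklist as a sanitiser: delete the listed fragments in one pass."""
    out = s
    for bad in BAD_FRAGMENTS:
        out = out.replace(bad, "")
    return out


# Whitelist: a display name is 1 to 32 letters, digits, spaces, dots or hyphens.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9 .-]{1,32}")


def whitelist_accept(s):
    """Whitelist: accept only input that matches the allowed format exactly."""
    return DISPLAY_NAME.fullmatch(s) is not None


if __name__ == "__main__":
    # Vector that is not on the list: the reject filter lets it through.
    print(blacklist_reject("<img src=x onload=alert(1)>"))
    # Nested fragment: one stripping pass reassembles the thing it removed.
    print(blacklist_strip("<scr<script>ipt>alert(1)"))
    # The whitelist never admits '<', '=' or parentheses in the first place.
    print(whitelist_accept("<img src=x onload=alert(1)>"), whitelist_accept("J. Doe-Smith"))
```

Note that the whitelist is anchored (fullmatch) and describes the whole value; a
whitelist applied with search() instead of fullmatch() degrades into a blacklist of
everything it does not mention.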
4a.
Deserializing an object bypasses all the checks that the regular object creation code
(constructors, setters) performs, so you can end up with an object that violates
invariants that would have been enforced had you used the regular object creation
techniques.
4b.
If the program writes the object to a file and later reads it back, the attacker can
inspect the serialized object and change it before it is read back, for example setting
a field to a value the constructor would have rejected.
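An added example (not part of the original answer) covering both 4a and 4b in Python
with the pickle module. The Account class, its balance invariant and the tampering are
constructed for this example. The constructor refuses a negative balance; pickle
recreates the object without calling the constructor, so an attacker who edits the
serialized file (protocol 0 is plain text, the field value is visible as I100) gets an
object with a negative balance. Re-validating in __setstate__ closes that particular
hole, but the real fix is to never deserialize attacker-controlled data with pickle at
all, since it can also execute arbitrary code.

```python
import pickle


class Account:
    """The constructor enforces the invariant balance >= 0."""

    def __init__(self, owner, balance):
        if balance < 0:
            raise ValueError("balance must not be negative")
        self.owner = owner
        self.balance = balance


class CheckedAccount(Account):
    """Same class, but re-validates the state that deserialization injects.
    pickle calls __setstate__ (not __init__) when it rebuilds the object."""

    def __setstate__(self, state):
        if state.get("balance", 0) < 0:
            raise ValueError("tampered: negative balance in serialized data")
        self.__dict__.update(state)


def save(acct):
    """Serialize with protocol 0: text based, easy for the attacker to read and edit."""
    return pickle.dumps(acct, protocol=0)


def tamper(data):
    """The attacker's edit of the stored file: the integer 100 is encoded as 'I100'."""
    return data.replace(b"I100\n", b"I-999\n")


def balance_after_tampering(cls):
    """Store an account, let the attacker edit the file, read it back.
    Returns the resulting balance, or None if the load was refused."""
    data = tamper(save(cls("bob", 100)))
    try:
        return pickle.loads(data).balance
    except ValueError:
        return None


if __name__ == "__main__":
    print("plain Account after tampering:", balance_after_tampering(Account))
    print("CheckedAccount after tampering:", balance_after_tampering(CheckedAccount))
```

The constructor check is real (Account("bob", -1) raises), yet the plain class comes
back with balance -999 because the check simply never runs on the deserialization path.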