--- /dev/null
+1a.
+ malloc might fail and thus return NULL.
+ strncpy is used with a length off by one thus not copying the null byte.
+ src is too small to fit domain.
+
+ To fix this change the code to:
+ char *src = malloc(10);
+ if(src == NULL){
+ perror("malloc");
+ exit(EXIT_FAILURE);
+ }
+ char *domain = "www.ru.nl";
+ strncpy(src, domain, 10);
+1b.
+ Probably, this all happens in the same scope and the same control flow and
+ therefore via static analysis you can catch these simple errors.
+1c.
+ Yes, a return to libc attack overwrites the return address of a function
+ with the pointer to some libc function. Therefore when overflowing often
+ the stack canary is destroyed and then the program can act upon by refusing
+ to continue execution for example.
+1d.
+ With annotations for sure. An off-by-one error is made in the initialize
+ function. When buf is annotated with the fact that it must be at of length
+ len PREfast will complain that at some point buf[len] will be written.
+
+ If the code is not annotated with SAL it will probably not detect the error
+ since complex inference is often difficult.
+2.
+ The first type of memory safety is the fact that you can never write/read
+ in memory you are not supposed to write/read in.
+
+ The second type of memory safety is the fact that there is no such thing as
+ uninitialized memory. You can never read memory that has not been
+ initialized.
+3a.
+ In a normal SQL injection you try to input user information that modifies
+ not only the value but the query itself.
+
+ A blind SQL injection does not modify the query enough to make a difference
+ but the information is gathered via side effects such as the type of the
+ respons and the lack of response. By trying to generate errors or long
+ query times you can get to know things about the server or application.
+3b.
+ TOCTOU is misusing the non-atomicity of operations. Often you first ask
+ whether you may do something and then do it. In between these moments a
+ clever attacker can change things. For example a setuid wants to write a
+ file such as /etc/passwd. First it checks whether the file is a regular
+ file and not a symlink. After checking it will write. However, a different
+ thread can try to change /etc/passwd to a symlink in the meantime thus
+ misleading the program.
+3c.
+ Whitelisting means only allowing a subset of inputs. Blacklisting means
+ disallowing a subset of inputs. Whitelisting is safer but often more work
+ since the set of inputs may be very large. Blacklisting is more difficult
+ because it is very difficult to know the exact set of disallowed patterns.
+4a.
+ Deserializing an object means that you bypass all checks on the object and
+ possibly you can violate constraints that would be made when you would use
+ the regular object creation techniques.
+4b.
+ If the program writes the object to a file and then reads it back in the
+ attacker can inspect the serialized object and change things before it is
+ read back.
repositories / ss1617.git / commitdiff