Software Security

How Should We Make Software Secure?

University of Washington, Microsoft Research, and Carnegie Mellon University Summer Institute

June 15–18, 2003

 

Challenge Problem: Code Teasers
submitted by Jeannette Wing, copied with permission from the author, Mike Howard

Spot the Security Flaw

These are all taken from Mike Howard's MSDN web pages on writing secure code.  Each little code snippet has (at least) one security vulnerability.  Can you spot them all?

1. Warm-up exercise

void funkyfunc(char c) {
   char *buff = new char(250);
   if (buff) 
      memset(buff,c,250);
   delete [] buff;
}

2. Unit analysis

WCHAR g_wszComputerName[INTERNET_MAX_HOST_NAME_LENGTH + 1];

// Get the server name and convert it to the Unicode string.
BOOL GetServerName (EXTENSION_CONTROL_BLOCK *pECB) {
   DWORD   dwSize = sizeof(g_wszComputerName);
   char    szComputerName[INTERNET_MAX_HOST_NAME_LENGTH + 1];

   if (pECB->GetServerVariable (pECB->ConnID,
            "SERVER_NAME",
            szComputerName,
            &dwSize)) {
   // rest of code snipped

3. This pseudocode reflects a somewhat common flaw. Imagine this is multithreaded code handling sensitive data that is to be encrypted before being written to disk or a network connection. Also assume that all functions raise exceptions on failure.

Try {
   Byte [] text = AccessPlaintextData();
   Byte [] password = GetPassword();
   Byte [] salt = GetSalt();
   
   EncryptData(text,password);
   SendEncryptedData(text, salt);

   ScrubSecret(password);
   ScrubSecret(salt);
   ScrubSecret(text);
   
} Catch() {
   // exception code
}

4. Some .asp code

Hello, 
<% response.write(request.querystring("Name")) %>

5. ShuffleAndUpdate

void ShuffleAndUpdate(char *szName, char *szPwd, 
                DWORD index,
                DWORD d) {
   DWORD dwArray[32]; 
   ZeroMemory(dwArray,sizeof(dwArray));
   BOOL fAllowAccess = FALSE;
   if (IsValidUser(szName,szPwd)) {
      fAllowAccess = TRUE;
      ShuffleArray(dwArray,szName);
   }
   dwArray[index]= d;
   if (fAllowAccess) {
      // do something sensitive
   }
}

6. This code is from a service that runs as SYSTEM, and it makes file-based requests on behalf of its users.

bool WritePipeDataToFile(HANDLE hPipe) {
   bool fDataWritten = false;

   ImpersonateNamedPipeClient(hPipe);

   HANDLE hFile = CreateFile(...);
   if (hFile != INVALID_HANDLE_VALUE) {
      BYTE buff[1024];
      DWORD cbRead = 0;
      if (ReadFile(hPipe,
             buff,
             sizeof(buff),
             &cbRead,
             NULL)) {

         DWORD cbWritten = 0;
         if (WriteFile(hFile,
                       buff,
                       cbRead,
                       &cbWritten,
                       NULL)) {
            if (cbRead == cbWritten)
               fDataWritten = true;
         }
      }

      if (hFile) CloseHandle(hFile);
   }

   RevertToSelf();

   return fDataWritten;
}
 
Solutions
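Puzzles 1, 2 and 5 share one theme: the size handed to an allocator, an API or an array index is not the size of the buffer that is actually written. In puzzle 1, new char(250) allocates a single char (initialised to 250) and the memset of 250 bytes overflows the heap, with a delete[] that does not match the new. In puzzle 2, dwSize is sizeof a WCHAR array, twice the byte size of the char array the API is told to fill. In puzzle 5, dwArray[index] = d takes a caller-supplied index with no bounds check, and runs whether or not the user was valid. The C++ below is an added example by the editor, not Mike Howard's solution text or code. It assumes portable stand-ins (WCHAR as char16_t, DWORD as uint32_t, a small placeholder value for INTERNET_MAX_HOST_NAME_LENGTH) and a hypothetical ModelGetServerVariable that is told both the claimed size and the real capacity so the unit mismatch can be reported instead of overflowing memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Portable stand-ins (assumptions): Windows' WCHAR is a 16-bit character,
// DWORD a 32-bit unsigned integer; the ISAPI length constant gets a small
// placeholder value so the byte counts are easy to follow.
typedef char16_t WCHAR;
typedef std::uint32_t DWORD;
const std::size_t INTERNET_MAX_HOST_NAME_LENGTH = 15;

WCHAR g_wszComputerName[INTERNET_MAX_HOST_NAME_LENGTH + 1];   // 16 WCHARs = 32 bytes

// Puzzle 1: new char(250) allocates ONE char initialised to 250, so the
// memset of 250 bytes overflows the heap and delete[] does not match the
// new. A vector of 250 elements is the idiomatic replacement: its size() is
// the number of bytes the caller may really touch.
std::size_t funkyfuncFixed(char c) {
    std::vector<char> buff(250, c);   // 250 elements, each set to c
    return buff.size();               // 250
}

// Puzzle 2: dwSize is taken from the wide array (32 bytes) but the narrow
// array passed to the API is only 16 bytes. This hypothetical model of
// GetServerVariable is told the caller's claimed size and the destination's
// real capacity separately, so it can refuse instead of overflowing.
bool ModelGetServerVariable(const std::string& value, char* dst,
                            std::size_t realCapacity, DWORD claimedBytes) {
    if (claimedBytes > realCapacity) return false;     // claimed size exceeds the buffer
    if (value.size() + 1 > claimedBytes) return false; // analogue of ERROR_INSUFFICIENT_BUFFER
    std::memcpy(dst, value.c_str(), value.size() + 1);
    return true;
}

// Returns true only when the size passed is the size of the buffer that
// actually receives the data.
bool GetServerNameSized(bool useWideSize) {
    char szComputerName[INTERNET_MAX_HOST_NAME_LENGTH + 1];   // 16 bytes
    DWORD dwSize = useWideSize ? (DWORD)sizeof(g_wszComputerName)   // the bug: 32
                               : (DWORD)sizeof(szComputerName);    // correct: 16
    return ModelGetServerVariable("srv01", szComputerName, sizeof(szComputerName), dwSize);
}

// Puzzle 5: dwArray[index] = d uses a caller-supplied index with no bounds
// check, and it runs whether or not IsValidUser succeeded. Check the index
// against the element count before storing.
bool StoreChecked(DWORD* arr, std::size_t count, DWORD index, DWORD d) {
    if (index >= count) return false;   // out of range: refuse the write
    arr[index] = d;
    return true;
}

// Returns the stored value on success and reports via 'accepted' whether
// the write was allowed.
DWORD ShuffleAndUpdateFixed(DWORD index, DWORD d, bool& accepted) {
    DWORD dwArray[32] = {};
    accepted = StoreChecked(dwArray, sizeof(dwArray) / sizeof(dwArray[0]), index, d);
    return accepted ? dwArray[index] : 0;
}
```

The general rule the three fixes share: compute a size from the object that is actually written (sizeof(szComputerName), buff.size(), the element count of dwArray), never from a different object that happens to have the same logical length.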

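In puzzle 3, an exception raised by EncryptData or SendEncryptedData jumps straight to the Catch block, so the three ScrubSecret calls never run and the plaintext, password and salt stay in memory. In languages with finally, the scrubbing belongs there; the C++ counterpart is a guard object whose destructor scrubs during stack unwinding. The block below is an added example by the editor, not code from the page: ScrubSecret, ScrubGuard and the XOR stand-in for EncryptData are constructed for illustration, and the SendEncryptedData stand-in is made to throw so the failure path is exercised.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

typedef std::vector<unsigned char> Bytes;   // stand-in for Byte[]

// Hypothetical ScrubSecret: zero a buffer through a volatile pointer so the
// compiler cannot discard the writes as dead stores (the same concern
// SecureZeroMemory addresses on Windows).
void ScrubSecret(Bytes& buf) {
    volatile unsigned char* p = buf.data();
    for (std::size_t i = 0; i < buf.size(); ++i) p[i] = 0;
}

// Guard that scrubs its buffer when the enclosing scope ends, whether by
// normal completion or by an exception unwinding through the scope; this is
// the C++ counterpart of putting the ScrubSecret calls in a finally block.
class ScrubGuard {
public:
    explicit ScrubGuard(Bytes& b) : buf_(b) {}
    ~ScrubGuard() { ScrubSecret(buf_); }
    ScrubGuard(const ScrubGuard&) = delete;
    ScrubGuard& operator=(const ScrubGuard&) = delete;
private:
    Bytes& buf_;
};

// Constructed stand-in for EncryptData: XOR with the password in place (a toy
// transform, not real encryption) so the function does observable work.
void EncryptData(Bytes& text, const Bytes& password) {
    if (password.empty()) throw std::runtime_error("empty password");
    for (std::size_t i = 0; i < text.size(); ++i)
        text[i] ^= password[i % password.size()];
}

// Constructed stand-in for SendEncryptedData that fails by raising an
// exception, as the puzzle says any of these functions may.
void SendEncryptedData(const Bytes&, const Bytes&) {
    throw std::runtime_error("network down");
}

bool AllZero(const Bytes& v) {
    for (unsigned char c : v) if (c != 0) return false;
    return true;
}

// Runs the puzzle's sequence with guards in place. Returns true when every
// byte of text, password and salt is zero afterwards, and sets 'threw' to
// report whether the failure path was taken.
bool ProcessAndScrub(Bytes& text, Bytes& password, Bytes& salt, bool& threw) {
    threw = false;
    try {
        ScrubGuard g1(text), g2(password), g3(salt);
        EncryptData(text, password);
        SendEncryptedData(text, salt);   // throws here
    } catch (const std::exception&) {
        threw = true;   // the guards have already scrubbed during unwinding
    }
    return AllZero(text) && AllZero(password) && AllZero(salt);
}
```

The guards are declared inside the try block, so they are destroyed before control reaches the catch handler; the secrets are gone regardless of which call failed, which is exactly what the original's straight-line ScrubSecret calls cannot guarantee.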

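Puzzle 4 writes the Name query-string value into the page unencoded, so any markup the value carries is interpreted by the browser (cross-site scripting). The ASP fix is to pass the value through Server.HTMLEncode before Response.Write. The C++ below is an added editor's example of that same output-encoding step, not ASP's own implementation; HtmlEncode, RenderUnsafe, RenderSafe and ContainsRawTag are hypothetical names.

```cpp
#include <string>

// Output-encode untrusted text for an HTML text context. Modelled on the
// job Server.HTMLEncode does for the five characters that matter in markup;
// the function itself is an added example, not ASP's code.
std::string HtmlEncode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable rendering: the query-string value lands in the page verbatim,
// so any markup it contains becomes part of the document.
std::string RenderUnsafe(const std::string& name) {
    return "Hello, " + name;
}

// Fixed rendering: encode at the point of output, in the context where the
// value is emitted (here, HTML text).
std::string RenderSafe(const std::string& name) {
    return "Hello, " + HtmlEncode(name);
}

// Quick check used to compare the two renderings: does a raw '<' survive?
bool ContainsRawTag(const std::string& html) {
    return html.find('<') != std::string::npos;
}
```

Encoding is context-specific: the table above is right for HTML text and attribute values, but a value placed inside a script block or a URL needs the encoding appropriate to that context instead.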

For problems or questions regarding this website contact wing@microsoft.com
Last updated: 04/03/03.