
Being Sneaky in C

158 points by alexggordon, almost 10 years ago

8 comments

patrickmay, almost 10 years ago
I like the original Ken Thompson sneakiness in C (http://electronicdesign.com/dev-tools/thompson-ritchie-and-kernighan-fathers-c):

"Also in his Turing Award lecture, he described how he had incorporated a backdoor security hole in the original UNIX C compiler. To do this, the C compiler recognized when it was recompiling itself and the UNIX login program. When it recompiled itself, it modified the compiler so the compiler backdoor was included. When it recompiled the UNIX login program, the login program would allow Thompson to always be able to log in using a fixed set of credentials."
thaumaturgy, almost 10 years ago
OpenBSD specifically modified malloc() a few years ago to prevent this sort of sneakiness (http://www.tw.openbsd.org/papers/eurobsdcon2009/otto-malloc.pdf [pdf]). So they route their malloc() calls through mmap(), which returns randomized pages, and free() immediately returns memory to the kernel rather than leaving it mapped in the current process.

I'd be surprised if these changes haven't made it into FreeBSD, but afaik Linux doesn't work this way (by default, anyway).
ojn, almost 10 years ago
It also makes the assumption that it's a little-endian system. On a big-endian system, the high-order byte of the timestamp would be modified, which would probably be too obvious.
esmi, almost 10 years ago
"In C/C++, you can use bugs in one part of a program to cause trouble in another. That's pretty darn underhanded."

I would argue every language has that property. But with C/C++ being so closely tied to the ABI of the machine, perhaps they are more underhanded than others. But to me, this branding does feel a bit unfair.

Still, a fun contest and an interesting read.
codezero, almost 10 years ago
The description of the bug in surveil.txt in the source archive was a bit easier for me to understand; really nifty :)
jonahx, almost 10 years ago
Would setting the malloc'd memory back to the original message before freeing it solve the problem?
amelius, almost 10 years ago
Would there be a way to do this automatically? Like a "sneaky pre-compiler"?
itistoday2, almost 10 years ago
Looking at the source, this is where the alarm bells should go off in a reviewer's head:

    memcpy(filter->buffer, output->piu_text_utf8, sizeof(output->piu_text_utf8));

1. memcpy is less safe than memmove and strncpy. strncpy should be used.

2. The two character arrays should use the same constant in defining their length, and that constant should be used both in the struct definitions and here in the copy operation.

3. The code is written in C in spite of it being 2014 at the time.