0

I have an interview where I am expecting to have to review some vulnerable C code and point out the vulnerability(s). I am by no means a C developer, but I do know that the common vulnerabilities are primarily related to how developers manage memory.

I'm aware of Microsofts list of banned functions not to use when writing in C -- and yes, these can be quite helpful when doing code review. I was wondering, when reviewing C code, if there are any additional methodologies that are useful to follow or resources to use?

Hysii
  • 179
  • 1
  • 5
  • 1
    Is the position you are interviewing an entry-level, intermediate or senior-level position? –  Apr 06 '20 at 14:04
  • 5
    You are not a C dev, but your interview requires that you know C? Are you applying for the wrong job? – schroeder Apr 06 '20 at 14:07
  • Its relatively entry, and I dont think that any particular language is expected to be known. The expectation is that i can perform code review and identify vulnerabilities. – Hysii Apr 06 '20 at 14:11
  • 1
    Writing code and searching for vulnerabilities from it are a slightly different, but mostly overlapping skill sets. The more general the security related work is, the less important it is to deeply know different languages, but if it's just about reviewing C, you should have strong experience with it. My hint is not to concentrate too much on whether you find all the problems, but speaking out your reasoning process while doing it. That's what they really measure on an interview. – Esa Jokinen Apr 06 '20 at 15:24
  • There are good 5 minute entry level videos on Engineer Man Youtube channel. They have examples of buffer overflows. – postoronnim Apr 06 '20 at 16:55
  • @Hysii Here is my tip for you: Since it's an entry level position, showing your approach to solving problems is more important than just learning a list of problems by heart. I'd rather take a candidate who cannot find the "correct" solution, but demonstrates the ability to quickly acquire and use new knowledge, than a candidate who solves the problem because they have seen it before, without really groking it. –  Apr 07 '20 at 08:19
  • Focusing on the *Microsofts list of banned functions* may be dangerous. They are replaced by other functions that non Microsoft environments do not support. Said differently blindly advising to follow that *Microsoft rule* could lead to non portable code. Depending on the context, the solution can be worse than the problem. – Serge Ballesta Jan 04 '21 at 08:09

3 Answers3

1

Without an understanding of the underlying language, one problem you may have is understanding context.

While it may be best practice to eschew these banned functions completely, I see a lot of projects where some of these functions are used, but in safe contexts. If you raise a red flag simply every time you see one of these functions in use, you may have a bad time.

Here are some examples using the infamous strcpy and its slightly safer version strncpy:

void foo_1(char* bar) {
    char buf[100];
    strcpy(buf, bar);
    puts(buf);
}

char* foo_2(char* bar) {
    char* buf = NULL; 
    buf = malloc(strlen(bar)+1);
    strcpy(buf, bar);
    return buf; // freed later
}

void foo_3(char* bar) {
    char buf[100];
    strncpy(buf, bar, sizeof(buf));
    puts(buf);
}

void foo_4() {
    char buf[100];
    strcpy(buf, "This is just an example.");
    puts(buf);
}

If I did this correctly, these examples should be:

  1. Unsafe (if bar is longer than 100 bytes, an overflow will occur)
  2. Safe (buffer is created large enough)
  3. Unsafe (produces un-terminated string when there are no null bytes in first n bytes of bar)
  4. Safe (string is constant and smaller than buffer size)

From the strcpy manpage:

If the programmer knows (i.e., includes code to test!) that the size of dest is greater than the length of src, then strcpy() can be used.

If these examples are challenging, you may want to brush up on your C programming, as these are by no means complex examples.

Additionally, while the "strn" family functions also may appear on the banned list, many projects use these safely as well by forcing a null byte at the end, often done with a wrapper function.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
1

For C coding interviews, review the following:

  1. Integer Overflows/Underflow: https://www.exploit-db.com/docs/english/28477-linux-integer-overflow-and-underflow.pdf

  2. Buffer Overflows (Stack/Heap): https://owasp.org/www-community/attacks/Buffer_overflow_attack

  3. Format String Vulnerabilities: https://owasp.org/www-community/attacks/Format_string_attack

In addition to the vulnerabilities, you can expect the interviewer to ask you about basics of exploitation. You can read up on:

  1. NOP Sled
  2. Return to libc
  3. ROP

Finally, you should review mitigations/defenses to protect against these vulnerabilities:

  1. ASLR/DEP
  2. Stack Canaries
  3. Control Flow Integrity
Security Enthusiast
  • 11
  • 1
-4

google:'buffer overrun exploits' and 'python buffer overrun proof of concept'

C++ would be almost same for the problems.

Learn to code arrays in C/C++.

[1][2][3]{4}
memalloc - C++ new
memcpy - = 
free - C++ delete
schroeder
  • 123,438
  • 55
  • 284
  • 319
Georgiy Chipunov
  • 1
  • 1