Typical security issues in C++: why the GC isn't your enemy
Siarhei Siamashka
siarhei.siamashka at gmail.com
Tue Dec 6 04:35:18 UTC 2022
On Monday, 5 December 2022 at 19:57:39 UTC, H. S. Teoh wrote:
> D's bounds checks are often touted as a major feature to
> prevent issues with buffer overflow and out-of-bounds accesses.
> Interestingly, "buffer overflow" and "out of bounds..." add up
> only to about 14% of the total issues. Nothing to sneeze at,
> but nonetheless not as big an issue as use-after-free bugs.
This doesn't mean that there are fewer "out of bounds" bugs in
general. But they are less likely to become exploitable security
vulnerabilities. The "use after free" bugs are relatively easily
to exploit:
1. The old buffer is freed.
2. This part of memory is later allocated for storing some
security sensitive information.
3. Access via the old pointer results in leaking the sensitive
information.
GC surely helps to mitigate the security aspect of this. But the
bug in the application logic may still be there and only manifest
itself as a memory leak (if the application still keeps a pointer
to the data that is not supposed to be used anymore). A good
coding practice in C/C++ is to explicitly set a pointer to NULL
immediately after deallocating memory.
> Integer overflow is also sometimes brought up as something
> important; but at least according to the above categorization
> it only accounts for 2% of issues. So not as big a deal as
> some may have made it sound.
First, not every bug easily results in an exploitable security
vulnerability. It's the same as with the "buffer overflow" vs.
"use after free" case. And more importantly, C/C++ compilers are
just safer than D compilers when it comes to integer overflows
detection. Chromium developers are actively using
[UBSAN](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html), which even allows detecting unsigned integer overflows:
-fsanitize=unsigned-integer-overflow: Unsigned integer
overflow, where the result
of an unsigned integer computation cannot be represented in
its type. Unlike signed
integer overflow, this is not undefined behavior, but it is
often unintentional.
You can grep Chromium source code for `no_sanitize` or even
`__attribute__((no_sanitize("unsigned-integer-overflow")))` if
you don't believe me.
Many of the integer overflow bugs are caught by the C++ compiler
via UBSAN during the development and never reach the end users.
While D compilers don't offer any reasonable protection. Except
for GDC, which supports `-ftrapv` option as an undocumented
"Easter egg".
More information about the Digitalmars-d
mailing list