I have not blogged in a while so I figured I better get back to it. I'm going to touch on some source code auditing techniques regarding variables. I hope you all enjoy. Feel free to leave any comments regarding this post or any suggestions.
When auditing source code theres a lot of things to keep in mind such as return values, code paths, logic etc. Today I'll discuss a little bit about how to properly follow variables in code.
First thing to notice about any variable is the datatype. In the C and C++ languages there are several different datatypes which are of various sizes and represent various forums of data. When following a variable through the code the best thing to do is to look at the declaration of the variable. Make a note of what datatype the variable is declared as and what amount of data can be stored in it.
The next thing to do is to watch the variable and make any notes of where the variable is assigned a dynamic or static value. Dynamic values are typically much more interesting than static values however, programmers can and do make mistakes by assigning static values to variables. While looking for variable assignment the auditor should keep in mind the datatype and any kind of typecasting which may be taking place which could cause the intended values being assigned to be represented differently than expected.
Now the auditor should have some basic information about the variable. From the first two steps the auditor should be able to get a fairly clear picture of what the variable is used for and what kind of values the variable can receive. The next part is to try to find relationships between variables.
Relationships between variables is often important. Variables which rely on each other to get value can often times cause problems. This is typically due to trust of the other variables value. If a variable relies on another variable to get a value and a user can manipulate the value of either variable there may be times when the variables can be out of sync with each other and this can cause problems in some portions of the code which should be looked at. For instance, one variable may have some sort of arithmatic preformed on it based on the value of another variable.
Whenever an auditor sees a variable which is important to how a function operates the auditor should consider that any dynamic values the variable receives which is user supplied is always malicious. Dynamic values which are most interesting to look at are values which can bypass logic, cause an arithmatic operation to result in a value which is not expected (ie. a negative array index), large integer values, and long strings.
If auditors pay attention to variables they are sure to find some bugs.
a blog about current security vulnerabilities and technical subjects in general