Thursday, March 08, 2007
Become One With the Variables
I have not blogged in a while so I figured I better get back to it. I'm going to touch on some source code auditing techniques regarding variables. I hope you all enjoy. Feel free to leave any comments regarding this post or any suggestions.

When auditing source code theres a lot of things to keep in mind such as return values, code paths, logic etc. Today I'll discuss a little bit about how to properly follow variables in code.

First thing to notice about any variable is the datatype. In the C and C++ languages there are several different datatypes which are of various sizes and represent various forums of data. When following a variable through the code the best thing to do is to look at the declaration of the variable. Make a note of what datatype the variable is declared as and what amount of data can be stored in it.

The next thing to do is to watch the variable and make any notes of where the variable is assigned a dynamic or static value. Dynamic values are typically much more interesting than static values however, programmers can and do make mistakes by assigning static values to variables. While looking for variable assignment the auditor should keep in mind the datatype and any kind of typecasting which may be taking place which could cause the intended values being assigned to be represented differently than expected.

Now the auditor should have some basic information about the variable. From the first two steps the auditor should be able to get a fairly clear picture of what the variable is used for and what kind of values the variable can receive. The next part is to try to find relationships between variables.

Relationships between variables is often important. Variables which rely on each other to get value can often times cause problems. This is typically due to trust of the other variables value. If a variable relies on another variable to get a value and a user can manipulate the value of either variable there may be times when the variables can be out of sync with each other and this can cause problems in some portions of the code which should be looked at. For instance, one variable may have some sort of arithmatic preformed on it based on the value of another variable.

Whenever an auditor sees a variable which is important to how a function operates the auditor should consider that any dynamic values the variable receives which is user supplied is always malicious. Dynamic values which are most interesting to look at are values which can bypass logic, cause an arithmatic operation to result in a value which is not expected (ie. a negative array index), large integer values, and long strings.

If auditors pay attention to variables they are sure to find some bugs.
 
posted by bannedit at Thursday, March 08, 2007 | Permalink |


4 Comments:


At 10:48 PM, Blogger ProjectSkyLine

Hey man ... get back in #innercircle!

heh, been checking in on your blog now and then. Stop by and read ours if your bored, hah!

- sk

 

At 9:01 PM, Blogger ProjectSkyLine

Hey man,

Good to see you back on #inci.

So, I just about google's policing effort, and I had a thought a way of circumventing it.

From my post:
"I see an immediate tactic of malware distributed through 3rd party applications to contain code that will *hide* or disable the exploit code that injects the malware when it see's a google bot querying the page.

Pretty simple for them to do, since google bot advertises itself. In fact, writers could just have it not displayed on any OS/Browser that it couldn't effect. If it needed Windows IE Version 6 to run the exploit, programmers could only serve to that browser."

Anyways, got any ideas on this MR SECURITY! z0mg -

Also, do you do source code audits?! Get at me!


- sk

 

At 2:06 PM, Blogger Unknown

Certified Ethical Hacker CEH training is held at TechBharat Consulting using official EC-Council curriculum. CEH certification certifies you as Ethical Hacker and Penetration Tester. CEH training is held on Version 7.
ethical hacking certification cost

 

At 5:17 AM, Anonymous Anonymous

You wrote it in that way that everybody can understand what are you talking about. Thanks a lot for this post.