Re: how can i handle string operation in kernel mini driver?

> ----------

From: xxxxx@nryan.com[SMTP:xxxxx@nryan.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, July 16, 2003 6:06 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] Re: how can i handle string operation in kernel mini
driver?

It all depends on if you can trust your input. Same as any other kernel
code.

It is worse. Even trusted input can cause problems with these string
routines because of a bug or unexpected conditions and testing may not
reveal it. I tend to believe only counted string functions should be used
whenever possible even in user mode. It is better to be a bit paranoid than
lose time with silly problems which can be easily avoided. Better be safe
than sorry.

IIRC original question was about sscanf and strtok which seems as data from
user mode, file or registry. Nothing what can be trusted. And horrible idea
at all.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]

I don’t know if I catch the gist of your reasoning, but a device driver
should be the bottom layer of the onion peel, and there’s a mass of OS code
in between the app and the driver. If a problem in an app, such as a
dangling pointer, is passed all the way down to the driver, the problem is
in the intervening layers: IMO “defensive programming” here means, heck, we
can’t trust the input the OS gives us, therefore we have to armor our car in
case they ws rocket propelled grenades at us. Is it ok to write a driver as
if we were a platoon commander in Iraq ?

Somehow I don’t think this is the right way of doing business. A device
driver, by its very position in the hierarchy, should not have to worry
about bad input, small stacks, or anything of that sort. After all, that’s
why it’s trusted code, no ?

And the architecture has a failsafe mechanism to contain dangling pointers,
it’s called “segments”. It’d be a simple matter to wrap every I/O buffer and
driver-accessible data packet in a segment, and you’d not need to worry
about corrupting other people’s buffers.

Use the architecture, dude…

Alberto.

-----Original Message-----
From: Loren Wilton [mailto:xxxxx@earthlink.net]
Sent: Wednesday, July 16, 2003 12:58 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: how can i handle string operation in kernel mini
driver?

It all depends on if you can trust your input. Same as any other kernel
code.

Sure. And The Answer in kernel mode is that You Can’t.

Which could explain why a whole lotta MS Kernel routines start with _try,
and those that can’t either know they will take out the user program only,
or carefully check their inputs by hand before using them. And still get
burned sometimes.

Kernel mode (or OS interfaces in general) are somewhat unique in that it is
very very rare that one programmer and one programmer only has absolute
control of both sides of an interface. Any interface. Even if there is a
spec on what is to be provided to an interface (or *back from* an
interface), you can’t trust that *everyone* will *always* get it right. So
you have to practice Defensive Programming if you expect your code and the
OS to survive.

Blowing up in a call from a bad pointer dereference is bad enough. But if
you manage to trash a bunch of global data (or worse, code) do to a runaway
data transfer in the process, *really* bad things can happen, which in a lot
cases can be virtually irrecoverable,even with a reboot. And the bad thing
is that while you know quickly when you fumble a bad pointer and die, you
may not have any immediate indication at all that you trashed data outside a
buffer range. Someone else might find that out, three days from now.

Loren

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

The architecture has two levels of protection to handle this kind of thing,
segments and pages. I find it amazing that people claim to be security
conscious all over the place and yet fail to use the machine architecture to
make simple provisions for this kind of error. Wrap it in a segment, put an
unallocated page at the end of the buffer, or else use STL or a C++ string
class that takes care of these things seamlessly, there’s lots of ways of
handling it. The one approach I don’t find acceptable is to demand a
proprietary interface.

And you know, if the C library is no longer sufficient to guarantee good
coding, that’s a one more reason to move up to C++ !

Alberto.

-----Original Message-----
From: Loren Wilton [mailto:xxxxx@earthlink.net]
Sent: Tuesday, July 15, 2003 11:34 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: how can i handle string operation in kernel mini
driver?

The problem is that any string routine that doesn’t have a size-delimited
output buffer (such as strcpy or sscanf) is inherently unsafe, because it
has no way to prevent overrunning the output buffer with a too-long source.
This is probably the source of 98+% of all of the MS security bugs that have
been fixed over the last few years. (And probably everyone else’s as well.)

You can always add code to check the source length, but there are always
lots of edge conditions (will strncpy put a terminating null in the output
buffer or not?) that somehow never seem to get checked quite correctly until
after some hacker finds that particular one.

A set of routines that are perhaps less efficient, but which will have an
output buffer limit and handle termination cases correctly is FAR more
appropriate for kernel (or network path) usage.

Useful as they are, I’m afraid that I think most of the routines in string.h
are inherently evil for kernel or network or any other high-reliability
usage.

Loren

----- Original Message -----
From: “Moreira, Alberto”
To: “Windows System Software Developers Interest List”
Sent: Tuesday, July 15, 2003 8:23 AM
Subject: [ntdev] Re: how can i handle string operation in kernel mini
driver?

> In a compiler that’s attached to a DDK and that has no other objective
> besides building drivers, it’d make more sense to me if string.h was
> kernel-side safe.

—
You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.