CSCD 303 Lab3 Secure Code Fun
Due: February 10, 2014

Instructions
This lab has two parts. The first part is for you to do some self study about buffer overflows and the insecure code that leads to them happening. We will limit ourselves to the C language. The second part is for you to identify some insecure code in C and offer the fix for them. Plus, describe some tools to prevent insecure code from happening.

Part 1. - Background Reading

Choose to read from the links below anything you feel will help answer the Lab questions and exercises. The first link is long and you only need the part on C and possibly the tools for fixing the code.

Sans Reading Room
Sans Secure Code Paper
Paper from CMU
Mitigating C Vulnerabilities
CERN Vulnerable C functions
CERN Recommendations
CERN Static Code Analysis Tools
CERN's Page on Static Analysis Tools
Or, find some of your own references and please include them in your Lab write-up if you find some good ones.

Part 2. - Questions

1. Why are the following C functions unsafe? Provide short examples of how they are unsafe
Strcpy
Strcat
Sprintf
gets

2. Are there functions that could replace the functions in Question 1 and if so, name them and show examples of using them in a safer way.

3. Is the following code unsafe for buffer overflows? If yes, how would you fix it?

#include <>
void Test ()
{
char buff[8];
printf ("Some input: ");
gets (buff);
puts (buff);

}
int main ()
{
Test ();
return 0;
}

4. Describe one other type of buffer overflow than the stack based buffer overflow we discussed in class

5. Describe briefly at least two tools useful in secure code development

Turn In
1. Results from answering the questions in electronic form
2. Put CSCD330 - Lab 3 in the Subject line
3. Extra Credit 8 points: Cut and paste the code in 3. into a C file. Show what happens when the code is violated. Then, fix it and show how it is fixed and can't be violated.