The location in memory of a function is computed at compile time and then stored for later use by the program. If an attacker can overwrite certain function pointers, he or she may be able to execute arbitrary code. To mitigate the effects of such attacks, pointers to functions can be encrypted at runtime on the basis of some characteristics of the execution process so that only a running process will be able to decode them.
...
```c
int (*log_fn)(const char *, ...) = printf;
/* ... */
log_fn("foo");
```
...
Microsoft Windows provides the EncodePointer() and DecodePointer() functions that encrypt and decrypt pointers using a secret that is unique to the given process.
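```c
#include <windows.h>
/* EncodePointer() takes and returns PVOID, so keep the encoded value in a void *. */
void *log_fn = EncodePointer(printf);
/* ... */
/* Decode just before the call and cast back to the function type. */
((int (*)(const char *, ...))DecodePointer(log_fn))("foo");
```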
...
```c
int (*log_fn)(const char *, ...) = encode_pointer(printf);
/* ... */
decode_pointer(log_fn)("foo");
```
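One way to write encode_pointer() and decode_pointer() on a POSIX system, as an added example that is not code from the original page. The signatures, the XOR-and-rotate scheme, the `ROT` constant and the use of `/dev/urandom` are assumptions, as is the premise that a function pointer fits in `uintptr_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*log_fn_t)(const char *, ...);

#define PTR_BITS (sizeof(uintptr_t) * 8)
#define ROT 17u /* constructed rotation count, 0 < ROT < PTR_BITS */

static uintptr_t secret; /* per-process key, held only in memory */
static int secret_ready; /* assumption: first use happens before threads start */

/* Draw the key from the OS once; fail closed rather than run with a guessable key. */
static void init_secret(void) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&secret, sizeof secret, 1, f) != 1)
        abort();
    fclose(f);
    secret_ready = 1;
}

/* XOR with the key, then rotate left, so the stored value is not a usable address. */
uintptr_t encode_pointer(log_fn_t fn) {
    if (!secret_ready)
        init_secret();
    uintptr_t v = (uintptr_t)fn ^ secret;
    return (v << ROT) | (v >> (PTR_BITS - ROT));
}

/* Inverse of encode_pointer(): rotate right, then XOR with the same key. */
log_fn_t decode_pointer(uintptr_t enc) {
    if (!secret_ready)
        init_secret();
    uintptr_t v = (enc >> ROT) | (enc << (PTR_BITS - ROT));
    return (log_fn_t)(v ^ secret);
}

int main(void) {
    uintptr_t log_fn = encode_pointer(printf); /* only the encoded form is stored */
    /* ... */
    return decode_pointer(log_fn)("foo\n") < 0;
}
```

Because the stored value is not an address, a raw function address written over it decodes to a different pointer than the one written.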
...
MITRE CWE: CWE-311, "Missing encryption of sensitive data"
...
Sources
[MSDN] EncodePointer(), DecodePointer()
...