...
Code Block | ||||
---|---|---|---|---|
| ||||
int (*log_fn)(const char *, ...) = printf;
/* ... */
log_fn("foo");
|
If a vulnerability exists in this program that allows an attacker to overwrite the log_fn
function pointer, such as a buffer overflow or arbitrary memory write, the attacker may be able to overwrite the value of printf
with the location of an arbitrary function.
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <Windows.h>
void *log_fn = EncodePointer(printf);
/* ... */
int (*fn)(const char *, ...) = (int (*)(const char *, ...))DecodePointer(log_fn);
fn("foo"); |
Note that DecodePointer()
does not return success or failure. If an attacker has overwritten the pointer contained in log_fn
, the pointer returned will be invalid and cause your application to crash. However, this is preferable to giving an attacker the ability to execute arbitrary code.
...
SEI CERT C++ Coding Standard | MSC16-CPP. Consider encrypting function pointers |
MITRE CWE | CWE-311, Missing encryption of sensitive data |
Bibliography
[AA. Bibliography#MSDNMSDN] | EncodePointer() DecodePointer() |
Microsoft Corporation 2012 | Microsoft Security Development Lifecycle (SDL) – version 5.2Phase 3: Implementation |
...