
The location in memory of a function is computed at compile time and then stored for later use by the program. If an attacker can overwrite certain function pointers, they may be able to execute arbitrary code. To mitigate the effects of such attacks, pointers to functions may be encrypted at run time based on some characteristics of the execution process such that only a running process will be able to decode them.

Noncompliant Code Example

#include <stdio.h>

int main(void) {
  int (*log_fn)(const char *, ...) = printf; /* stored as a plain address */
  /* ... */
  log_fn("foo"); /* whatever address is in log_fn at this point gets called */
}

If an attacker can launch some kind of overwrite attack, such as a buffer overflow, they may be able to overwrite the stored value of log_fn (the address of printf) with the address of an arbitrary function, which is then called in place of printf.

Compliant Solution (Windows)

Microsoft Windows provides the EncodePointer() and DecodePointer() functions, which encrypt and decrypt pointers using a secret that is unique to the given process. Both take and return a PVOID, so the encoded value is stored as an opaque PVOID and cast back to the function pointer type only at the call site.

#include <stdio.h>
#include <windows.h>

int main(void) {
  PVOID log_fn = EncodePointer((PVOID)printf); /* only the encoded form is stored */
  /* ... */
  ((int (*)(const char *, ...))DecodePointer(log_fn))("foo"); /* decode at the call site */
}

Compliant Solution (C1X)

Two similar functions are under consideration for the new C Standard, tentatively dubbed C1X.

The proposal specifies encode_pointer() to have the following behavior:

The encode_pointer function shall perform a transformation on the pf argument, such that the decode_pointer function shall reverse that transformation. Thus, for any pointer to function pfun,

decode_pointer(encode_pointer((void (*)())pfun))

when converted to the type of pfun, shall equal pfun.

#include <stdio.h>

int main(void) {
  /* encode_pointer()/decode_pointer() take and return void (*)(); cast at the boundaries */
  void (*log_fn)() = encode_pointer((void (*)())printf);
  /* ... */
  ((int (*)(const char *, ...))decode_pointer(log_fn))("foo");
}
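The Windows and C1X solutions above both rely on a library whose internals are not shown. The following added example is not code from the CERT page, from Microsoft or from the C1X proposal: it is a portable stand-in for EncodePointer()/encode_pointer() that XORs the pointer with a per-process secret and rotates the result, so the encode/decode round trip, and what happens to an overwritten slot, can be observed directly. The secret seeding (clock plus a stack address) is a hypothetical placeholder for an OS random source, and trusted_log()/other_function() are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef void (*generic_fn)(void);
typedef int (*log_fn_t)(const char *, ...);

/* The scheme moves pointer bits through a uintptr_t; refuse to compile where they differ in size */
typedef char fn_ptr_fits_in_word[sizeof(generic_fn) == sizeof(uintptr_t) ? 1 : -1];

/* Per-process secret, seeded lazily. Seeding from the clock and a stack address is a
 * stand-in for a CSPRNG (assumption for this example; use the OS random source in practice). */
static uintptr_t pointer_secret;

static void ensure_secret(void) {
  if (pointer_secret == 0) {
    char local;
    pointer_secret = (uintptr_t)time(NULL) ^ ((uintptr_t)clock() << 16)
                     ^ (uintptr_t)(void *)&local;
    if (pointer_secret == 0)
      pointer_secret = (uintptr_t)0x5A5A5A5Au; /* never leave the secret at zero */
  }
}

/* Copy the pointer's bits into an integer and back without a direct cast */
static uintptr_t fn_to_word(generic_fn fp) {
  uintptr_t w;
  memcpy(&w, &fp, sizeof w);
  return w;
}
static generic_fn word_to_fn(uintptr_t w) {
  generic_fn fp;
  memcpy(&fp, &w, sizeof fp);
  return fp;
}

#define ROT_BITS 13
#define WORD_BITS (sizeof(uintptr_t) * 8)

/* Encode: XOR with the secret, then rotate left so that a change to one byte of
 * the stored value does not map onto one predictable byte of the decoded address. */
uintptr_t encode_fn_pointer(generic_fn fp) {
  ensure_secret();
  uintptr_t w = fn_to_word(fp) ^ pointer_secret;
  return (w << ROT_BITS) | (w >> (WORD_BITS - ROT_BITS));
}

/* Decode: undo the rotation, then the XOR */
generic_fn decode_fn_pointer(uintptr_t enc) {
  ensure_secret();
  uintptr_t w = (enc >> ROT_BITS) | (enc << (WORD_BITS - ROT_BITS));
  return word_to_fn(w ^ pointer_secret);
}

/* Two functions with the logging signature, constructed for the demo: the intended
 * callee, and some other function an overwrite might try to substitute. */
static int trusted_log(const char *fmt, ...) { (void)fmt; return 1; }
static int other_function(const char *fmt, ...) { (void)fmt; return -1; }

/* Usage pattern from the page: encode when the pointer is stored, decode at the call site */
int call_through_encoded_pointer(void) {
  uintptr_t log_fn = encode_fn_pointer((generic_fn)trusted_log); /* only the encoded form is stored */
  /* ... */
  return ((log_fn_t)decode_fn_pointer(log_fn))("foo");
}

/* The stored value is not the raw address, so reading the slot does not reveal the callee */
int encoded_value_differs(void) {
  return encode_fn_pointer((generic_fn)trusted_log) != fn_to_word((generic_fn)trusted_log);
}

/* Mitigation check: if the slot is replaced with the raw address of another function
 * (the overwrite the page describes), decoding maps it to neither that function nor
 * the original one, because the writer did not know the secret. */
int raw_overwrite_is_defeated(void) {
  uintptr_t slot = encode_fn_pointer((generic_fn)trusted_log);
  slot = fn_to_word((generic_fn)other_function); /* simulated corruption of the slot */
  generic_fn decoded = decode_fn_pointer(slot);
  return decoded != (generic_fn)other_function && decoded != (generic_fn)trusted_log;
}

int main(void) {
  printf("call returned %d, encoded differs %d, overwrite defeated %d\n",
         call_through_encoded_pointer(), encoded_value_differs(),
         raw_overwrite_is_defeated());
  return 0;
}
```

The decoded pointer lives only in a local at the call site and is never written back to memory; storing a decoded copy would recreate the plain function pointer the noncompliant example has. The secret itself is the weak point of the scheme, which is why a production implementation draws it from the operating system rather than from the clock.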

Risk Assessment

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
MSC16-C          high       unlikely     low                P9         L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.
