Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Security</strong><br />
The only solution here is to never trust data controlled by a user. printf type functions must also<br />
be used carefully. When a function takes as an argument a format chain, the latter must only be<br />
formatted by the program itself and not the user.<br />
Example :<br />
One never writes:<br />
sprintf(buf, argv[1]);<br />
but one writes:<br />
sprintf(buf, "%s", argv[1]);<br />
4. Race Condition<br />
A) Presentation<br />
Even if they are among the least-known, “race conditions” are some <strong>of</strong> the most common bugs found<br />
on s<strong>of</strong>tware.<br />
These vulnerabilities are extremely hard to identify and therefore to correct. Indeed, a program<br />
functioning very well can host several <strong>of</strong> these bugs in a “silent” manner, in the sense that there is no<br />
malfunctioning <strong>of</strong> the program, or at least not in a systematic way, but this can still be exploited in a<br />
malicious way.<br />
Most <strong>of</strong> the time, “race conditions” decide how robust the s<strong>of</strong>tware is. The competing access to data<br />
can cause application instability without any other consequences. However, there are many times (by<br />
this I mean a very short lapse <strong>of</strong> time) when “race conditions” have security implications. In fact, file<br />
system accesses are subject to course connect security states much more <strong>of</strong>ten than most people<br />
believe.<br />
In a constantly changing IT environment, where the multi-threading, multi-treating and distributed<br />
computing are all the rage, this type <strong>of</strong> problem can only become more frequent in the future.<br />
Definition<br />
A “race condition” happens when several processes have access to and manipulate the same<br />
information or data at the same time. To “keep it simple”, a “race condition” is encountered when an A<br />
application will use information that is going to be modified in a more or less synchronous way by a B<br />
application. We then have an abnormal functioning <strong>of</strong> applications due to the bad relative<br />
synchronization <strong>of</strong> events.<br />
“Race conditions” are <strong>of</strong>ten encountered on numerous applications: these are possible only in<br />
environments where multi-threads are found, that is where executed processes allow a certain<br />
interactivity or at least an asynchronous treatment <strong>of</strong> information, as can happen with Unix signals, for<br />
example.<br />
The <strong>Hack</strong>ademy DMP -159/209- SYSDREAM