Security and Loopholes in C++

Vaishnavi Sonwalkar
May 20, 2021

C++ is a general-purpose, structured programming language that can be used in systems and embedded programming. It is an object-oriented language that supports encapsulation, data hiding, inheritance and polymorphism.

Figure 1

Cyber-attacks have become pervasive, causing hardship to web users, both individuals and organizations, whether government-owned or private. A study conducted in China reveals that software developed by start-up companies has more serious security issues than that of other organizations, while government and academic institutes have attracted more attention from attackers. It has been found that the majority of them are due to vulnerabilities in the code. Avoiding insecure coding practices in the initial stages of software development can minimize the time and energy spent on finding and fixing them in later stages, and also minimize the losses to humanity on this account.

The C++ programming language is preferred for its performance and efficiency. But as nothing is perfect, there are some loopholes present in the C++ programming language too!

  • One of the main reasons is the ability to use memory-manipulating functions directly by means of pointers to memory locations. This exposes C++ programs to buffer overflow and format string attacks.
  • Buffer overflows and other associated forms of attack usually occur when a user enters more data than the program was designed to hold.
  • A format string attack can take place when a formatting function such as printf() is not used in the right manner. Injecting parameters such as “%x” and “%n” into a format string clears the way for an intruder to read from and write to the stack.
  • Memory allocation and freeing is likely to lead to errors. Any substantial mistake can easily bring about memory leaks or even crash a program.
  • As we learnt earlier, C++ gives a user complete control of the computer’s memory using Direct Memory Access (DMA). While providing this feature, it does not provide a garbage collector that can automatically filter out unnecessary data.
  • There are often security issues when using the C++ language. Although object-oriented programming offers great security compared to other programming languages, certain security issues still exist because of the use of friend functions, global variables and pointers.
  • In structured programming, global data is used, which does not provide security. In a large program it is difficult to find which operation operates on which data, and the program gradually becomes complex.
  • In unstructured programming, there is a problem of code redundancy: the same operation needs to be repeated many times and the same sequence needs to be copied in several places. Therefore, the size of the program grows and consequently its efficiency decreases.
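
The format string problem from the list above, as an added example that is not part of the original article: the same untrusted text is passed once as the format string and once as data behind a constant "%s". The function names and the sample input are constructed for illustration.

```cpp
#include <cstdio>
#include <string>

// BEFORE (the pattern described above): untrusted text is the format string,
// so "%x" makes the function read stack words and "%n" makes it write.
// Kept for contrast only; compilers report it under -Wformat-security.
std::string render_unsafe(const char *untrusted) {
    char buf[128];
    std::snprintf(buf, sizeof buf, untrusted);   // format chosen by the caller
    return buf;
}

// AFTER: the format is a constant, so untrusted text is only ever data.
std::string render_safe(const char *untrusted) {
    char buf[128];
    std::snprintf(buf, sizeof buf, "%s", untrusted);
    return buf;
}

// Detection aid for input validation and log review: true if the text holds
// a conversion directive ("%%" is a literal percent sign and is skipped).
bool has_format_directive(const std::string &s) {
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') continue;
        if (i + 1 < s.size() && s[i + 1] == '%') { ++i; continue; }
        return true;
    }
    return false;
}

int main() {
    const char *sample = "id=%x.%x.%n";   // constructed sample input
    // The hardened call prints the directives literally instead of acting on them.
    std::printf("safe:    %s\n", render_safe(sample).c_str());
    std::printf("flagged: %d\n", has_format_directive(sample));
    return 0;
}
```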

Knowledge about the presence of security vulnerabilities in a programming language doesn’t solve the difficulty completely, unless the developer remains security conscious during all the phases of software development.

There are two ways of detecting security vulnerabilities in a program:

1.1 Static Analysis: It is performed statically, without executing the code. In this analysis, the code is examined to find errors. This can be done manually as well as using some software.

1.2 Dynamic Analysis: It is carried out during the execution of a program. In this analysis, the program is executed with given inputs and the output is checked against what is expected. This can also be done manually or using some software.

TIPS FOR SECURE CODING IN C++

Figure 2
  • strcpy() and strcat() should not be used. Instead of strcpy() and strcat(), use strncpy() and strncat(): The strcpy() and strcat() functions provide no means of restricting the length of the input. As a result, strncpy() and strncat() offer further protection against buffer overflows.
  • Make sure you’re using streadd() or strecpy() correctly: It is recommended that you allocate a destination buffer that is at least 4 times longer than the input buffer when using the streadd() or strecpy() functions.
  • Make use of precision specifiers as far as possible: When using string arguments for formatting operations, precision specifiers should be used in the format strings. sprintf(), vsprintf(), scanf(), and sscanf() are examples of formatting functions used in the C++ programming language.
  • Provide adequate output buffer sizes for functions like realpath() and getpass(): To prevent overrunning the buffer’s limits, create output buffers large enough to safely hold the largest possible string returned by the function. When writing C++ applications, it’s important that you get the buffer sizes right.
  • Provide adequate input buffer sizes for functions like realpath(), syslog(), and getopt(): Some functions in the C++ programming language accept strings as input; realpath(), syslog(), and getopt() are several examples. A buffer overflow attack can occur when these functions are passed an excessively large input. As a result, before calling the realpath(), syslog(), and getopt() functions, a good coder should determine the maximum possible length of input string needed for a given program and shorten input strings accordingly.
  • Conduct in-depth assessment evaluations: Using auditing software to look for potentially unsafe functions in C++ source code is still a good idea. Using such a tool, you can quickly detect vulnerability bugs and fix them until a red line appears.
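
An added example (not from the original article or its references) of the first and third tips: bounded copies with strncpy() and strncat(), and a precision specifier in a format string. It also handles two details the tips leave out: strncpy() does not terminate a full buffer, and strncat() takes the remaining space rather than the buffer size. The helper names are hypothetical, and snprintf() is used in place of sprintf() so the destination size is enforced as well.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Copy src into dst (capacity cap > 0). strncpy() writes no terminator when
// src fills the buffer, so one is set explicitly. False means truncated.
bool bounded_copy(char *dst, std::size_t cap, const char *src) {
    std::strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return std::strlen(src) < cap;
}

// Append src to the terminated string in dst. strncat() takes the number of
// bytes still free (terminator excluded), not the total size of dst.
bool bounded_append(char *dst, std::size_t cap, const char *src) {
    std::size_t used = std::strlen(dst);
    if (used >= cap - 1) return *src == '\0';   // buffer already full
    std::size_t room = cap - 1 - used;
    std::strncat(dst, src, room);
    return std::strlen(src) <= room;
}

// Precision specifier: "%.*s" emits at most max_chars bytes of name.
// snprintf() (used here instead of sprintf()) also enforces cap and returns
// the length it needed, which reveals truncation.
bool format_user(char *dst, std::size_t cap, const char *name, int max_chars) {
    int needed = std::snprintf(dst, cap, "user=%.*s", max_chars, name);
    return needed >= 0 && static_cast<std::size_t>(needed) < cap;
}

int main() {
    char buf[8];
    // Constructed over-long input: 12 bytes into an 8-byte buffer.
    bool fits = bounded_copy(buf, sizeof buf, "AAAAAAAAAAAA");
    std::printf("copy:   \"%s\" fits=%d\n", buf, fits);
    fits = bounded_append(buf, sizeof buf, "B");
    std::printf("append: \"%s\" fits=%d\n", buf, fits);
    char line[32];
    format_user(line, sizeof line, "administrator", 5);
    std::printf("%s\n", line);   // user=admin
    return 0;
}
```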

Conclusion

Despite being vulnerable to hacking attacks, C++ remains an essential programming language. As a result, learning how to write secure, solid code in this language is critical for ensuring that applications perform as intended while maintaining data integrity and privacy.

References

[1] https://pentestmag.com/write-secure-code-cc-programming-languages/

[2] https://data-flair.training/blogs/advantages-and-disadvantages-of-cpp/

[3] https://tekslate.com/c-explain-advantages-disadvantages

[4] http://ijarcsse.com/Before_August_2017/docs/papers/Volume_5/7_July2015/V5I7-0461.pdf

[5] Figure 1: https://static1.smartbear.co/smartbear/media/blog/wp/constexpr%20to%20improve%20security1.jpg

[6] Figure 2: https://www.educative.io/v2api/editorpage/5393602882568192/image/6038586442907648

By Vaishnavi Sonwalkar, Geetanjali Shinde, Abhijeet Shivachary, Aishwarya Satpute
