-
Notifications
You must be signed in to change notification settings - Fork 87
FORTIFY SOURCE and Safe String Library
I've had some questions regarding FORTIFY_SOURCE and whether that is a replacement for this library. What is the benefit of the Safe String Library over FORTIFY_SOURCE
For a quick read, check out this RedHat post: FORTIFY SOURCE Explanation and Deep Dive into FORTIFY SOURCE. Basically FORTIFY_SOURCE is a GCC compiler flag that adds check code into certain calls that could cause buffer overflows, and then stops that code from executing.
FORTIFY SOURCE works on only a few functions, including:
memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets
Also, while the compiler attempts to make replacements, it can't always do so, and then fails silently. So some of your usages of replaceable functions may not actually be protected.
Finally, if a buffer overflow does occur on a protected (fortified) function, an exception is thrown halting your program.
That depends on your perspective. There are a few advantages:
- With the Safe String Library, the programmer is aware of which usages of unsafe functions are replaced (protected) and which aren't; remember, FORTIFY_SOURCE attempts to make changes, but doesn't guarantee all vulnerable instances are protected.
- When a buffer overflow could occur, the Safe String Library returns an error, allowing the programmer an opportunity to handle the situation gracefully, in context; when using FORTIFY_SOURCE, an exception is thrown, and if it isn't handled, then the program terminates - from the exception, it may be difficult to determine the context of the buffer overflow and the appropriate way to gracefully handle the error. Terminating the program is not always the right exception handling procedure (think IoT devices, medical devices, safety-critical programs, etc.)
- The Safe String Library allows for the protection of more string and buffer manipulation functions; if a program uses advanced string manipulation functions, FORTIFY SOURCE doesn't protect many of those operations.
That's a really good question!! Put another way, should I enable FORTIFY SOURCE on my program AND ALSO use the Safe String Library? First, if you look at the actual source code for the Safe String Library, the underlying functions in Safe String Library do NOT call the unprotected (unsafe) C Library functions. Therefore, using FORTIFY SOURCE along with the Safe String Library is not duplicative (you don't get belts and suspenders!)
However, FORTIFY SOURCE doesn't hurt. If there are some memcpy or strcat functions that were forgotten or missed, or if you have open source modules that aren't using safe versions of those functions, FORTIFY SOURCE can help protect those instances.
FORTIFY SOURCE was added to GCC to protect most instances of simple banned function usages, and prevent buffer overflows. However, unless special care is taken to add exception handling for any exception thrown by the FORTIFY SOURCE replacement code, your program may crash unexpectedly on some inputs, and this could be an issue, depending on your product.
The Safe String Library gives the programmer more flexibility, covers more string manipulation functions, and allows for customized recovery when a buffer overflow is detected. But at least when you use the Safe String Library, if you also use FORTIFY_SOURCE, you won't be forced to wear belts and suspenders!