How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities

Dangling pointers occur when a programmer creates, uses, and then frees an object in memory, but does not change the object's pointer value accordingly -- in this case, to a null pointer. Instead, the pointer inaccurately refers to the memory location of the de-allocated memory. The pointer is considered to be "dangling" since it points to memory that may no longer hold a valid object. Because the memory may contain completely different data, unpredictable behavior can result when a programmer mistakenly dereferences the pointer to access the object.

Experts at online risk management company Watchfire, recently acquired by IBM, have found a way to take control of dangling pointers and point them to a specific memory location. By sending a specially crafted URL to a server, researchers Jonathan Afek and Adi Sharabani discovered that they could crash a target machine and run their own shell code on it. Using this method, an attacker could remotely control or infect any machine that has a dangling pointer in one of its applications, in much the same way that an attacker could exploit a buffer overflow vulnerability.

And we have seen how damaging and effective buffer overflow attacks can be. Corrupted data structures, information leaks, privilege escalation and execution of malicious code are all possible exploits when an attacker meddles with computer memory. Although dangling pointers can probably be found in most mature applications, hackers are going to focus on Web server applications because they often contain a high volume of sensitive data.

More information Get an in-depth look at how Watchfire researchers exploited the dangling pointer. For more information on emerging security threats, check out our special news coverage of Black Hat USA 2007. Stumped on Web security? Send Michael Cobb your questions.

Dangling pointers can be very difficult for programmers to locate since they often corrupt unrelated data or cause system instabilities long after they are created. The bugs are most prevalent in low-level languages such as C and C++. In higher-level languages like Java and C#, dangling pointers cannot occur. Here, pointers are handled automatically, and implicit garbage collection occurs when an object is eliminated. Developers using languages without some form of automatic handling of pointers need to reassess their application development processes. All pointers need to be set to a null pointer after use.

Smart pointers are popular data types that can better manage memory. A smart pointer typically uses reference counting to reclaim objects. Reference-counting mechanisms calculate the smart pointers that refer to the same object, and once the count equals zero, the object is deleted.

Some other defensive measures include the "tombstones method" and the "locks-and-keys method." Once an object is dead, an associated tombstone can provide automatic nullification of any pointers that may be referencing it. In a locks-and-keys scenario, pointer access is determined by comparing the two values of a pair of ordered keys. Other available products like Valgrind, a suite of debugging equipment, and the Boehm-Demers-Weiser garbage collector, a tool that cleans up code, can also help prevent dangling pointers.

Since dangling pointers can no longer be considered a benign problem, developers need to adjust software development processes so that dangling pointers are prevented from reaching production code. Because the problem may become too serious to leave until the quality control stage, protective measures should be placed earlier in the development lifecycle. With high-level languages, the process will be relatively straightforward. For those developing and maintaining programs in other languages, relying on the above-mentioned best practices is recommended.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Emerging Information Security Threats Study of banking malware analyzes underground economy Microsoft warns of SQL Server zero-day How to prevent clickjacking attacks with security policy, not technology Cisco: Cybercriminals more savvy than ever in 2008 Flash, PDF are growing malware targets Holiday shopping threats Amit Yoran on DHS, federal cybersecurity What are 'phlashing' attacks? Security researchers leading way in biometrics, insider threats, encryption and virtualization New worm attacks Windows smartphones Secure Software Development Adobe hopes to speed patch releases with more transparency Microsoft updates code analysis tool, SQL injection XSS library Poor development practices lead to continued security problems How can quality assurance tools aid software development? Metaforic crosses swords with software pirates How can gap analysis be applied to the security system development life cycle? Microsoft opens up secure development program Mozilla's Snyder says security pros should press vendors on security Vista functionality still wins over security Mozilla to release Firefox threat-modeling data RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.