A Weak Pointer is any pointer that can be maligned to point outside the bounds to which it was initially allocated in the binary code. An example could be either a stack pointer or heap pointer. When allocated, the Weak Pointer was given a base value and maximum size. It is thought that binary-level vulnerabilities cannot occur without the ability to force a pointer to fall outside the range it was allocated. Other forms of exploitation can happen without it, but it stops the attacker from obtaining control flow.
To secure the Weak Pointer, several steps can be taken:
- An automated control flow integrity (CFI) or software fault isolation (SFI) solution is often available from compilers. Just rebuilding with these protections enabled is usually a victory because it eliminates the need for a patch. But, be warned that practically all of these implementations are restricted by their critical neo and do not impose much performance overhead, so they often have glaring holes. Not to impose much performance and do
- Another step that can be taken is the data pointer that faulted can be efficiently and effectively masked to prevent it from falling outside its bounds. To do this, a user with source access will modify the source to add a couple of operations to update the pointer to restrict it to within its bounds. If the pointer is already within that, there will be no effect.
An example:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
const int SIZE_SMALL = 4;
const int SIZE_LARGE = 131072;
int f(int argc) {
if (argc > 1) {
char *dst = malloc(SIZE_SMALL);
dst[argc]='\0';
}
}
int main(int argc, char *argv[]) {
f(argc);
return 0;
}
This example has several obvious weak pointers.
ObjectSecurity OT.AI Platform Weak Pointer Analysis finds these successfully; they have a path, and confidence score reports successfully for these.
What exactly can be done for any allocated dst? The following function repairs a pointer given the original and updates the math of the pointer to restrict it before using the Wepointer.
void * repair(void * orig, int size, void * ptr) {
if (ptr < orig) ptr = orig;
if (ptr > (orig+size)) ptr = (orig+size)
return ptr;
}
int f_repaired(int argc) {
if (argc > 1) {
char *dst = malloc(SIZE_SMALL);
char *dst_access = dst + argc;
dst_access = repair(dst, SIZE_SMALL, dst_access);
*dst_access='\0';
}
}
This approach is the same for all Weak Pointers, but remember that you now may need to keep track of the pointer’s bounds up to the point at which the pointer is weak to have the bounds to restrict the pointer. Why point that out? Because the vulnerable pointer is a reassignable data value, the protection can’t be glued to the code that accesses it if it has potentially different values. To make that more clear, here is another example (just in the narrative this time):
- A Weak Pointer occurs at an address.
- That address accesses a pointer that was passed around as a variable.
- Therefore, the correct bound must be looked up for that pointer before it is applied.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article