Facebook Awards Researchers $100k For Detecting Emerging Class of C++ Bugs

An anonymous reader writes: Facebook has awarded $100,000 to a team of researchers from Georgia Tech University for their discovery of a new method for identifying "bad-casting" vulnerabilities that affect programs written in C++. "Type casting, which converts one type of an object to another, plays an essential role in enabling polymorphism in C++ because it allows a program to utilize certain general or specific implementations in the class hierarchies. However, if not correctly used, it may return unsafe and incorrectly casted values, leading to so-called bad-casting or type-confusion vulnerabilities," the researchers explained in their paper.

They've only just discovered this?

[Viol8]

Most casting errors will be caught at runtime. For the rest theres dynamic_cast though people tend to be too lazy to use it. Thats not a fault of the language.
Obviously if you use C style casts then you pays your money...

Re:They've only just discovered this?

[Viol8]

That should have read "caught at compile time"

Re:They've only just discovered this?

dynamic_cast requires RTTI, which means you're a bit optimistic to say "Most caught at compile time, for other casts use dynamic_cast".

Of course, templates mean that the compiler can substitute actual types. That gives you compile-time polymorphism instead of runtime polymorphism, and that in turn means you're increasingly right that most cast errors are caught at compile time. The price is unfortunately even longer compile times. Guess why I'm posting right now....

Re:They've only just discovered this?

[Viol8]

I suggest you go read your C++ book again. It only returns null for pointers.

Re:They've only just discovered this?

[Cassini2]

On error, dynamic_cast returns NULL for pointers, and an exception for references. From cppreference:

If the cast is successful, dynamic_cast returns a value of type new_type. If the cast fails and new_type is a pointer type, it returns a null pointer of that type. If the cast fails and new_type is a reference type, it throws an exception that matches a handler of type std::bad_cast.

Yawn -- Another Closed Source Problem

Thankfully, I only use FOSS software which is not vulnerable to this problem. Many eyes are sure to catch anything like this in the rigorous peer reviews that happen on every commit.

Re:Yawn -- Another Closed Source Problem

We have applied CAVER to largescale software including Chrome and Firefox browsers, and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox, all of which have been confirmed and subsequently fixed by vendors.

Re:Yawn -- Another Closed Source Problem

[jonkalb]

Thankfully, I only use FOSS software which is not vulnerable to this problem. Many eyes are sure to catch anything like this in the rigorous peer reviews that happen on every commit.

In case any readers are not seeing this statement as sarcasm, this award was given because the group found eleven previously unknown security vulnerabilities in open source code. Although "many eyes" are better than few eyes, is is naive to believe that open source code is flawless just because it is open source.

Re:Yawn -- Another Closed Source Problem

Actually, it's more of a troll than sarcasm.

Re:Yawn -- Another Closed Source Problem

[edtice1559]

Perhaps it is somewhat of a troll, but also makes a valid point. (I happen to like the sarcasm as well). We would like to think that all bugs are shallow given enough eyes. It's a reasonable mantra. And closed-source software has a history of eyes being intentionally closed (and the CSO getting mad at you for reporting bugs). Simple things like forgetting to close a file can be found through sheer determination. If the software is small enough for somebody to understand the whole thing, even the more complicated bugs may be found out this way. When things get large, you have experts who understand individual subsystems really well but for use cases that cross multiple sub-systems, subtle errors are made. These can't be found by looking at the code unless you know both subsystems very well. But there may not be anybody in that position so the bugs stay around a long time. For this type of situation you need better tools and a lot of progress has been made in this area. But given the number of bugs that get found in even good production software, there is still clearly a gap to fill.

Rants against the C++ language

And Stroustrup coming in 3.. 2.. 1..

No they haven't

[Burdell]

They haven't awarded anything to "Georgia Tech University", because there is no such thing. Georgia Tech is an institute; the Georgia Institute Of Technology.

Re:No they haven't

[fnj]

I once saw a clueless idiot write "University of Boston" for "Boston University".

Perl doesn't have that problem!

[MagickalMyst]

Variable types are interpreted dynamically during runtime in Perl, depending on how the variable is called.

Sorry, I couldn't resist...

Re: Gee...

Just change to ADA instead.

Debug runtime typing system

[edtice1559]

I actually read the paper (okay, mod me down). Java and .Net have very strong runtime typing systems. C/C++ does not. Adding one is a bit tricky because there are certain things that are legal in C/C++ and not Java. Specifically, it's okay to cast between two classes that are non-polymorphic (unrelated from a type system perspective). Also C/C++ applications often have some additional performance requirements. They've created a runtime typing system and then a mechanism (probably a pre-processor) that can cause static_cast and dynamic_cast to instead use their casting mechanism. You turn it on for debug and off for release. We already have things like debug heaps to look for memory corruption at a small performance cost why not also have a debug type checking system. And, of course, since it gets switched off in production builds, it doesn't have the runtime performance costs. It's one of those things that is obvious as soon as somebody does it. Those are often some of the best advances as they can have a lot of impact quickly.

Re:Debug runtime typing system

[friedmud]

Agreed... projects I work on have been doing this for ages. Here's one of the open source examples:

https://github.com/libMesh/lib...

dynamic_cast with an error statement in DEBUG mode. static_cast otherwise (including if you don't have RTTI).

This is a no brainer...

Re: Debug runtime typing system

[loufoque]

static_cast does not allow casting between unrelated pointer types, you need reinterpret_cast for that.
reinterpret_cast is known to be dangerous and is therefore avoided.
There is also the C-style cast, which is even more dangerous than reinterpret_cast.

Re:Debug runtime typing system

[phantomfive]

Casting is a problem, true enough, but how do you exploit that? Is that a viable problem?

Re:Debug runtime typing system

[edtice1559]

From the paper: "Runtime type checking by dynamic_castis an expensive operation (e.g., 90 times slower than static_cast on average). For this reason, many performance critical applications like web browsers, Chrome and Firefox in particular, prohibit dynamic_cast in their code and libraries, and strictly use static_casto If can afford to use dynamic_cast in your code then, arguably, you can afford to write in a type-safe language like Java or C#. That's more of a philosophical discussion but the whole point is that if you can turn static_cast to dynamic_cast temporarily for debugging, that's useful. You an probably do that with some creative macro wizardry but this solution appears to be much better as it also includes an improved runtime type system

Basic fact flub in TFA

Ain't no such animal as "Georgia Tech University." There is only Georgia Tech or the Georgia Institute of Technology, or the University of Georgia.

OMFG!

[jimpop]

1) learn something that older people learned decades ago

2) write document warning people, who ignored history..., of the dangers!!

3) profit!

Re:OMFG!

[swillden]

1) learn something that older people learned decades ago

2) write document warning people, who ignored history..., of the dangers!!

3) profit!

They also built a tool to check potentially-dangerous casts. One we haven't had before.

Re:OMFG!

[jimpop]

Many a tool builder has come along to build tools to overcome failures. Fuzzing, or whatever you call it, is just a poor man's method of finding errors (the real problem) in some code. Glorified greps.

Re:OMFG!

[swillden]

Their tool isn't a fuzzer, it's a run-time cast checker -- to find the real error.

Re:OMFG!

[edtice1559]

Fuzzing and grepping are entirely different things. If your original post hadn't gotten modded up, I probably wouldn't even respond. Fuzzing is a mechanism where cleverly malformed data is sent to an application or even a piece of hardware to see how it responds. Things like an invalid message with a proper authentication code. It's a pretty effective form of testing. In this context your comment might as well be. "Testing your software is just a poor man's method of finding errors (the real problem) in some code. Glorified greps." Ideally we aren't writing defects and are bug-free before a testing cycle, but that rarely (if ever) happens. Even if there are no verification defects there may be validation concerns. Both this and fuzzing are *dynamic* tools. Grep is a static tool although I don't know how it could possibly be employed in finding all but the most trivial defects. There are sophisticated static tools out there as well. (See FindBugs for an open source example of one). But these have nothing in common with grep.

Re:OMFG!

[jimpop]

There is a vast difference between buggy code and poorly written code. The article and subject are about finding faults in poorly written code, which is something good programmers (and ones who are aware of a language's pitfalls and nuances) rarely produce. Testing is for finding bugs, rarely does testing involve analyzing code for purity.

Re:OMFG!

[edtice1559]

I realize that you want to believe this and I hate to be the one to burst your bubble so to speak but the fact is that these types of defects exist in almost any non-trivial piece of software. However, rather than go back and forth, how about you offer up some code that you've written and we'll run some of the tools you so dislike. If your code comes out "clean," I'll concede the point. But I'm confident that won't happen. In any event these tools are still not glorified grep and it's not information that older people knew. Software systems have gotten much larger over time. There are whole new classes of bugs (like the ones in the article) that are introduced because the application is too large for the programmer to be familiar with the entire thing. No amount of knowledge of the programming language will help. It's often impossible to predict the consequences of changing one part of a system. For all we know, the identified defects are the result of two changes that were each correct in isolation but the combination was dangerous. It's easy for that to happen with multiple people committing code. I don't understand your desire to take something as complicated as writing software and simply say that all problems are because other programmers aren't as good as you are. It's a complex domain and we should be glad to have additional tools.

Re:OMFG!

[jimpop]

I believe you are misconstruing what I've been saying. Tools are great, but they are no replacement for good solid code. Complex systems, or not, shouldn't contain the coding errors (they aren't bugs) that this and other fuzzing tools do find. Having, and awarding for such tools, leads, I believe, to an ecosystem of acceptability for poor coding. The correct avenue is to audit code and correct bad habits....but that takes deep knowledge of C/C++.

Re:OMFG!

[edtice1559]

You keep saying things like "This and other fuzzing tools" even though it's been pointed out in this thread numerous times that the tool in the paper is not a fuzzing tool and it isn't even close. This tool is finding bugs, not coding errors. It's finding a situation where one object type is cast to another but at some point that cast has become incompatible but the compiler can't catch it. If the compiler can't catch it, it's unlikely that a human audit is going to do so. You would have to continuously audit every cast in the application. But even then you won't find this type of defect. Because the actual cast is never the bug. It's the semantic meaning of the data before and after the cast. And for that, no amount of C++ knowledge in the world will help you. You need to know the application domain and all parts of it. Your philosophical points may have validity. But it's hard to take them seriously when you can't (or won't) even use very basic terminology correctly. The fact that the words are new to you indicates that you've dismissed an entire part of the tools ecosystem without even learning about it.

Re:OMFG!

[jimpop]

> You need to know the application domain and all parts of it.

I agree with that, 100%! I'm not doubting some of your statements, but you seem to be missing my main point. Forget fuzzing, type casting, tool sets, etc., I'm just arguing for purity in code as a better long term solution than post-processing object code.

Re: Gee...

[0123456]

Just change to ADA instead.

Do the words 'unchecked conversion' mean anything to you?

Re:Gee...

[Phronesis]

Because no one ever cast int to pointer or vice versa in K&R C.

A minor correction.

[Kickasso]

plays an essential role in misusing polymorphism in C++

Here, FTFY. Kids, if you cast, you are doing polymorphism wrong.

Re: A minor correction.

[loufoque]

Unless you're doing CRTP.

Re:A minor correction.

[Viol8]

Seriously? So you never cast a child class to a parent pointer? I don't think you do polymorphism at all.

Re: A minor correction.

[Kickasso]

Even with CRTP it's avoidable, for the price of slightly increased verbosity.

Re:A minor correction.

[Kickasso]

Why would anyone want to? Cast is an explicit type conversion (see the standard, 5.4 [expr.cast]).

Re:A minor correction.

[Viol8]

*boggle*

Don't worry about, go back to using Basic.

Re: A minor correction.

[loufoque]

It's not avoidable unless you're limiting yourself to a subset of CRTP.

Interface headers

[msobkow]

If your interface "classes" don't define all the methods you need to access an object, your architecture is screwed up. If you have to do typecasting, the interface should provide a method which is used to identify the correct class/interface for casting.

Casting without knowing what kind of object you're dealing with isn't a "bug" -- it's a shitty developer writing crap code who should be fired.

Re:Interface headers

[msobkow]

Note: "struct" overlays are another issue entirely, but even they should have a header field that lets you know how to cast the overlay.

Re:Gee...

[maligor]

I think that was reported back in ... oh 1973 with the original C compiler.

Just another reason to avoid C++.

I don't think it's really a reason to avoid C++, you can do lots of perverse things in C also. It's a feature of the family.

The biggest problem I personally have with C++ is operator overloads, which I think are just a bad idea.

Re:Gee...

[0123456]

The biggest problem I personally have with C++ is operator overloads, which I think are just a bad idea.

Yeah, because having to remember when to use == and when to use .equals() and which order to put the arguments for foo.equals(bar) to avoid possible null pointer exceptions in Java is just so much less likely to introduce bugs.

Re:Gee...

[JesseMcDonald]

The biggest problem I personally have with C++ is operator overloads, which I think are just a bad idea.

The problem isn't so much operator overloads as it is C++-style overloading in general. Operators are just another kind of function. The problem with overloading them is that there is no common type signature or interface definition binding the various overloads together. That, and the limited set of available operators, which drives developers to reuse operator names for unrelated tasks. Even the STL sets a poor example by overloading bit-shift operators for I/O.

Contrast that with user-defined operators in Haskell, where overloading is only allowed in the context of a typeclass instance:

-- Monoid laws:
-- x <> mempty == x
-- mempty <> y == y
-- (x <> y) <> z == x <> (y <> z)
class Monoid a where {
mempty :: a;
(<>) :: a -> a -> a;
}

instance Num a => Monoid (Sum a) where {
mempty = Sum 0;
Sum x <> Sum y = Sum (x + y);
}

instance Monoid [a] where {
mempty = [];
x <> y = x ++ y;
}

There can be any number of instances of the Monoid typeclass, but for every implementation of the (<>) operator the arguments and result must be the same type, and (per the Monoid laws—which admittedly are only convention, and not enforced by the type system) the implementation must be associative and have mempty as its left and right identity. The same overloading rules apply to the named function mempty and the operator (<>). Since Haskell permits arbitrary sequences of symbols as operator names, there is little pressure to abuse existing operators to new purposes, and while Haskell libraries tend to make extensive use of custom operators one rarely encounters them same issues that C++ project face with operator overloading.

The nearest C++ equivalent would be to define the built-in operators as members of various abstract base classes, and only allow a named function or operator to be redefined in classes which inherit their interface from the relevant base class. This unfortunately runs into some issues regarding polymorphism due to limitations of C++'s type system; for example, the implementation of mempty needs to be selected based on its return type, while C++ only supports selecting a class based on the type of the implicit parameter "this".

Re:Gee...

Casting is much more common in C++ code. I don't know if that's because of the proliferation of unique types, or because there are more newbie programmers working in C++, but I cringe whenever I look at a large C++ code base.

Good C code rarely needs casting, if at all. I presume the same is true of C++.

When I need complex runtime polymorphism, I'll switch to a language that better handles that, like Lua. The nice thing about C is that it interoperates easily with almost all other languages. This is less true with C++ (because of the stricter typing and abuse of overly specialized types; because of ABI issues; because of the way C++ programmers, like Java programmers, rely on mountains of third party libraries, often creating conflicts).

if you feel the need to cast you've probably coded yourself into a corner and should think about refactoring.

But is it a problem...

[Travelsonic]

with the language itself, or an issue that boils down to the coders, and how attentive they are to the vulnerabilities while they are producing the code for whatever they are working on?

My thought is that it is the latter (that it boils down to the coders, and their attentiveness + planning out their work to avoid such issues, but that's just one opinion.

Re:But is it a problem...

[david_thornley]

It's something of an "attractive nuisance" feature. It makes it easy to write bad code. There's a lot of those in C++, if less than there used to be.

The problem is with downcasts, from superclasses to subclasses. If you use dynamic_cast, you get the null pointer for invalid casts, so if you test for that in your code everything's fine. (If you don't test in your code, you'll probably find out fairly fast anyway, since you'll be trying to dereference nullptr.) However, dynamic_cast is often too slow. (One solution, if compiler vendors wanted to support it, would be to make dynamic_cast faster, but that's outside the scope.) Therefore, every time you cast from superclass to subclass, using static_cast, you need to know that you're casting to the right subclass.

This means that the programmer has to keep track of the subclass, and any mistake is a potential security problem. That type of mistake is easy to make, and it's difficult to verify it's being done right.

Given a situation like that, not being allowed to use dynamic_cast, I'd probably have virtual functions that would indicate the exact subclass something was, implementing my own type information system. This would make it harder to mess up, and easier to find if the programmer screwed up. That's not necessarily easy to retrofit, and it would be a pain if I tried maintaining something like that without being able to change upstream.

Re:But is it a problem...

[Travelsonic]

I see what you mean, and learned quite a bit from your post. I never considered that before. Been a while since I actually learned things from a conversation on Slashdot (versus bickering over mindless crap).

Re:Gee...

[lgw]

Operator overloads are there for the same reason void* is: when they actually make sense, they're a vast improvement. Complex numbers, for example, and really "+" is fine for string concatenation. Not being limited to built-in classes for that sort of thing is a feature, IMO.

C++ has few guiderails, and lets you write very unmaintainable code, much more so than C. But that's what let's you write performance-equivalent code that's much more maintainable than C.

My biggest gripe is coders who don't bother to learn the details of the 3 key library container classes: string, vector, and map. Poor coder choices causing significant (unnecessary!) performance hits was a bad enough problem that the standard had to add a fixed-sized array class, as even the simplest stuff like pre-allocating a vector when you know its size was beyond most coders. Sad, really.

And for goodness sake people, don't re-invent anything in std::algorithm! Stuff like inplace_merge or nth_element is really error prone to write yourself, as much fun as it might be to finally use that algorithms textbook from college.

Re:Gee...

[Keith+Henson]

Even worse is when Bjarne Stroustrup changed the behavior of overriding equal. This comprehensively broke the last version of the Xanadu code I was involved with. After a couple of months of Roger Gregory--who is a very sharp programmer--failing to figure out what had happened, I had to single step the program (like debugging assembly code) to find what had gone wrong under the new compiler. Took most of a night.