Your search keyword '"C string handling"' showing total 17 results

1. Detection of the Hardcoded Login Information from Socket and String Compare Symbols

Author

Minami Yoda, Akihiko Ohsuga, Yuichi Sei, Normaziah A. Aziz, and Shuji Sakuraba

Subjects

Password, General Computer Science, Firmware, Computer science, String (computer science), 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, String searching algorithm, computer.software_genre, Login, 0202 electrical engineering, electronic engineering, information engineering, Operating system, Electrical and Electronic Engineering, computer, C string handling, Vulnerability (computing), Backdoor

Abstract

Internet of Things (IoT) for smart homes enhances convenience; however, it also introduces the risk of the leakage of private data. TOP10 IoT of OWASP 2018 shows that the first vulnerability is ”Weak, easy to predict, or embedded passwords.” This problem poses a risk because a user can not fix, change, or detect a password if it is embedded in firmware because only the developer of the firmware can control an update. In this study, we propose a lightweight method to detect the hardcoded username and password in IoT devices using a static analysis called Socket Search and String Search to protect from first vulnerability from 2018 OWASP TOP 10 for the IoT device. The hardcoded login information can be obtained by comparing the user input with strcmp or strncmp. Previous studies analyzed the symbols of strcmp or strncmp to detect the hardcoded login information. However, those studies required a lot of time because of the usage of complicated algorithms such as symbolic execution. To develop a lightweight algorithm, we focus on a network function, such as the socket symbol in firmware, because the IoT device is compromised when it is invaded by someone via the Internet. We propose two methods to detect the hardcoded login information: string search and socket search. In string search, the algorithm finds a function that uses the strcmp or strncmp symbol. In socket search, the algorithm finds a function that is referenced by the socket symbol. In this experiment, we measured the ability of our proposed method by searching six firmware in the real world that has a backdoor. We ran three methods: string search, socket search, and whole search to compare the two methods. As a result, all methods found login information from five of six firmware and one unexpected password. Our method reduces the analysis time. The whole search generally takes 38 mins to complete, but our methods finish the search in 4-6 min.

Published

2021

2. How Secure are our Computer Systems Courses?

Author

Rajdeep Mohan Chatterjee, Elias Fang, Jessica Lam, Majed Almansoori, Kieran Mulligan, and Adalbert Gerald Soosai Raj

Subjects

Course materials, Security analysis, Focus (computing), Computer science, 05 social sciences, 02 engineering and technology, Computing systems, Code (semiotics), 020204 information systems, ComputingMilieux_COMPUTERSANDEDUCATION, 0202 electrical engineering, electronic engineering, information engineering, Mathematics education, 0501 psychology and cognitive sciences, Robust coding, 050107 human factors, C string handling

Abstract

Introductory computer systems courses teach students how a single program is executed inside a computer, providing them with their first exposure to the logical internals of computing systems. This is one of the first introductory courses where students can learn about security and the need for robust coding. However, currently, these courses are taught with a focus on functionality and efficiency only, ignoring security almost entirely. In this paper, we provide a basic security analysis of computer systems courses from 16 of the top 20 CS undergraduate programs at R1 universities in the US. We collected more than 760 thousand lines of C/C++ code written by 253 students and used by instructors in lectures and for assignments. We found students frequently use unsafe functions such as strcpy, strcat, and system, many of which can lead to serious security vulnerabilities. These unsafe functions are present in course materials such as in lecture slides and textbooks, and even in the code provided by instructors. We also show a high correlation between the unsafe functions used by students with those used by their instructors.

Published

2020

3. Assessing CS1 Design Skills with a String Manipulation Task

Author

Amali Weerasignhe and Cruz Izu

Subjects

Class (computer programming), Syntax (programming languages), Computer science, Programming language, Character (computing), 05 social sciences, String (computer science), 050301 education, 02 engineering and technology, computer.software_genre, Sketch, Task (project management), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 0503 education, computer, Word (computer architecture), C string handling

Abstract

This study explores novice programmers' abilities to design and code a string manipulation task in C after one semester of tertiary instruction. String manipulation is an important skill for novice programmers to master as most applications deal with text and/or interact with the user. The analysis shows most novice programmers (88%) were able to sketch their own programming plan to print a word in pyramid style. 53% of students chose to control the printing letter by letter (character level) and 32% updated and printed the word as a whole (string level). However only 6% used string functions, apart from strlen() and strcmp(), to implement their plan. This indicated a low level of transfer from their most recent class activity which focused on the C string library. As expected, not all succeeded to correctly implement their plan: 56% were correct at character level and 63% at string level, resulting in 49% of the whole cohort completing the task. Their code has been thoroughly analysed to identify implementation issues, and logical, syntax and plan errors are reported and discussed.

Published

2020

4. Semantic program alignment for equivalence checking

Author

Berkeley Churchill, Alex Aiken, Oded Padon, and Rahul Sharma

Subjects

Correctness, Computer science, Programming language, Formal equivalence checking, 020207 software engineering, 02 engineering and technology, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Test suite, 020201 artificial intelligence & image processing, Compiler, Equivalence (formal languages), computer, C string handling

Abstract

We introduce a robust semantics-driven technique for program equivalence checking. Given two functions we find a trace alignment over a set of concrete executions of both programs and construct a product program particularly amenable to checking equivalence. We demonstrate that our algorithm is applicable to challenging equivalence problems beyond the scope of existing techniques. For example, we verify the correctness of the hand-optimized vector implementation of strlen that ships as part of the GNU C Library, as well as the correctness of vectorization optimizations for 56 benchmarks derived from the Test Suite for Vectorizing Compilers.

Published

2019

5. Modular Static Analysis of String Manipulations in C Programs

Author

Antoine Miné, Matthieu Journault, Abdelraouf Ouadjaout, École normale supérieure - Cachan (ENS Cachan), Algorithmes, Programmes et Résolution (APR), LIP6, and Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS)-Sorbonne Université (SU)-Centre National de la Recherche Scientifique (CNRS)

Subjects

Iterator, [INFO.INFO-PL]Computer Science [cs]/Programming Languages [cs.PL], business.industry, Computer science, Programming language, String (computer science), 020207 software engineering, 02 engineering and technology, Static analysis, Reuse, Modular design, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, State (computer science), business, computer, C string handling, Reusability

Abstract

International audience; We present a modular analysis able to tackle out-of-bounds accesses in C strings. This analyzer is modular in the sense that it infers and tabulates (for reuse) input/output relations, automatically partitioned according to the shape of the input state. We show how the inter-procedural iterator discovers and generalizes contracts in order to improve their reusability for further analysis. This analyzer was implemented and was able to successfully analyze and infer relational contracts for functions such as strcpy, strcat.

Published

2018

6. A Solver for a Theory of Strings and Bit-Vectors

Author

Sanu Subramanian, Murphy Berzish, Omer Tripp, and Vijay Ganesh

Subjects

Binary search algorithm, Computer science, String (computer science), 020207 software engineering, 02 engineering and technology, String searching algorithm, Solver, High Energy Physics::Theory, String kernel, Satisfiability modulo theories, 0202 electrical engineering, electronic engineering, information engineering, C++ string handling, 020201 artificial intelligence & image processing, String metric, Algorithm, C string handling

Abstract

We present the Z3strBV solver for a many-sorted first-order quantifier-free theory Tw, bv of string equations, string length represented as bit-vectors, and bit-vector arithmetic aimed at formal verification, automated testing, and security analysis of C/C++ applications. Our key motivation for building such a solver is the observation that existing string solvers are not efficient at modeling the combined theory over strings and bit-vectors. We demonstrate experimentally that Z3strBV is significantly more efficient than a reduction of string/bit-vector constraints to strings/natural numbers followed by a solver for strings/natural numbers or modeling strings as bit-vectors. We also propose two optimizations. First, we explore the concept of library-aware SMT solving, which fixes summaries in the SMT solver for string library functions such as strlen in C/C++. Z3strBV is able to consume these functions directly instead of re-analyzing the functions from scratch each time. Second, we experiment with a binary search heuristic that accelerates convergence on a consistent assignment of string lengths. We also show that Z3strBV is able to detect nontrivial overflows in real-world system-level code, as confirmed against seven security vulnerabilities from the CVE and Mozilla databases.

Published

2017

7. A study on the usage of unsafe functions in gcc compared to mobile software systems

Author

Derrek Larson, Saleh M. Alnaeli, Mohamed Sarrab, and Melissa Sarnowski

Subjects

Engineering, 021103 operations research, Source lines of code, business.industry, 05 social sciences, 0211 other engineering and technologies, Function type, Mobile computing, 050301 education, 02 engineering and technology, Computer security, computer.software_genre, Code refactoring, Robustness (computer science), SAFER, Software system, business, 0503 education, computer, C string handling

Abstract

A case study is presented that empirically analyzes the use of known unsafe functions in gcc, a well-known general purpose software system, along with their distribution over a 5-year period from, 2012 through 2016. The 5-year history of gcc studied is comprised of a total of over 26 million lines of code. gcc was statically analyzed with the use of srcML and a tool created by one of the authors. A count of each unsafe function type present in each year of the system was recorded, along with a count of safe replacement functions, and their distributions analyzed. The results were compared to findings from a previous study on networking and mobile systems. The results show free, strcmp, strlen, and memcpy to be the most prevalent unsafe functions used among the years of gcc studied. This information can help developers by showing where they should direct their attention when refactoring their system to improve security, and thereby improve the system's robustness, reliability, and overall quality. By focusing on the most prevalent unsafe functions, developers can plan their refactoring process to be more effective. The fact that unsafe functions are still being used despite there being safer alternatives shows a need for new security standards, better education about security and security issues, and supervision of programmers to ensure they follow those standards.

Published

2017

8. Parallel Hierarchical Evolution of String Library Functions

Author

Jacob Soderlund, Darwin Vickers, and Alan Blair

Subjects

Emulation, Theoretical computer science, Computer science, String (computer science), 0102 computer and information sciences, 02 engineering and technology, String processing, 01 natural sciences, law.invention, Task (computing), Calculator, 010201 computation theory & mathematics, law, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Library function, C string handling, Premature convergence

Abstract

We introduce a parallel version of hierarchical evolutionary re-combination (herc) and use it to evolve programs for ten standard string processing tasks and a postfix calculator emulation task. Each processor maintains a separate evolutionary niche, with its own ladder of competing agents and codebank of potential mates. Further enhancements include evolution of multi-cell programs and incremental learning with reshuffling of data. We find the success rate is improved by transgenic evolution, where solutions to earlier tasks are recombined to solve later tasks. Sharing of genetic material between niches seems to improve performance for the postfix task, but for some of the string processing tasks it can increase the risk of premature convergence.

Published

2016

9. std::string Append

Author

Tom Nealis

Subjects

Task (computing), Operator (computer programming), Theoretical computer science, Computer science, C++ string handling, Append, Arithmetic, C programming language, C string handling

Abstract

Appending two or more strings together while developing a C++ application is a very common task. For std::strings, there are two primary ways to achieve the appended string. The first is to use the += operator to append two strings, and the second is to use the + operator. This report compares the two operations.

Published

2015

10. Glossary

Author

Frantisek Franek

Subjects

ANSI C, auto_ptr, Placement syntax, Glossary, C dynamic memory allocation, Computer science, Programming language, Pointer (computer programming), computer.software_genre, Data structure, computer, computer.programming_language, C string handling

Published

2003

11. Strings

Author

Mark Siegesmund

Subjects

Microcontroller, Copying, Computer science, C++ string handling, Character encoding, Arithmetic, Constant (mathematics), Unicode, C string handling

Abstract

This chapter explains how to use and manipulate strings in C. The standard C functions are shown copying, comparing, breaking up, and searching strings. Input and output are shown using both traditional and newer techniques. Conversions of numbers to and from strings are also a part of this chapter. Testing and manipulating characters in strings and the required standard C functions are shown. Constant strings kept in program memory on microcontrollers are described. Multi-byte character sets such as Unicode are briefly introduced. Examples and exercises are for the popular PIC™ microcontroller manufactured by Microchip.

Published

2014

12. Path- and index-sensitive string analysis based on monadic second-order logic

Author

Omer Tripp, Marco Pistoia, and Takaaki Tateishi

Subjects

Empty string, Theoretical computer science, Computer science, String (computer science), String interpolation, Static program analysis, String searching algorithm, Approximate string matching, String interning, scanf format string, String operations, String kernel, String metric, Algorithm, Software, C string handling

Abstract

We propose a novel technique for statically verifying the strings generated by a program. The verification is conducted by encoding the program in Monadic Second-order Logic (M2L). We use M2L to describe constraints among program variables and to abstract built-in string operations. Once we encode a program in M2L, a theorem prover for M2L, such as MONA, can automatically check if a string generated by the program satisfies a given specification, and if not, exhibit a counterexample. With this approach, we can naturally encode relationships among strings, accounting also for cases in which a program manipulates strings using indices. In addition, our string analysis is path sensitive in that it accounts for the effects of string and Boolean comparisons, as well as regular-expression matches. We have implemented our string analysis algorithm, and used it to augment an industrial security analysis for Web applications by automatically detecting and verifying sanitizers —methods that eliminate malicious patterns from untrusted strings, making these strings safe to use in security-sensitive operations. On the 8 benchmarks we analyzed, our string analyzer discovered 128 previously unknown sanitizers, compared to 71 sanitizers detected by a previously presented string analysis.

Published

2011

13. C++ Metastring Library and Its Applications

Author

Zalán Szűgyi, Zoltán Porkoláb, Ábel Sinkovics, and Norbert Pataki

Subjects

Expression templates, Policy-based design, scanf format string, Theoretical computer science, Computer science, Programming language, String (computer science), Single Compilation Unit, String interpolation, Template metaprogramming, computer.software_genre, computer, C string handling

Abstract

C++ template metaprogramming is an emerging direction of generative programming: with proper template definitions we can enforce the C++ compiler to execute algorithms at compilation time. Template metaprograms have become essential part of today's C++ programs of industrial size; they provide code adoptions, various optimizations, DSL embedding, etc. Besides the compilation time algorithms, template metaprogram data-structures are particularly important. From simple typelists to more advanced STL-like data types there are a variety of such constructs. Interesting enough, until recently string, as one of the most widely used data type of programming, has not been supported. Although, boost::mpl::string is an advance in this area, it still lacks the most fundamental string operations. In this paper, we analysed the possibilities of handling string objects at compilation time with a metastring library. We created a C++ template metaprogram library that provides the common string operations, like creating sub-strings, concatenation, replace, and similar. To provide real-life use-cases we implemented two applications on top of our Metastring library. One use case utilizes compilation time inspection of input in the domain of pattern matching algorithms, thus we are able to select the more optimal search method at compilation time. The other use-case implements safePrint, a type-safe version of printf - a widely investigated problem. We present both the performance improvements and extended functionality we have achieved in the applications of our Metastring library.

Published

2011

14. Memory Leaks and Their Debugging

Author

Frantisek Franek

Subjects

Programming language, Computer science, C dynamic memory allocation, media_common.quotation_subject, Smart pointer, computer.software_genre, Allocator, Memory leak, Placement syntax, Debugging, computer, media_common, C string handling, C standard library

Published

2003

15. One-Dimensional Arrays and Strings

Author

Frantisek Franek

Subjects

C dynamic memory allocation, C-One, Computer science, Pointer (computer programming), Compiler, Parallel computing, computer.software_genre, Data structure, computer, Base address, C string handling

Published

2003

16. Dynamic Allocation and Deallocation of Memory

Author

Frantisek Franek

Subjects

Unix, C dynamic memory allocation, Programming language, Computer science, media_common.quotation_subject, Parallel computing, computer.software_genre, Data structure, Allocator, Debugging, Pointer (computer programming), Compiler, computer, media_common, C string handling

Published

2003

17. Character and Number Conversions

Author

Roger T. Stevens

Subjects

Empty string, String operations, Pointer (computer programming), Null-terminated string, Character encoding, String literal, Arithmetic, ASCII, C string handling, Mathematics

Abstract

In the development of more complex C programs, the need to convert a string of the American Standard Code for Information Interexchange (ASCII) characters to an integer or floating point number or conversely to convert one of these numbers to a string of ASCII characters will arise. To perform such a conversion, functions are available as a part of the library included with every C compiler. This chapter describes a few of such functions. The atoi function converts a string of ASCII numbers. This function is passed a pointer to a string and returns an integer. The atol function is just the same as the atoi function except that it returns a long integer rather than an ordinary integer. The chapter then considers the atof , _ atold , strtod , strtold , itoa , ltoa , ultoa , ecvt , fcvt , and gcvt functions. Before using some of the conversion functions that convert from ASCII strings to various types of data, some tests are done to determine whether the string contains the right sort of data or not. The C language includes quite an assortment of such tests. It can be determined whether a string contains numbers, letters, or alphanumerics by just selecting the proper test. Each of the test functions determines whether a character is one of a particular character set, the character set differing for each individual test function. The chapter discusses all of these test functions and their uses.

Published

1993