FORTIFY SOURCE and Safe String Library

Dave W edited this page Jan 10, 2018 · 9 revisions

I've had some questions regarding FORTIFY_SOURCE and whether that is a replacement for this library. What is the benefit of the Safe String Library over FORTIFY_SOURCE

What is FORTIFY_SOURCE?

For a quick read, check out this RedHat post: FORTIFY SOURCE Explanation and Deep Dive into FORTIFY SOURCE. Basically FORTIFY_SOURCE is a GCC compiler flag that adds check code into certain calls that could cause buffer overflows, and then stops that code from executing.

FORTIFY SOURCE works on only a few functions, including: memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, snprintf, vsnprintf, gets

Also, while the compiler attempts to make replacements, it can't always do so, and then fails silently. So some of your usages of replaceable functions may not actually be protected.

Finally, if a buffer overflow does occur on a protected (fortified) function, an exception is thrown halting your program.

Is the Safe String Library Better?

That depends on your perspective. There are a few advantages:

  1. With the Safe String Library, the programmer is aware of which usages of unsafe functions are replaced (protected) and which aren't; remember, FORTIFY_SOURCE attempts to make changes, but doesn't guarantee all vulnerable instances are protected.
  2. When a buffer overflow could occur, the Safe String Library returns an error, allowing the programmer an opportunity to handle the situation gracefully, in context; when using FORTIFY_SOURCE, an exception is thrown, and if it isn't handled, then the program terminates - from the exception, it may be difficult to determine the context of the buffer overflow and the appropriate way to gracefully handle the error. Terminating the program is not always the right exception handling procedure (think IoT devices, medical devices, safety-critical programs, etc.)
  3. The Safe String Library allows for the protection of more string and buffer manipulation functions; if a program uses advanced string manipulation functions, FORTIFY SOURCE doesn't protect many of those operations.

Is FORTIFY SOURCE Duplicative of the Safe String Library Operations?

That's a really good question!! Put another way, should I enable FORTIFY SOURCE on my program AND ALSO use the Safe String Library? First, if you look at the actual source code for the Safe String Library, the underlying functions in Safe String Library do NOT call the unprotected (unsafe) C Library functions. Therefore, using FORTIFY SOURCE along with the Safe String Library is not duplicative (you don't get belts and suspenders!)

However, FORTIFY SOURCE doesn't hurt. If there are some memcpy or strcat functions that were forgotten or missed, or if you have open source modules that aren't using safe versions of those functions, FORTIFY SOURCE can help protect those instances.

Conclusions

FORTIFY SOURCE was added to GCC to protect most instances of simple banned function usages, and prevent buffer overflows. However, unless special care is taken to add exception handling for any exception thrown by the FORTIFY SOURCE replacement code, your program may crash unexpectedly on some inputs, and this could be an issue, depending on your product.

The Safe String Library gives the programmer more flexibility, covers more string manipulation functions, and allows for customized recovery when a buffer overflow is detected. But at least when you use the Safe String Library, if you also use FORTIFY_SOURCE, you won't be forced to wear belts and suspenders!

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.