
Secure Coding in C and C++: Strings


This chapter is from the book
Secure Coding in C and C++

Strings—such as command-line arguments, environment variables, and console input—are of special concern in secure programming because they comprise most of the data exchanged between an end user and a software system. This chapter covers the security issues with strings and how you can sidestep them.

with Dan Plakosh and Jason Rafail

But evil things, in robes of sorrow, Assailed the monarch's high estate.

—Edgar Allan Poe "The Fall of the House of Usher"

Strings—such as command-line arguments, environment variables, and console input—are of special concern in secure programming because they comprise most of the data exchanged between an end user and a software system. Graphic and Web-based applications make extensive use of text input fields and, because of standards like XML, data exchanged between programs is increasingly in string form as well. As a result, weaknesses in string representation, string management, and string manipulation have led to a broad range of software vulnerabilities and exploits.

2.1 String Characteristics

Strings are a fundamental concept in software engineering, but they are not a built-in type in C or C++. C-style strings consist of a contiguous sequence of characters terminated by and including the first null character. A pointer to a string points to its initial character. The length of a string is the number of bytes preceding the null character, and the value of a string is the sequence of the values of the contained characters, in order.

A wide string is a contiguous sequence of wide characters terminated by and including the first null wide character. A pointer to a wide string points to its initial (lowest addressed) wide character. The length of a wide string is the number of wide characters preceding the null wide character and the value of a wide string is the sequence of code values of the contained wide characters, in order.

Strings in C++

C-style strings are still a common data type in C++ programs, but there have also been many attempts to create string classes. Most C++ developers have written at least one string class and a number of widely accepted forms exist. The standardization of C++ [ISO/IEC 98] has promoted the standard template class std::basic_string and its char and wchar_t instantiations: std::string and std::wstring.

The basic_string class is less prone to errors that result in security vulnerabilities than C-style strings. Unfortunately, there is a mismatch between C++ string classes and C-style strings. Specifically, most C++ string classes are treated as atomic entities (usually passed by value or reference), while existing C library functions accept pointers to null-terminated character sequences. In the standard C++ string class, the internal representation does not have to be null-terminated [Stroustrup 97]. Some other string types, like Win32 LSA_UNICODE_STRING, do not have to be null-terminated either. As a result, there can be different ways to access string contents, determine the string length, and determine whether a string is empty.

Except in rare circumstances—in which there are no string literals and no interaction with the existing libraries that accept C-style strings, or in which one uses C-style strings only—it is virtually impossible to avoid having multiple string types within a C++ program. Usually this is limited to C-style strings and one string class, although it is often necessary to deal with multiple string classes within a legacy code base [Wilson 03].
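The mismatch described above can be seen by comparing a length-counted buffer, a std::string, and the C-style view of that std::string. The following is an added example, not code from the book; CountedString, from_counted, c_view_length, has_embedded_nul, and checked_c_str are hypothetical names, and CountedString only models the idea of a counted, non-null-terminated type.

```cpp
// Added example (not from the book): three views of "the same" string.
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>

// Hypothetical length-counted string, modeled on the idea of counted types
// such as LSA_UNICODE_STRING: buffer is NOT required to be null-terminated.
struct CountedString {
    std::size_t length;   // number of valid bytes in buffer
    const char *buffer;   // may lack a terminating '\0'
};

// Convert using the stored count; never scan for a terminator that may be absent.
std::string from_counted(const CountedString &cs) {
    if (cs.length == 0 || cs.buffer == nullptr) return std::string();
    return std::string(cs.buffer, cs.length);
}

// Length as a C library function would see it through c_str().
std::size_t c_view_length(const std::string &s) {
    return std::strlen(s.c_str());
}

// True when size() and strlen(c_str()) disagree, i.e. a C API would
// silently see a shorter string than the one the C++ code validated.
bool has_embedded_nul(const std::string &s) {
    return s.find('\0') != std::string::npos;
}

// Gate to call before passing a std::string to a C-style string API.
const char *checked_c_str(const std::string &s) {
    if (has_embedded_nul(s))
        throw std::invalid_argument("embedded null character");
    return s.c_str();
}

int main() {
    const char raw[4] = {'a', 'b', 'c', 'd'};       // constructed: no terminator
    std::string ok = from_counted({sizeof raw, raw});
    std::string split("abc\0def", 7);               // constructed: embedded '\0'
    std::string odd("\0abc", 4);                    // non-empty, yet "" as a C string
    bool consistent = ok.size() == c_view_length(ok);        // 4 == 4
    bool mismatch = split.size() != c_view_length(split);    // 7 != 3
    bool empty_disagrees = !odd.empty() && odd.c_str()[0] == '\0';
    return (consistent && mismatch && empty_disagrees) ? 0 : 1;
}
```

Rejecting embedded null characters at the boundary keeps the length and emptiness checks done on the std::string consistent with what the C library function later reads.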
