This second video of this second course is about local variables and how to use local variables. In all programming languages, a local variable only exists while the function or the code block is in execution. After the execution of the function or the block, the local variables are simply deleted. In C and C++, the memory for local variables is located on the stack, the execution stack. And when the local variables are created, they are not automatically initialized. Except in debug, where the variables are initialized with 0xCC for all bytes of the local variable. In C, the program can retrieve the address of a local variable as with other variables, global or dynamic memory. And the memory is released at the end of the execution of the function, but the variables are not cleared. So if some data is still in the variable when the function returns, this data stays in the stack until the space is reused again. If a variable is an instance of a class, C++ will automatically call the constructor of the class to initialize this variable. And if the constructor initializes the data, the data will be initialized. If the constructor does not initialize some part of the instance or some data member, this member will stay uninitialized and will contain the data that was in memory just before the constructor call. What does it mean for security? First, if a variable is not correctly initialized, it may contain data that it should not. It will contain data that the previously called function left in its local variables when it returned. It can also be arguments that were passed to some other function that was called just before. The data that stays in this local variable can be a user name, password, credit card number, or any very important information. So what I recommend is to always completely initialize local variables. This way we will be sure that the data is cleared and no important data stays in this variable.
If a local variable contains important information like a password, username, credit card number, or address of a file, or other important information, the code should clear it before returning. This way, other functions that are called just after, even if they do not initialize their local variables correctly, will not be at risk of creating a data leak. When a programmer uses a local variable's address, he must be very, very careful. First, the variable will not exist anymore after the function returns. So if a function returns the address of a local variable, it can sometimes work, because the caller may use and retrieve the data before calling other functions, or before another function overwrites the data at this address. But it's very bad, because if we change a small thing in the code, in the calling function or in the called function, this code could stop working. If a function passes the address of a local variable to another function, the programmer must be certain, he must know for sure, that the function he calls will not store the address. Because if the function stores the address in some structure in memory, it will be invalid when it is used later. What is a data leak? A data leak is when the program or library lets some very important data get out of the memory space it controls, or the storage space it controls. So it can happen if a local variable that is not correctly initialized when created contains important data and is used to answer a network request, for example. Some of the important data can be overwritten by the response the program wants to send, but some of the important data can stay there and be visible at the other end of the network link. If you test your program in debug and you find bytes with the value 0xCC, it's most probably because some local variable that was not correctly initialized has been sent over the network,
or written to an output file, or displayed in the output stream, or any other way to leak information. So if you see this value in the output data, you have to investigate why this happened and find a way to fix it. So initialize it to another value; this way you will not see the bad value in the output of your program anyway. Story of a data leak: we will now imagine a situation, and we have code that will help us to imagine the situation. The situation is a server that receives requests from the network on a datagram-based socket, a UDP socket. When a request is valid, it processes it and sends the answer. When the request is not valid, it replaces a field in the request with an error code that indicates that the request is not valid, and returns the request itself with all the data that was sent by the requester. This is not the best designed protocol, but a lot of protocols work in this kind of way. This is often practical for debugging, because the requester receives the full request, so it can help to debug why the request was invalid. So to complete this video, we'll now take a look at two samples that have been designed to work together. The first one is UDP server zero, the server that implements this kind of protocol in a very bad way, and the second is UDP hacker. So here is the UDP server zero example. We have the credits here. One of the first things it does is to include a file that defines the protocol we'll use on the UDP sockets. So let's take a look at this file. Very, very simple protocol. We have one request that exists, request number zero, and this request does nothing. We have another value that we have to put in the result field when we send a request, and we have at this time two results that can be returned after processing a request: always OK, or the invalid request code if the request code was not a valid one.
Each request and each response shares the same structure, and this is it: first two bytes, the request code. Then the second two bytes, the serial number of the request. Then the result code, and the size in bytes. The size includes the size of the header and any data that could follow the header for a simple request. So I can close this file and come back to the file of the server. We have two internal functions to receive and process requests; we'll see them in a few seconds. The main function initializes the library. I put all the stuff that is not exactly the same on Windows and Linux in a library. The library, the project of the library, is here, called base lib. So if you want, you can go and look at this code. The function socket startup initializes the Winsock library on Windows and does absolutely nothing on Linux. We create the socket, a UDP socket, that will be used to receive requests and also send back the responses. Here, the address is the address that we'll use to bind the network adapter to the server. Here we bind all available network adapters to the service. In a real server, I would not recommend doing that; I would rather recommend to just bind to the network adapter that is needed. And once I bind, I just get back the address I am bound to in order to display the port number. So I will be able to send a request to this port when I use the other example, UDP hacker zero. After that, this is the main loop that will simply call forever, or until an error occurs, the function receive and process requests. At the end we close the socket and the library; we don't really have a way to stop the service in this version. So there is a good chance that an error does not occur and we will never execute the cleanup code here. The receive and process requests function creates some local variables. The first two variables contain the address of the requester, the address where the request comes from.
And after that we have a local variable that will contain the request we receive, and a pointer that will allow us to read the data in the buffer as if it were a protocol header structure. We call the function recvfrom and we receive a request from a client. After receiving a request, we pass it to the process request function that will process the request. The process request function is just here, and it's a switch that, based on the request code, executes the code needed to process the request. Here we have the request that does nothing, so we just set the result to the positive result and do absolutely nothing else. And if it is not this request code, we set the result to invalid request code, and we send back the request in both cases. This video is about local variables. So, no surprise, the problem with the current code is how it uses the local variable. You can see here that the variable that is used to receive the request, and to send back the request if the request is not valid, is a local variable, and this local variable is not initialized. So this local variable may contain data. Well, let's just get back to the debug configuration. OK, good. And I will compile this program. We'll compile. The library is compiled before the program because the dependencies are set so: this project is dependent on the base library project, and the UDP server has been compiled without warnings or errors. Now let's look at the code of UDP hacker that we will use to exploit this security issue. So, the UDP hacker code; let's look at the code. First is the processing of the arguments: the hacker takes two arguments, the first one being the address of the server and the second one being the port number. We parse the arguments to store the server address and the port in a local variable that will contain the address. The first thing we do is create the first request.
So I use a local variable for that, and the program takes a pointer to this variable, but with the type of protocol header. We initialize the buffer, the full buffer, and we initialize the four fields of the header. So the first request is a valid request: the request code is the do-nothing request, the result field is set to protocol request, and we have a serial for the request that is set to one. And for this request we pass some data in the request, so we will use all 64 bytes of the buffer, and in the last part of the request we store data. So there is data that is very important, and the rest is just filler to fill the buffer. And I use a local static function to send the request to the server, and also to receive the response and display the response. After that, I will reuse the same buffer, modify it and send a new request. For this request I will send a bad request code, but the rest of the header is correct. So the result field is set to protocol request, the serial is set, and I pass 128 bytes as the size. But when I send the request, I will send the request clearly smaller than that: I will just send the header and will not send the data part. So I indicate to the server, yes, the data that comes with this request is 128 bytes long, but in fact I just send eight bytes, and after that I wait for the answer and display the answer. Let's just take a look at the request function. So we are in the request function. You see that I first create a socket, then send the data to the server. I have the address received as a parameter to be able to send to the server. And after that I create a big buffer, wait for the answer and display the answer. If the answer is large enough, I will display the fields of the header, and I will also display all of the response with a function that does a hex dump.
The function dump is also in the base library, because I was needing this function for many examples we will see in this course. At the end I close the socket. Now let's see the server and the hacker work. We have to launch both. So I first, I already did that, set the UDP server as the default startup program, so I can start it from here. We see that I am in debug, because we compiled in debug. So I start it here; it's starting. I open a command shell here, a PowerShell in fact, and I will be able to start the hacker here. We'll also start the debug version, even if it's not needed; we could have one in debug and one in release, it's not a problem. And I will start UDP hacker zero. I have to give it two pieces of information: the address of the server and the port number. So I have the information that the hacker sent: the first request was 64 bytes long, and it received an answer that is also 64 bytes long. The answer has the request code do nothing, an OK status, the serial is the same that we put in the request, and the size is 64 bytes. Here we have the dump of the 64 bytes, and we see the very important information in the answer. Sure, if we are programming real services and a request contains very important data such as a serial number or things like that, it should first be sent over a secure connection, and most probably we will not send back this very important information in the answer to this request. The second request we send is only eight bytes long and the server returns us 128 bytes. It returned the request code that was not valid, because it's what we put in the request, and it set the result code to invalid request code, which was expected because it was effectively an invalid request code, and the size is 128 bytes because it's what we sent in the request.
And the server sent as many bytes as we told it we had sent. So it sent, yes, the eight bytes we sent, but it also sent us all the other data that was present in the buffer at this time. Because the service is running in debug mode, this data was initialized to 0xCC for each byte; this is what we can see here. We know that if we see 0xCC in the output data of a program, there is probably a possible data leak under that. To know for sure, we'll try it in release mode. So I will stop the service, change to release and start the server again, so I now run the release version of the server. Now I can start the hacker again; we'll change the port number, I execute, and we now see the data leak clearly, because the data that we sent in the first request is also what I receive in the second answer, and it was really not expected. Here it's data that the hacker itself sent, and the hacker is responsible for the two requests, so this data is not a problem. But the hacker doesn't have to send this first request; in the real world, it can just send this request and get the information that had been sent previously by another client of the same server, and retrieve the very important data this other client sent to the server. This is your first data leak, so this shows how important it is to initialize the data. We can take another look at the code. If we look at the receive and process request function, the first error the programmer made is to not initialize the buffer, for sure, but the second error he made is that he did not check the return value of the recvfrom function. This function returns the number of bytes received from the network, so checking it and validating it against the size in the header would be a good way to avoid this kind of data leak. We'll stop server zero. I have another project that is UDP server 08; we can look at the code. We'll just close the other file first.
It was set as the startup project right now. The main function did not change; there is no real problem in the main function, but the receive and process requests function now looks more secure. First we receive the data and its size, and we validate the size too. If the size is smaller than zero, it is the way for the recvfrom function to indicate an error, so we report an error. And if the size is larger than the buffer we passed, we also know that it's not a valid return from this function, and we will then pass. The size recvfrom returned is passed to the process request function, and process request will be able to use this information to validate the data. I put the validation in a separate static function, and in this function we see that, first, we need the result code to be a protocol result request; we need the request to be larger than or the same size as the protocol header, so the protocol header needs to be complete; and the size indicated in the data must be the same size that we received on the network. If one of these conditions is not true, the request will not be validated and this function will return false. And if this function returns false, the request will not be processed and we will not send back any information. This is very important: if the request is not correct, we do not send back any information that could give a clue to a hacker about why the request has been rejected or how it was processed. And if the request is valid, we process the request and we send the answer. So we can try this new version. The server just started; let's check that we are in release configuration. So I can now start again my hacker, changing the port. We see that we sent the first request, we get back the first answer as before, but when we send the second request, that was clearly invalid,
the size we specified in the data is not valid, it's not the same size as the request we sent, and we did not receive an answer. So the hacker program is simply waiting for an answer that will not come, because the server did not send it. This was the example that showed how local variables, if the programmer is not careful enough, can cause a memory leak, not a memory leak but a data leak. And we also showed how a hacker can exploit such a data leak and how easy it is to exploit it. This is the end of this video. The next video is about memory management.
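Added example, not part of the lecture's projects or its base lib: a self-contained C model of the UDP server zero / UDP server 08 pair described above, with the socket replaced by an in-memory handler so the leak and the fix can be run without a network. The header layout (four 16-bit fields, data following), the constant names, the 128-byte buffer, the 64-byte victim datagram and its contents are assumptions modelled on the lecture's description; the static stale_slot stands in for the stack slot that the real local buffer reuses from one call to the next.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* assumed: the server's local buffer, 128 bytes as in the lecture */

/* Assumed header layout modelled on the lecture: four 16-bit fields, data follows. */
typedef struct {
    uint16_t request;  /* request code */
    uint16_t serial;   /* serial number of the request */
    uint16_t result;   /* RES_REQUEST on the way in, a RES_* code in the reply */
    uint16_t size;     /* header + data, in bytes */
} proto_header;

enum { REQ_NOP = 0, RES_REQUEST = 0, RES_OK = 1, RES_INVALID_REQUEST = 2 };

typedef size_t (*handler_fn)(const uint8_t *in, size_t in_len, uint8_t *out);

/* Stands in for the stack slot of the server's local buffer: nothing clears it
 * between calls, just like an uninitialised local reused by the next call. */
static uint8_t stale_slot[BUF_SIZE];

/* UDP server zero: buffer never initialised, recvfrom length ignored, reply length
 * taken from the peer-controlled size field. */
size_t server0_handle(const uint8_t *in, size_t in_len, uint8_t *out)
{
    if (in_len > BUF_SIZE) in_len = BUF_SIZE;
    memcpy(stale_slot, in, in_len);          /* only the received bytes are overwritten */
    proto_header h;
    memcpy(&h, stale_slot, sizeof h);        /* no check that a whole header arrived */
    h.result = (h.request == REQ_NOP) ? RES_OK : RES_INVALID_REQUEST;
    memcpy(stale_slot, &h, sizeof h);
    size_t n = h.size < BUF_SIZE ? h.size : BUF_SIZE;
    memcpy(out, stale_slot, n);              /* leaks stale bytes left by earlier requests */
    return n;
}

/* Wipe through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* The lecture's rules: result field is RES_REQUEST, at least a full header arrived,
 * and the size field equals the datagram length recvfrom reported. */
static bool validate_request(const proto_header *h, size_t received)
{
    return received >= sizeof *h && h->result == RES_REQUEST && h->size == received;
}

/* UDP server 08: zeroed local, length checked, request validated, reply limited to
 * what was received, buffer wiped before return, no reply at all on invalid input. */
size_t server08_handle(const uint8_t *in, size_t in_len, uint8_t *out)
{
    uint8_t buf[BUF_SIZE] = {0};
    if (in_len > sizeof buf) return 0;       /* bigger than the buffer: drop it */
    memcpy(buf, in, in_len);
    proto_header h;
    memcpy(&h, buf, sizeof h);
    if (!validate_request(&h, in_len)) return 0;
    h.result = (h.request == REQ_NOP) ? RES_OK : RES_INVALID_REQUEST;
    memcpy(buf, &h, sizeof h);
    memcpy(out, buf, in_len);                /* echo exactly the bytes received */
    secure_zero(buf, sizeof buf);
    return in_len;
}

/* Builds a datagram: header with the claimed size, then data_len bytes of data. */
static size_t build_request(uint8_t *buf, uint16_t req, uint16_t serial,
                            uint16_t claimed, const void *data, size_t data_len)
{
    proto_header h = { req, serial, RES_REQUEST, claimed };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, data, data_len);
    return sizeof h + data_len;
}

/* True if needle occurs anywhere in the first len bytes of hay. */
bool contains(const uint8_t *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) return true;
    return false;
}

/* Replays the lecture's two datagrams against `server`: a 64-byte valid request
 * carrying constructed sample secrets, then an 8-byte header that claims 128 bytes
 * with an invalid request code. Returns the reply length of the second exchange. */
size_t run_attack(handler_fn server, uint8_t *reply)
{
    uint8_t dgram[BUF_SIZE], scratch[BUF_SIZE];
    char payload[56] = "user=alice;card=4111-1111-1111-1111";   /* constructed sample */
    size_t n = build_request(dgram, REQ_NOP, 1, 64, payload, sizeof payload);
    server(dgram, n, scratch);                     /* the victim's exchange */
    n = build_request(dgram, 0x7777, 2, BUF_SIZE, "", 0);
    return server(dgram, n, reply);                /* the attacker's exchange */
}

int main(void)
{
    uint8_t reply[BUF_SIZE];
    size_t n = run_attack(server0_handle, reply);
    printf("server0:  %zu bytes back, card leaked: %s\n", n, contains(reply, n, "4111-1111") ? "yes" : "no");
    printf("server08: %zu bytes back (0 = request dropped)\n", run_attack(server08_handle, reply));
    return 0;
}
```

Compile with any C99 compiler and run: the first line reports that the card number from the victim's datagram comes back inside the attacker's 128-byte reply, the second that server 08 sends nothing for the malformed datagram, which is the silent timeout the hacker program waits on at the end of the video. Two simplifications to keep in mind: the real leak comes from the same stack slot being reused by successive recvfrom calls rather than from a static array, and the stale bytes beyond offset 64 are zeros here where the debug build would show 0xCC. The explicit secure_zero is a portable stand-in for memset_s or explicit_bzero, which are not available on every platform.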