Download CATCHING EXCEPTIONS

CATCHING
EXCEPTIONS
CSCE 548 - STUDENT PRESENTATION
LARRY PARKER
Technical Overview
 - Exception handling is an often misused feature
- What is Exception Handling?
• - When something goes wrong & the program or system executes immediate actions
- Try-Catch blocks are used in programming languages
 - Windows operating systems/Objective C++ have structured exception handling
• - 3 types of blocks (try, except, & finally)
 - UNIX-based operating systems/Linux/Mac Os utilize signal handling
Example #1
 Sinful Structured Exception Handling (SEH)
 - Microsoft-Windows operating system
• - Uses Structured Exception Handling
• - Includes keywords (try, except, & finally)
int Filter ( DWORD dwExceptionCode )
{
if ( dwExceptionCode == EXCEPTION_INTEGER_OVERFLOW )
return EXCEPTION_EXECUTE_HANDLER;
else
Example #1 (cont’d)
return EXCEPTION_CONTINUE_SEARCH;
}
void Foo()
{
__try //invokes the exception handler in the first _except block; operating system creates pop-ups
{
DoSomethingScary();
}
__except( Filter( GetExceptionCode() ) ) //the filter expression is called & makes decisions based on exception code
{
printf ("Integer overflow!\n");
return E_FAIL;
}
__finally //If the _try block is exited normally or through an exception, then the _finally block is executed
{
// Clean up from __try block
}
}
Example #2
 Sinful Signal Handling
 - UNIX-based operating systems
• - Signal handlers process various signals
• - Passed into a process
• - Errors that happen internal to a process
• - User-defined signals
 - Problems
• - Unstable application being repaired through recovery or performance clean-up tasks may
cause additional problems
• - Common to UNIX-based operating systems (BSD, System V, & Linux)
Example #2 (cont’d)
• - Signal handlers will resume at the instruction that raised the signal
• - Ex. A SH for numerical error, such as divide by zero, can easily get into an infinite loop
Detection Methods
 - Pattern
• - Using catch(…)
• - Using catch(Exception)
• - Using _except(EXCEPTION_EXECUTE_HANDLER)
 - Code Review
• - Look for catch blocks that catch all exceptions
• - Examine whether exception-safe techniques are in use
• - Search for uninitialized variables
 - Testing Techniques
• - Attach a debugger & cause SEH exception handler to break on all first-chance exceptions
Avoidance of Error
 - Examine code for code that catches exceptions or handles signals
 - Ensure clean-up tasks occur on properly initialized objects
 - Review try-except blocks
• - Ensure no __except blocks handle exceptions
 - Audit signal handles
• - Only safe functions are called
• - Do not ever attempt to handle segmentation faults
Conclusion
 - Do catch only specific exceptions.
 - Do handle only structured exceptions that your code can handle.
 - Do handle signals with safe functions.
 - Do not catch(…).
 - Do not catch (Exception).
 - Do not __except(EXCEPTION_EXECUTE_HANDLER).
 - Do not handle SIG_SEGV signals, except to log.
References
Howard, Michael, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. New York:
McGraw-Hill Co., 2010. Kindle Edition