Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
CATCHING EXCEPTIONS CSCE 548 - STUDENT PRESENTATION LARRY PARKER Technical Overview - Exception handling is an often misused feature - What is Exception Handling? • - When something goes wrong & the program or system executes immediate actions - Try-Catch blocks are used in programming languages - Windows operating systems/Objective C++ have structured exception handling • - 3 types of blocks (try, except, & finally) - UNIX-based operating systems/Linux/Mac Os utilize signal handling Example #1 Sinful Structured Exception Handling (SEH) - Microsoft-Windows operating system • - Uses Structured Exception Handling • - Includes keywords (try, except, & finally) int Filter ( DWORD dwExceptionCode ) { if ( dwExceptionCode == EXCEPTION_INTEGER_OVERFLOW ) return EXCEPTION_EXECUTE_HANDLER; else Example #1 (cont’d) return EXCEPTION_CONTINUE_SEARCH; } void Foo() { __try //invokes the exception handler in the first _except block; operating system creates pop-ups { DoSomethingScary(); } __except( Filter( GetExceptionCode() ) ) //the filter expression is called & makes decisions based on exception code { printf ("Integer overflow!\n"); return E_FAIL; } __finally //If the _try block is exited normally or through an exception, then the _finally block is executed { // Clean up from __try block } } Example #2 Sinful Signal Handling - UNIX-based operating systems • - Signal handlers process various signals • - Passed into a process • - Errors that happen internal to a process • - User-defined signals - Problems • - Unstable application being repaired through recovery or performance clean-up tasks may cause additional problems • - Common to UNIX-based operating systems (BSD, System V, & Linux) Example #2 (cont’d) • - Signal handlers will resume at the instruction that raised the signal • - Ex. A SH for numerical error, such as divide by zero, can easily get into an infinite loop Detection Methods - Pattern • - Using catch(…) • - Using catch(Exception) • - Using _except(EXCEPTION_EXECUTE_HANDLER) - Code Review • - Look for catch blocks that catch all exceptions • - Examine whether exception-safe techniques are in use • - Search for uninitialized variables - Testing Techniques • - Attach a debugger & cause SEH exception handler to break on all first-chance exceptions Avoidance of Error - Examine code for code that catches exceptions or handles signals - Ensure clean-up tasks occur on properly initialized objects - Review try-except blocks • - Ensure no __except blocks handle exceptions - Audit signal handles • - Only safe functions are called • - Do not ever attempt to handle segmentation faults Conclusion - Do catch only specific exceptions. - Do handle only structured exceptions that your code can handle. - Do handle signals with safe functions. - Do not catch(…). - Do not catch (Exception). - Do not __except(EXCEPTION_EXECUTE_HANDLER). - Do not handle SIG_SEGV signals, except to log. References Howard, Michael, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. New York: McGraw-Hill Co., 2010. Kindle Edition