界: Input Validation and Representation

输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括：“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。

Unsafe Native Invoke

C#/VB.NET/ASP.NET

Abstract

Platform Invocation Service 使用不当会导致受管应用程序很容易受到其他语言的安全漏洞攻击。

Explanation

当受管应用程序使用 P/Invoke 调用以其他编程语言编写的本机（非受管）代码时，会发生 Unsafe Native Invoke 漏洞。

示例 1：以下 C# 代码定义了一个名为 Echo 的类。该类声明了一个本机方法，该方法会使用 C 将控制台上输入的命令回显给用户。


class Echo
{
  [DllImport("mylib.dll")]
  internal static extern void RunEcho();

  static void main(String[] args)
  {
    RunEcho();
  }
}

以下 C 语言代码定义了在 Echo 类中实现的本地方法：


#include <stdio.h>

void __stdcall RunEcho()
{
  char* buf = (char*) malloc(64 * sizeof(char));
  gets(buf);
  printf(buf);
}

因为 Echo 是在受管代码中实现的，所以看上去似乎可以避免诸如 buffer overflow 漏洞之类的内存问题。虽然受管环境在确保内存操作安全方面确实能起到很好的作用，但是这种保护没有扩大到使用 P/Invoke 访问的本机代码中发生的漏洞。尽管有受管运行时环境提供的内存保护机制，但是这个例子中的本机代码仍然很容易受到 buffer overflow 的攻击，因为它在没有执行任何输入检查的情况下就使用了 gets()。同样，虽然 buf 得到分配但并未被释放，因此也是一个 memory leak。

通过对此本机方法实现方式进行源代码审核，可以轻松检测到Example 1 中的漏洞。根据源代码的可用性和项目构建方式，此方法可能并不切合实际或无法实现，但在许多情况下还是可行的。然而，如果能够在托管环境和本机环境之间共享对象，则会进一步加大潜在的风险，因为托管代码中的数据处理不当可能会导致本机代码出现意外漏洞或不安全的操作，从而破坏托管代码中的数据结构，这种情况更加隐蔽。

通过受管应用程序访问的本地代码中出现的漏洞，通常与由本地语言编写的应用程序中存在的漏洞是一样的。这种攻击面临的唯一挑战是：攻击者需要确定受管应用程序是否使用了本地代码执行某些特定的操作。可以用多种方法实现上述目的，包括识别那些通常用本地代码实现的某些特定行为，或者利用受管应用程序中 system information leak 的漏洞（表明系统使用了 P/Invoke）。

References

[1] How to: Call Native DLLs from Managed Code Using PInvoke

[2] Standards Mapping - Common Weakness Enumeration CWE ID 111

[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[5] Standards Mapping - FIPS200 SI

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.dotnet.unsafe_native_invoke