Week 4 lecture cancelled
Software Security - Environment Variables & Attacks
Environment Variables
A set of name=value pairs which can be used in the operating environment of a process
- Unsafe for privileged programs, because their values are untrusted input supplied by users
- Example: the PATH variable
seed@seedvm:~$ printenv
SHELL=/bin/bash
SESSION_MANAGER=local/seedvm:@/tmp/.ICE-unix/1573,unix/seedvm:/tmp/.ICE-unix/1573
QT_ACCESSIBILITY=1
COLORTERM=truecolor
XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg
SSH_AGENT_LAUNCHER=gnome-keyring
XDG_MENU_PREFIX=gnome-
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
GNOME_SHELL_SESSION_MODE=ubuntu
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
XMODIFIERS=@im=ibus
DESKTOP_SESSION=ubuntu
GTK_MODULES=gail:atk-bridge
...
How to Access Environment Variables
Method 1: From the main() function
#include <stdio.h>
/* envp (the third argument) is a NULL-terminated array of "name=value" strings */
int main(int argc, char* argv[], char* envp[])
{
    int i = 0;
    while (envp[i] != NULL) {
        printf("%s\n", envp[i++]);
    }
    return 0;
}
Method 2: Using the global variable
The more reliable way.
#include <stdio.h>
/* environ is a global pointer to the process's current environment array */
extern char** environ;
int main(int argc, char* argv[], char* envp[])
{
    int i = 0;
    while (environ[i] != NULL) {
        printf("%s\n", environ[i++]);
    }
    return 0;
}
Other Functions
Programs can also use getenv(var_name) to get an environment variable, as well as:
- putenv(): to add an environment variable
- setenv(): to update an environment variable
- unsetenv(): to delete an environment variable
How does a process get an environment variable?
- If a new process is created using the fork() system call, the child process will inherit the parent process’s environment variables
- If a process runs a new program in itself, it uses the execve() system call.
  - Memory space is overwritten and all old environment variables are lost
  - execve(): to pass environment variables from a process to another process
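
The inheritance rules above, as an added C example (not part of the original notes): it checks whether a variable set in the parent is visible after fork() alone, after execve() with the parent's environ, and after execve() with a minimal environment, which is how a privileged program avoids handing user-controlled variables to the program it runs. DEMO_VAR, CLEAN_ENV and the function names are made up for illustration, and /bin/sh is assumed to exist.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

extern char **environ;

/* Constructed minimal environment: only what the new program needs. */
char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Wait for the child; map exit status 0 -> 1 (visible), 1 -> 0, else -1. */
static int reap(pid_t pid)
{
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

/* fork() only: the child is a copy of the parent, environment included. */
int visible_after_fork(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(getenv("DEMO_VAR") != NULL ? 0 : 1);
    return reap(pid);
}

/* fork() + execve(): the new program sees exactly the array in envp. */
int visible_after_exec(char *const envp[])
{
    char *const argv[] = { "/bin/sh", "-c", "[ -n \"$DEMO_VAR\" ]", NULL };
    pid_t pid = fork();
    if (pid == 0) {
        execve("/bin/sh", argv, envp);
        _exit(127);               /* only reached if execve() failed */
    }
    return reap(pid);
}

int main(void)
{
    setenv("DEMO_VAR", "set-by-parent", 1);   /* made-up name, sample value */
    printf("after fork():            %d\n", visible_after_fork());
    printf("after execve(environ):   %d\n", visible_after_exec(environ));
    printf("after execve(CLEAN_ENV): %d\n", visible_after_exec(CLEAN_ENV));
    return 0;
}
```

A result of 1 means the new process saw DEMO_VAR, 0 means it did not, and -1 means fork(), waitpid() or execve() failed.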