Skip to content

Latest commit

 

History

History
132 lines (91 loc) · 10.6 KB

mitigations.md

File metadata and controls

132 lines (91 loc) · 10.6 KB

Mitigation Strategies Analysis for google/flatbuffers

Mitigation Strategy: Strict Usage of Generated Accessors

1. Mitigation Strategy: Strict Usage of Generated Accessors

  • Description:

    1. Identify all FlatBuffers data access points: Review the codebase to find every instance where data is read from or written to a FlatBuffer.
    2. Replace direct buffer access: If any code directly accesses the underlying byte buffer (e.g., using pointer arithmetic or manual offset calculations), replace it with the corresponding generated accessor methods provided by the FlatBuffers library after schema compilation.
    3. Enforce accessor usage: Establish a coding standard that prohibits direct buffer access and mandates the use of generated accessors. This can be enforced through code reviews and potentially static analysis tools.
    4. Regular code reviews: Include checks for proper accessor usage in all code reviews.

  • Threats Mitigated:

    • Buffer Over-Reads/Under-Reads (Severity: High): Incorrect offset calculations, when manually accessing the buffer, can lead to reading outside buffer bounds, causing crashes or information leaks. Generated accessors perform bounds checks.
    • Integer Overflow/Underflow (Severity: Medium): While less likely with accessors, manual offset calculations are a primary source of integer overflow vulnerabilities. Accessors significantly reduce this risk by handling offset calculations internally.
    • Logic Errors (Severity: Medium): Using accessors enforces a consistent and type-safe way to access data, reducing the likelihood of logic errors related to data interpretation specific to the FlatBuffers format.

  • Impact:

    • Buffer Over-Reads/Under-Reads: Risk significantly reduced (near elimination if accessors are used exclusively).
    • Integer Overflow/Underflow: Risk reduced (accessors handle most cases; manual calculations are the remaining risk).
    • Logic Errors: Risk reduced (improved code clarity and consistency related to FlatBuffers data handling).

  • Currently Implemented:

    • Partially implemented. Accessors are used in src/network/message_handler.cpp and src/data/data_processor.cpp.

  • Missing Implementation:

    • Missing in src/legacy/old_data_format.cpp, which still uses manual buffer manipulation. This module needs refactoring to use generated accessors.
    • Some utility functions in src/utils/flatbuffer_helpers.cpp perform manual offset calculations. These need review and potential rewriting to rely on generated accessors where possible.

Mitigation Strategy: Validate Table/Struct Existence (Using Generated Methods)

2. Mitigation Strategy: Validate Table/Struct Existence (Using Generated Methods)

  • Description:

    1. Identify optional fields: Review the FlatBuffers schema (.fbs file) to identify all optional fields (fields that are not marked as required).
    2. Check for existence before access: Before accessing any optional field, always use the generated __has_... method (if available in your language binding) or check for a non-null return from the table accessor (which is also generated). This is a direct use of FlatBuffers-generated code.
    3. Handle missing fields gracefully: Implement logic to handle cases where an optional field is not present. This might involve using default values, skipping processing, or logging an error. The handling itself isn't FlatBuffers-specific, but the check is.
    4. Code review enforcement: Enforce these checks during code reviews.

  • Threats Mitigated:

    • Buffer Over-Reads/Under-Reads (Severity: High): Accessing non-existent fields can lead to incorrect offset calculations (if done manually) and out-of-bounds reads. The generated checks prevent this.
    • Logic Errors (Severity: Medium): Prevents unexpected behavior caused by accessing data that isn't present, specifically within the context of a FlatBuffers message.

  • Impact:

    • Buffer Over-Reads/Under-Reads: Risk significantly reduced (prevents a common cause of over-reads when dealing with optional FlatBuffers fields).
    • Logic Errors: Risk reduced (improves robustness and error handling related to the expected structure of FlatBuffers data).

  • Currently Implemented:

    • Mostly implemented. Checks are present in most places where optional fields are accessed.

  • Missing Implementation:

    • Need to audit src/ui/display_manager.cpp to ensure all optional fields in the UI configuration data (assuming it uses FlatBuffers) are checked before access using the generated methods.
    • Add unit tests specifically testing the handling of missing optional fields, verifying the correct behavior of the generated __has_... methods or null checks.

Mitigation Strategy: Schema Validation (Avoid Dynamic Loading)

3. Mitigation Strategy: Schema Validation (Avoid Dynamic Loading)

  • Description:

    1. Compile schemas into code: The primary mitigation is to avoid dynamic schema loading. Compile the .fbs schema files directly into the application code using the flatc compiler. This is a direct action related to the FlatBuffers build process.
    2. Secure schema storage: If dynamic loading is absolutely unavoidable (strongly discouraged), store schema files securely. This part is less FlatBuffers-specific.
    3. Implement checksum verification (if dynamic loading is unavoidable): Calculate a hash of the schema file. This is a general security practice, but it's applied to the FlatBuffers schema.
    4. Reject invalid schemas (if dynamic loading is unavoidable): If verification fails, don't load the schema.

  • Threats Mitigated:

    • Schema Poisoning (Severity: High): Prevents attackers from modifying the .fbs schema file to introduce vulnerabilities by altering the expected data structure.

  • Impact:

    • Schema Poisoning: Risk eliminated (if dynamic loading is avoided) or significantly reduced (if checksum verification is used, though avoidance is far superior).

  • Currently Implemented:

    • Fully implemented. Schemas are compiled into the code. Dynamic schema loading is not used.

  • Missing Implementation:

    • Not applicable, as dynamic loading is avoided.

Mitigation Strategy: Builder Object Resetting

4. Mitigation Strategy: Builder Object Resetting

  • Description:

    1. Identify builder usage: Review the codebase to find all instances where FlatBuffers Builder objects are used.
    2. Reset before reuse: Before reusing a Builder object, always call its Reset() or clear() method (the specific method name depends on the language binding). This is a direct use of the FlatBuffers API.
    3. Document builder usage: Clearly document the lifetime and usage patterns of Builder objects.
    4. Code review enforcement: Enforce proper resetting during code reviews.

  • Threats Mitigated:

    • Object Reuse Without Resetting (State Confusion) (Severity: Medium): Prevents unexpected behavior caused by retained state from previous operations within the FlatBuffers Builder.

  • Impact:

    • Object Reuse Without Resetting: Risk significantly reduced (prevents a class of subtle bugs specific to how FlatBuffers Builder objects are intended to be used).

  • Currently Implemented:

    • Mostly implemented. Builders are generally reset before reuse.

  • Missing Implementation:

    • Need to audit src/network/message_builder.cpp to ensure all Builder objects are consistently reset.
    • Add unit tests specifically testing the reuse of Builder objects, verifying the correct behavior of the Reset() or clear() methods.

Mitigation Strategy: Verifier Class Usage

5. Mitigation Strategy: Verifier Class Usage

  • Description:

    1. Identify Deserialization Points: Locate all code sections where FlatBuffers data is received and deserialized.
    2. Instantiate Verifier: Before accessing any data from the FlatBuffer, create an instance of the FlatBuffers Verifier class, providing the buffer's data pointer and size. This is a direct use of the FlatBuffers API.
    3. Verify Buffer: Call the VerifyBuffer method on the Verifier object, passing the root type of your FlatBuffer (obtained from the generated code). This is a direct use of the FlatBuffers API.
    4. Handle Verification Result: Check the return value of VerifyBuffer. If it returns false, the buffer is invalid according to FlatBuffers' internal consistency checks and should not be accessed. Log an error and handle the situation. If it returns true, the buffer is considered structurally valid according to the schema, and you can proceed (still using generated accessors and other mitigations).
    5. Code Review: Ensure that all deserialization points include the Verifier step during code reviews.

  • Threats Mitigated:

    • Buffer Over-Reads/Under-Reads (Severity: High): The Verifier performs checks for basic structural integrity, including valid offsets and sizes within the FlatBuffer, reducing the risk of out-of-bounds access.
    • Integer Overflow/Underflow (Severity: Medium): The Verifier performs some checks related to integer sizes used internally by FlatBuffers, mitigating some overflow risks.
    • Invalid FlatBuffers Data (Severity: Medium): Detects structurally invalid FlatBuffers data, preventing crashes or unexpected behavior that could arise from malformed buffers.

  • Impact:

    • Buffer Over-Reads/Under-Reads: Risk reduced (provides a FlatBuffers-specific level of structural validation).
    • Integer Overflow/Underflow: Risk reduced (some checks are performed by the Verifier).
    • Invalid FlatBuffers Data: Risk significantly reduced (detects many common errors in the FlatBuffers binary format).

  • Currently Implemented:

    • Partially implemented. The Verifier is used in src/network/message_handler.cpp.

  • Missing Implementation:

    • The Verifier is not used in src/data/local_data_loader.cpp. This is a critical oversight.
    • Need to add unit tests specifically testing the Verifier's behavior with both valid and intentionally invalid FlatBuffers.