Bride of Buffer Overflow


1 Bride of Buffer Overflow
Chapter 7 Bride of Buffer Overflow

2 Chapter Synopsis
Integers
  Wrap around errors
  Truncation and sign extension
  Conversions between unsigned and signed
  Methods to detect and prevent problems
Runtime Protection
  Safe Programming Languages
  Safer C Dialects
  Dynamic Buffer Overflow protections

3 The Problem
Numbers in computers are not mathematical integers but only an approximation of them: they are bounded, have a sign and a fixed representation. Many arithmetic operations and conversions therefore risk returning nonsense values because of machine limitations. When such a nonsense value is used to allocate memory, to bound a string operation, or to index into a buffer, the result is a buffer overflow.

4 The 4-bit number wheels

5 An example
An Integer Overflow causing a Buffer overflow:

    u_int nresp;
    nresp = packet_get_int();
    if (nresp > 0) {
        /* nresp * sizeof(char *) can wrap around, giving a small allocation
           that the loop below then writes past */
        response = xmalloc(nresp * sizeof(char *));
        for (i = 0; i < nresp; i++)
            response[i] = packet_get_string(NULL);
    }

Value of nresp = causes problems.

6 Other Problems
Subtracting from 0 can also cause problems.
(example, page 238) (next slide)

7 Bad subtract from 0

    unsigned int readamt;
    readamt = getstringsize(...);
    if (readamt > 1024)
        return -1;
    readamt--;   /* don't allocate space for '\n'; when readamt == 0 this wraps to UINT_MAX */
    buf = malloc(readamt);

8 Truncation and sign extension
When integers get truncated, the most significant part is lost; when they get expanded, the most significant bit is extended, sometimes with unexpected results. Examples: -1 truncated to 4 bits is 15; the 4-bit value 7 expanded is still 7, but the 4-bit value 15 (unsigned) can become -1 if it is sign-extended!

9 Conversion between signed and unsigned
The problem is the high-order bit: the semantics are different, so the meaning is different. Bad example:

    char *a;
    short len = ????;
    if (len < 1024)
        a = malloc((int)len);   /* a negative len passes the check, then converts to a huge size_t */

10 What to do?
Use Unsigned types (watch out, though)
Expect bad assumptions
Restrict numeric user input: use sanity checks
Sanity check values used to allocate and access memory
Respect compiler warnings
Use best practices for your compiler
Understand Integer Conversion rules
Verify overflow of operators

11 Use Best Practices for CL from MSDN
Compile with the highest possible warning level: /W4
Watch out for integer-related compiler warnings
Investigate all #pragma directives that disable overflow warnings
Enable runtime integer error checks for conversion overflows with /RTCc (for debugging only)

12 Use Best Practices for gcc
Compile with -Wconversion -Wsign-compare
Check all #pragma directives that disable diagnostics
Enable runtime error checks with -ftrapv (not for production runs)

13 Understand Integer Conversion rules
There is a plethora of rules, but the most important ones are: a type with less precision is usually upcast to one with higher precision, but an unsigned type can be implicitly converted to a signed type even if not all of its values can be represented.

14 Verify conditions for operators that can overflow
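The checks the last slides call for, written out as an added example (not code from the slides or from the book they summarise): an overflow-checked multiply for the nresp * sizeof(char *) allocation of slide 5, a guard for the readamt-- underflow of slide 7, and an explicit range check for the signed short length of slide 9. The function names and the 1024 caps are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked count * elem. Instead of letting the product wrap
 * around (the slide 5 bug), refuse it when it would exceed SIZE_MAX. */
bool checked_mul_size(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;                 /* product would wrap around */
    *out = count * elem;
    return true;
}

/* Array allocation guarded by the multiply check and by a policy cap
 * on the element count. Returns NULL on overflow or an oversized count. */
void *alloc_array(size_t count, size_t elem, size_t max_count) {
    size_t bytes;
    if (count > max_count)
        return NULL;
    if (!checked_mul_size(count, elem, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Guard for the slide 7 decrement: readamt - 1 is only meaningful when
 * readamt >= 1; at 0 an unsigned decrement wraps to UINT_MAX. */
bool body_length_without_newline(unsigned int readamt, unsigned int *out) {
    if (readamt == 0 || readamt > 1024)
        return false;
    *out = readamt - 1;
    return true;
}

/* Guard for the slide 9 signed length: a negative short passes "len < 1024"
 * but becomes a huge size_t inside malloc. Reject negatives explicitly and
 * convert only once the value is known to be in range. */
bool length_to_size(short len, size_t *out) {
    if (len < 0 || len >= 1024)
        return false;
    *out = (size_t)len;
    return true;
}
```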

15 Use Special Libraries
SafeInt
IntSafe

16 Safer Programming Languages/Dialects
Safe Programming Languages like: Java, C#, Python, Ruby
Safe dialects of C/C++ like: CCured, Cyclone

17 Dynamic Buffer Overflow Protections
Not a fix:
Non-executable memory segments
Compile-Time Instrumentation ("canaries")
Virtual Execution Environments
Hardened System Libraries

