Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS2S562 Secure Software Development

Published byHenrik Lange Modified over 5 years ago

Similar presentations

Presentation on theme: "CS2S562 Secure Software Development"— Presentation transcript:

1 CS2S562 Secure Software Development
Integer Security

2 Recap: Risk = S x L x R Severity - How serious are the consequences
1 = low (denial-of-service attack, abnormal termination) 2 = medium (data integrity violation, unintentional information disclosure) 3 = high (run arbitrary code, privilege escalation) Likelihood - How likely is it an exploitable vulnerability 1 = unlikely 2 = probable 3 = likely Remediation Cost - How expensive is it to fix 3 = high (manual detection and correction) 2 = medium (automatic detection and manual correction) 1 = low (automatic detection and correction)

3 Recap: String Security
String vulnerabilities: Buffer overflow 3rd most frequent vulnerability in software generally Use string class wherever possible, not char[ ] Use the safe str…_s() methods If using char[ ] : use i < xxx.length_s() for safe upper boundary, not <= check also that lower boundary never negative If using string class: should be null terminated (even if used with str…_s() methods) check if pointer to string is != NULL before use Lab & Lecture Self Study

4 Looking Ahead… In Coursework:
You will be asked to demonstrate the use of the String class and char[ ] in a secure way. Keep lab and self study notes safe (in you head, on paper, on file) You will also be asked to demonstrate the secure use of integers. Let’s investigate this now…

5 Integer Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C Unsigned integer wrap 3 27 Signed integer overflows Loss of data due to type-casting 2 18 Division and remainder resulting in divide-by-zero 1 6 Integer <–> pointer conversions C++ Out of range enumeration values 4 Negative bit shifts Incorrect integer precisions Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

6 Unsigned Integers C++ types unsigned char unsigned short int
unsigned long int unsigned long long int (C++11) Where is the problem? Programmers know the lengths (in bytes) of all of these, don’t they? Here is the rub: The amount of bytes in the above types depends on compiler and platform used

7 Unsigned Integers Therefore use C99 (or higher) data types:
In C: <inttypes.h>, C++: cinttypes header (alternatively: C: <stdint.h>, C++: cstdint header) Defined length  portability & compiler independence good for ‘if’ checks e.g. uint32_t x=5; From Wikipedia:

8 Unsigned Integers Why should I use an unsigned integer?
Convey to reader the expected range of values that a variable may take on. They are more efficient. Modulus arithmetic is completely defined. Overflowing an unsigned data type is defined, whereas overflowing a signed integer results in undefined behaviour You can safely perform shift operations Larger dynamic range. So, what’s the problem?

9 Unsigned Integer Wrap The number 14 in computer memory: 1 16 bit 1 bit
1 byte 1 byte 1 32,768 128 16 8 4 2 1 215 27 22 21 20 = 14

10 Unsigned Integer Wrap If we add 1 then the result is: 1 16 bit 1 byte
1 32,768 128 16 8 4 2 1 215 27 22 21 20 = 15

11 Unsigned Integer Wrap Adding 1 more “flips” the first 4 bits to ‘0’: 1
1 byte 1 byte 1 1 32,768 128 16 8 4 2 1 215 27 22 21 20 = 16 = 15

12 Unsigned Integer Wrap The highest number possible is: 1 16 bit 1 byte
32,768 128 16 8 4 2 1 215 27 22 21 20 32, , , = 65,535

13 Unsigned Integer Wrap And now we add 1 ….
… and the int wraps round to zero 16 bit 1 byte 1 byte 32,768 128 16 8 4 2 1 215 27 22 21 20 = 0

14 Unsigned Integer Wrap Operators that can cause unsigned integer wrapping + Yes -= << < No - *= >> > * /= & >= / %= | <= % <<= ^ == ++ >>= ~ != -- &= ! && = |= un + || += ^= un - ?: Table data source: CERT.org

15 The Most Famous Integer Wrap Fault
Level 256 in PacMan thought to be unreachable…

16 Unsigned Integer Wrap Example
Faulty void addThem(unsigned int ui_a, unsigned int ui_b) { unsigned int ui_sum = ui_a + ui_b;    /* ... */ }

17 Unsigned Integer Wrap Example
Correct #include <limits.h> void addThem(unsigned int ui_a, unsigned int ui_b) { unsigned int ui_sum;    if (UINT_MAX - ui_a < ui_b) {      /* Handle error */    } else {      ui_sum = ui_a + ui_b;    }    /* ... */ } This is a ‘pre-condition’ test In lab design a post-condition test

18 Unsigned Integer Wrap Example
Better #include <limits.h> #include <inttypes.h> void addThem(uint16_t ui_a, uint16_t ui_b) { uint16_t ui_sum;    if (UINT16_MAX - ui_a < ui_b) {      /* Handle error */    } else {      ui_sum = ui_a + ui_b;    }    /* ... */ } This is a ‘pre-condition’ test In lab design a post-condition test

19 Unsigned Integer Wrap Example
Not just faulty, potentially dangerous May create exploitable code e.g.: buffer overflow void storeValues(unsigned int ui_a, unsigned int ui_b) { unsigned int ui_sum = ui_a + ui_b;    stuff->aBuffer = malloc ( ui_sum * sizeof(float) ); /* use of aBuffer (that may be too small) here…*/ }

20 Side Note: Variable Names
OK, you use uint16_t or int32_t now But: the variable is just called ‘x’ So: how can you know later in your code how many bits ‘x’ is long and what type it actually is? Answer: give variables a meaningful name that includes the amount of bits and the type, e.g. uint16_t ui16_x; int64 i64_length; float f_hight; // floats are standardised to 32 bits, no need for ‘f32_’ double d_width; // doubles are standardised to 64 bits Naming rules like this (there are many versions) are enforced in many companies in the computing industry

21 Integer Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C Unsigned integer wrap 3 27 Signed integer overflows Loss of data due to type-casting 2 18 Division and remainder resulting in divide-by-zero 1 6 Integer <–> pointer conversions C++ Out of range enumeration values 4 Negative bit shifts Incorrect integer precisions Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

22 Signed Integer Overflow
Operators that can cause signed integer overflow + Yes -= << < No - *= >> > * /= & >= / %= | <= % <<= ^ == ++ >>= ~ != -- &= ! && = |= unary + || += ^= unary - ?: Table data source: CERT.org

23 Signed Integers C++ types And the rub again: char short int int
long int long long int (C++11) And the rub again: The amount of bytes in the above types depends on compiler and platform used It’s not that simple

24 Signed Integers Therefore use C99 (or higher) data types
In C: <inttypes.h>, C++: cinttypes header (alternatively: C: <stdint.h>, C++: cstdint header) Defined length  portability & compiler independence good for ‘if’ checks e.g. int64_t x=5; From Wikipedia:

25 Signed Integer Overflow
The number 14 in computer memory: 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 = 14

26 Signed Integer Overflow
The biggest positive 16 bit signed integer: 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 16, , = 32,767

27 Signed Integer Overflow
What happens if we add just one more ? 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 16, , = 32,767

28 Signed Integer Overflow
What happens if we add just one more ? #include <stdio.h> int main() { short x = 32767; printf("The short is now: %d \n", x); x=x+1; printf("And now: %d Oh! ", x); return 0; }

29 Signed Integer Overflow
What happens if we add just one more ? Source: Can’t Sleep 

30 Signed Integer Overflow
We created the biggest negative 16 bit signed integer: 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 -32, … = -32,768

31 Signed Integer Overflow
And -1 is: 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 -32, ,284 + … = -1

32 Signed Integer Overflow
And -2 is: 16 bit Sign bit 1 byte 1 byte 1 16,284 128 16 8 4 2 1 215 27 22 21 20 -32, ,284 + … = -2

33 Signed Integer Overflow
Therefore Not a wrap but an overflow And another rub: The C and C++ standards do not define how compilers should encode an overflow. The behaviour on the last slides is the most common one, but not the only one possible Signed integer overflow is therefore undefined behaviour

34 Signed Integer Overflow Example
Faulty void addThem(int si_a, si_b) { int si_sum = si_a + si_b;    /* ... */ }

35 Signed Integer Overflow Example
Better #include <inttypes.h> void addThem(int16_t si_a, int16_t si_b) { int16_t si_sum;    if (((si_b > 0) && (si_a > (INT16_MAX - si_b))) ||        ((si_b < 0) && (si_a < (INT16_MIN - si_b)))) {      /* Handle error */   } else {      si_sum = si_a + si_b;   }   /* ... */ } In lab design tests for: Subtraction Multiplication Division

36 In The Lab Operators you write secure methods for (to be used in coursework) + Yes -= << < No - *= >> > * /= & >= / %= | <= % <<= ^ == ++ >>= ~ != -- &= ! && = |= unary + || += ^= unary - ?: Table data source: CERT.org

37 Integer Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C Unsigned integer wrap 3 27 Signed integer overflows Loss of data due to type-casting 2 18 Division and remainder resulting in divide-by-zero 1 6 Integer <–> pointer conversions C++ Out of range enumeration values 4 Negative bit shifts Incorrect integer precisions Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

38 Type-Casting Error Very simple

39 Type-Casting Error Ariane 5 Rocket 10 year of development £5b
June 4, 1996, first launch Exploded 40s after lift-off Rocket & cargo value: £350m Cause of the failure: software error in the inertial reference system the 64 bit floating point number of horizontal speed was converted to a 16 bit signed integer (type-casting). The number was larger than 32,767 (i.e. the largest int storeable in a 16 bit signed int) and thus the conversion failed. Graphic from: Dharshana Kasun Warusavitharana

40 Integer Vulnerabilities
Lang. Description Severity Likelihood Remediation Cost Risk C Unsigned integer wrap 3 27 Signed integer overflows Loss of data due to type-casting 2 18 Division and remainder resulting in divide-by-zero 1 6 Integer <–> pointer conversions C++ Out of range enumeration values 4 Negative bit shifts Incorrect integer precisions Self Study (aka ‘homework’) Table data source CERT.org Possible Values: 1, 2, 3, , 8, , 18, 27 Note: ‘C’ in above table means ‘C and C++’

41 End of Lecture

Download ppt "CS2S562 Secure Software Development"

Similar presentations

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 3: Primitive Data Types.

Bellevue University CIS 205: Introduction to Programming Using C++ Lecture 3: Primitive Data Types.
Computer Science 1620 Other Data Types. Quick Review: checklist for performing user input: 1) Be sure variable is declared 2) Prompt the user for input.

Computer Science 1620 Other Data Types. Quick Review: checklist for performing user input: 1) Be sure variable is declared 2) Prompt the user for input.
More about Numerical Computation CS-2301, B-Term 20091 More about Numerical Computation CS-2301, System Programming for Non-Majors (Slides include materials.

More about Numerical Computation CS-2301, B-Term More about Numerical Computation CS-2301, System Programming for Non-Majors (Slides include materials.
Floating point variables of different lengths. Trade-off: accuracy vs. memory space Recall that the computer can combine adjacent bytes in the RAM memory.

Floating point variables of different lengths. Trade-off: accuracy vs. memory space Recall that the computer can combine adjacent bytes in the RAM memory.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Outline Variables 1.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Outline Variables 1.
Carnegie Mellon 1 This Week: Integers Integers  Representation: unsigned and signed  Conversion, casting  Expanding, truncating  Addition, negation,

Carnegie Mellon 1 This Week: Integers Integers  Representation: unsigned and signed  Conversion, casting  Expanding, truncating  Addition, negation,
C programming for Engineers Lcc compiler – a free C compiler available on the web. Some instructions.

C programming for Engineers Lcc compiler – a free C compiler available on the web. Some instructions.
Summary of what we learned yesterday Basics of C++ Format of a program Syntax of literals, keywords, symbols, variables Simple data types and arithmetic.

Summary of what we learned yesterday Basics of C++ Format of a program Syntax of literals, keywords, symbols, variables Simple data types and arithmetic.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.2 Nov 20, 2012 Integer Issues.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.2 Nov 20, 2012 Integer Issues.
COMP 110-001 Primitive and Class Types Yi Hong May 14, 2015.

COMP Primitive and Class Types Yi Hong May 14, 2015.
ECE 103 Engineering Programming Chapter 4 Operators Herbert G. Mayer, PSU CS Status 6/19/2015 Initial content copied verbatim from ECE 103 material developed.

ECE 103 Engineering Programming Chapter 4 Operators Herbert G. Mayer, PSU CS Status 6/19/2015 Initial content copied verbatim from ECE 103 material developed.
Introduction to Algorithmic Processes CMPSC 201C Fall 2000.

Introduction to Algorithmic Processes CMPSC 201C Fall 2000.
Lecture 3: More Java Basics Michael Hsu CSULA. Recall From Lecture Two  Write a basic program in Java  The process of writing, compiling, and running.

Lecture 3: More Java Basics Michael Hsu CSULA. Recall From Lecture Two  Write a basic program in Java  The process of writing, compiling, and running.
Lesson Objectives Aims You should know about: Binary numbers ‘n’ that.

Lesson Objectives Aims You should know about: Binary numbers ‘n’ that.
Data Representation COE 308 Computer Architecture

Data Representation COE 308 Computer Architecture
Bitwise Operations C includes operators that permit working with the bit-level representation of a value. You can: - shift the bits of a value to the left.

Bitwise Operations C includes operators that permit working with the bit-level representation of a value. You can: - shift the bits of a value to the left.
Secure Coding Rules for C++ Copyright © 2016 Curt Hill

Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Variables, Operators, and Expressions

Variables, Operators, and Expressions
Today Variable declaration Mathematical Operators Input and Output Lab

Today Variable declaration Mathematical Operators Input and Output Lab
Computer Graphics Basic Maths for Graphics in C++

Computer Graphics Basic Maths for Graphics in C++

Similar presentations

Ads by Google