Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integer Overflows James Walden Northern Kentucky University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Integer Overflows James Walden Northern Kentucky University."— Presentation transcript:

1 Integer Overflows James Walden Northern Kentucky University

2 CSC 666: Secure Software Engineering Topics 1.Computer Integers 2.Integers in C and Java 3.Overflow Examples 4.Checking for Overflows

3 CSC 666: Secure Software Engineering Comair Integer Overflow December 25, 2004 Flight crew scheduling software stopped. Cancelled all 1100 flights that day. What happened? Winter weather led to many crew changes. Number of changes > 32,767.

4 CSC 666: Secure Software Engineering Integers Computer integers are not the same set of numbers as mathematical integers.  Finite set, not infinite.  What happens when integer calculations result in a number outside that set?

5 CSC 666: Secure Software Engineering Unsigned Integers 000 001 010 011 100 101 110 111 0 1 2 3 4 5 6 7

6 CSC 666: Secure Software Engineering Two’s Complement Two’s complement = One’s complement + 1. Sign is represented by most significant bit. Range: -2 n-1..2 n-1 -1, only one representation of 0. +75 0 1 0 0 1 0 1 1 Comp 1 0 1 1 0 1 0 0 +1 0 0 0 0 0 0 0 1 -75 1 0 1 1 0 1 0 1

7 CSC 666: Secure Software Engineering Two’s Complement 000 001 010 011 100 101 110 111 0 1 2 3 -4 -3 -2

8 CSC 666: Secure Software Engineering C Integers TypeBitsMin ValueMax Value signed char8-128127 unsigned char80255 short16-3276832767 unsigned short16065535 int32-2,147,483,6482,147,483,647 unsigned int3204,294,967,295 long32-2,147,483,6482,147,483,647 unsigned long3204,294,967,295 long 64-9.223 x 10 18 9.223 x 10 18 unsigned long long6401.844 x 10 19

9 CSC 666: Secure Software Engineering Java Integers TypeBitsMin ValueMax Value byte8-128127 short16-3276832767 char16065535 int32-2,147,483,6482,147,483,647 long64-9.223 x 10 18 9.223 x 10 18

10 CSC 666: Secure Software Engineering Java Factorial Program public static void main(String args[]) { long product = 1; for(int i = 1; i <= 21; i++) { System.out.print(i); System.out.print("! = "); product *= i; System.out.println(product); }

11 CSC 666: Secure Software Engineering Output 1! = 1 2! = 2 3! = 6 …. 20! = 2432902008176640000 21! = -4249290049419214848

12 CSC 666: Secure Software Engineering Java BigInteger Class import java.math.BigInteger; public class BigFactorials { public static void main(String args[]) { BigInteger product = BigInteger.ONE; BigInteger index = BigInteger.ONE; for(int i = 1; i <= 21; i++) { System.out.print(i); System.out.print("! = "); product = product.multiply(index); System.out.println(product); index = index.add(BigInteger.ONE); }

13 CSC 666: Secure Software Engineering Output 1! = 1 2! = 2 3! = 6 …. 20! = 2432902008176640000 21! = -4249290049419214848

14 CSC 666: Secure Software Engineering Problems of Integer Overflows Difficult to detect after they’ve happened. –Compilers generally ignore them. –Assembly code can check carry flag, but high level languages can’t without calling assembly code. Difficult to avoid. –Subtle bugs can result in integer overflows.

15 CSC 666: Secure Software Engineering Integer Overflows in Voting Broward County 2004 election Amendment 4 vote was reported as tied. Software from ES&S Systems reported a large negative number of votes. Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.

16 CSC 666: Secure Software Engineering TKADV2009-002 Integer overflows in Amarok media player.  Reads input size + input from file.  Allocates input size + 1 bytes, which can be very small.  Reads file data into very small buffer, leading to a buffer overflow.

17 CSC 666: Secure Software Engineering Strip Extension void StripExtension(char * filename) { unsigned short int newSize = strlen(filename) - 4; char * buffer = (char *)malloc(newSize + 1); strncpy(buffer, filename, newSize); buffer[newSize] = ‘\0’; printf(“%s”, buffer); free(buffer); }

18 CSC 666: Secure Software Engineering Valid Use What would happen if StripExtension were called as follows? StripExtension(“a.txt”);

19 CSC 666: Secure Software Engineering Invalid Use What would happen if StripExtension were called as follows? // User failed to include the extension. StripExtension(“a”);

20 CSC 666: Secure Software Engineering Answer  newSize = 0xffffd = (1 minus 4) = -3  newSize is an unsigned short integer  This value is 65533.  The function creates a 65534-byte buffer.

21 CSC 666: Secure Software Engineering Unsigned Addition An unsigned addition unsigned int x, y, sum; sum = x + y; Precondition if( x > UINT_MAX – y) /* error */ Postcondition if( (x >= 0 && sum y) ) /* error */

22 CSC 666: Secure Software Engineering Signed Addition Preconditions xyPrecondition Positive if (x > INT_MAX – y) /* error */ PositiveNegativeNone NegativePositiveNone Negative if (x < INT_MIN – y) /* error */

23 CSC 666: Secure Software Engineering Integer Multiplication Overflow CESA-2004-001: libpng info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr- >height * sizeof(png_bytep)); If height > INT_MAX / sizeof(png_bytep) Size of new buffer will be a small integer. User data in image file can be used to generate a buffer overflow attack.

24 CSC 666: Secure Software Engineering Widening Conversions A conversion from a type with a smaller range of values to type with a larger range of values. Examples: byte -> short, short -> long Sign extension Propagates signed bit from source type to all unused bits in destination type. Magnitude and sign are preserved.

25 CSC 666: Secure Software Engineering Widening Conversion Example Source type: byte Value: -7 1 1 1 1 1 0 0 1 Destination type: short Value: -7 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 1

26 CSC 666: Secure Software Engineering Narrowing Conversions Conversions from a wider type to a narrower type. Examples: long -> byte, int -> short Truncation Bits from source type that don’t fit into narrower destination type are discarded. Magnitude and sign may change.

27 CSC 666: Secure Software Engineering Narrowing Conversion Example Source Type: short Value: 257 0 0 0 0 0 0 0 1 Destination Type: byte Value:1 0 0 0 0 0 0 0 1

28 CSC 666: Secure Software Engineering Sign Extension Vulnerability CERT CA-1996-22: bash yy_string_get() reads user data as chars. Each char converted to an int when parsed. A char value of 255 sign extended to int -1. Integer -1 means command separator. Example exploit bash -c 'ls\377who'

29 CSC 666: Secure Software Engineering Range Checking Check that integer ranges are valid. Be more specific than INT_MIN, INT_MAX. Liquid water temperatures range 0..100. Use type system to check. Some languages allow integer ranges. Create abstract data types in languages that don’t provide integer range types.

30 CSC 666: Secure Software Engineering Proposal: Ranged Integers in C All integer types can be ranged. Static: range determined at compile time. Dynamic: range determined at run time. Semantics Saturation: values beyond range = max. Wrap: values wrap to bottom of range. Examples Saturation: int 0|..|100 temperature = 0 Wrap: long min max circular;

31 CSC 666: Secure Software Engineering Compiler Checks Microsoft VS 2005 CL  Runtime integer error checks: /RTCc  Use highest warning level /W4  Check for #pragma warning(disable, C####) GCC  Runtime integer error checks: -ftrapv  Use integer-relevant warnings: -Wconversion –Wsign-compare  Check for #pragma GCC diagnostic ignored option

32 CSC 666: Secure Software Engineering Secure Integer Libraries IntegerLib –Designed for C, but usable in C++. –Available from CERT. IntSafe –C library written by Michael Howard. –Uses architecture specific inline assembly. SafeInt –C++ template class from David LeBlanc.

33 CSC 666: Secure Software Engineering SafeInt C++ Class int main(int argc, char *const *argv) { try { SafeInt s1(strlen(argv[1])); SafeInt s2(strlen(argv[2])); char *buff = (char *) malloc(s1 + s2 + 1); strcpy(buff, argv[1]); strcat(buff, argv[2]); } catch(SafeIntException err) { abort(); }

34 CSC 666: Secure Software Engineering When to use Secure Int Libraries? Use Secure Integer libraries when Integers come from untrusted sources. Don’t use Secure Integer libraries when Integers not influenced by external sources. Tight loops: check int values before loop.

35 CSC 666: Secure Software Engineering Integer Overflow: Key Points Integer arithmetic. –Two’s complement format signed ints. –Know your language’s integer conversions. Impact of integer overflows –Can be used to defeat bounds checks. –Influence important data, like vote counts. Mitigating integer overflows. –Precondition or postcondition testing. –Use safe integer libraries where possible.

36 References 1.Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007. 2.Jeff Gennari et. al., Ranged Integers for the C Programming Language. CMU/SEI-2007-TN-027, 2007. 3.Michael Howard and David LeBlanc, Writing Secure Code, 2 nd edition, Microsoft Press, 2003. 4.Robert C. Seacord, Secure Coding in C and C++, Addison- Wesley, 2006. 5.Robert C. Seacord, CERT Secure Coding Standards: Integers, https://www.securecoding.cert.org/confluence/display/seccode/04. +Integers+(INT), 2009. https://www.securecoding.cert.org/confluence/display/seccode/04. +Integers+(INT) 6.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002. 7.David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure- Programs-HOWTO/index.html, 2003.http://www.dwheeler.com/secure-programs/Secure- Programs-HOWTO/index.html

Download ppt "Integer Overflows James Walden Northern Kentucky University."

Similar presentations

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
© 2003 Xilinx, Inc. All Rights Reserved Looking Under the Hood.

© 2003 Xilinx, Inc. All Rights Reserved Looking Under the Hood.
CS 61C L03 Introduction to C (1)Harvey / Wawrzynek Fall 2003 © UCB 8/29/2003  Brian Harvey (www.cs.berkeley.edu/~bh) John Wawrzynek  (Warznek) (www.cs.berkeley.edu/~johnw)

CS 61C L03 Introduction to C (1)Harvey / Wawrzynek Fall 2003 © UCB 8/29/2003  Brian Harvey ( John Wawrzynek  (Warznek) (
CHAPTER 4: Representing Integer Data The Architecture of Computer Hardware and Systems Software: An Information Technology Approach 3rd Edition, Irv Englander.

CHAPTER 4: Representing Integer Data The Architecture of Computer Hardware and Systems Software: An Information Technology Approach 3rd Edition, Irv Englander.
Assembly Language and Computer Architecture Using C++ and Java

Assembly Language and Computer Architecture Using C++ and Java
Assembly Language and Computer Architecture Using C++ and Java

Assembly Language and Computer Architecture Using C++ and Java
CS 61C L2 Introduction to C (1) A Carle, Summer 2006 © UCB inst.eecs.berkeley.edu/~cs61c CS61C : Machine Structures Lecture 2: Introduction To C 2006-06-27.

CS 61C L2 Introduction to C (1) A Carle, Summer 2006 © UCB inst.eecs.berkeley.edu/~cs61c CS61C : Machine Structures Lecture 2: Introduction To C
Introduction to C Programming Overview of C Hello World program Unix environment C programming basics.

Introduction to C Programming Overview of C Hello World program Unix environment C programming basics.
1 Lecture 7: Computer Arithmetic Today’s topics:  Chapter 2 wrap-up  Numerical representations  Addition and subtraction Reminder: Assignment 3 will.

1 Lecture 7: Computer Arithmetic Today’s topics:  Chapter 2 wrap-up  Numerical representations  Addition and subtraction Reminder: Assignment 3 will.
COMP3221 lec07-numbers-III.1 Saeid Nooshabadi COMP 3221 Microprocessors and Embedded Systems Lecture 7: Number Systems - III

COMP3221 lec07-numbers-III.1 Saeid Nooshabadi COMP 3221 Microprocessors and Embedded Systems Lecture 7: Number Systems - III
Data Representation ICS 233

Data Representation ICS 233
Secure Coding in C and C++ Integer Security

Secure Coding in C and C++ Integer Security
Binary numbers and arithmetic. ADDITION Addition (decimal)

Binary numbers and arithmetic. ADDITION Addition (decimal)
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Software Security.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Software Security.
Carnegie Mellon 1 This Week: Integers Integers  Representation: unsigned and signed  Conversion, casting  Expanding, truncating  Addition, negation,

Carnegie Mellon 1 This Week: Integers Integers  Representation: unsigned and signed  Conversion, casting  Expanding, truncating  Addition, negation,
1 CS/COE0447 Computer Organization & Assembly Language Chapter 3.

1 CS/COE0447 Computer Organization & Assembly Language Chapter 3.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Architecture

Computer Architecture
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
James Walden Northern Kentucky University

James Walden Northern Kentucky University

Similar presentations

Ads by Google