Integer Overflows James Walden Northern Kentucky University.

Slides:



Advertisements
Similar presentations
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Advertisements

© 2003 Xilinx, Inc. All Rights Reserved Looking Under the Hood.
CS 61C L03 Introduction to C (1)Harvey / Wawrzynek Fall 2003 © UCB 8/29/2003  Brian Harvey ( John Wawrzynek  (Warznek) (
CHAPTER 4: Representing Integer Data The Architecture of Computer Hardware and Systems Software: An Information Technology Approach 3rd Edition, Irv Englander.
Assembly Language and Computer Architecture Using C++ and Java
Assembly Language and Computer Architecture Using C++ and Java
CS 61C L2 Introduction to C (1) A Carle, Summer 2006 © UCB inst.eecs.berkeley.edu/~cs61c CS61C : Machine Structures Lecture 2: Introduction To C
Introduction to C Programming Overview of C Hello World program Unix environment C programming basics.
1 Lecture 7: Computer Arithmetic Today’s topics:  Chapter 2 wrap-up  Numerical representations  Addition and subtraction Reminder: Assignment 3 will.
COMP3221 lec07-numbers-III.1 Saeid Nooshabadi COMP 3221 Microprocessors and Embedded Systems Lecture 7: Number Systems - III
Data Representation ICS 233
Secure Coding in C and C++ Integer Security
Binary numbers and arithmetic. ADDITION Addition (decimal)
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Software Security.
Carnegie Mellon 1 This Week: Integers Integers  Representation: unsigned and signed  Conversion, casting  Expanding, truncating  Addition, negation,
1 CS/COE0447 Computer Organization & Assembly Language Chapter 3.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Architecture
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
James Walden Northern Kentucky University
College of Engineering Representing Numbers in a Computer Section B, Spring 2003 COE1361: Computing for Engineers COE1361: Computing for Engineers 1 COE1361:
Summary of what we learned yesterday Basics of C++ Format of a program Syntax of literals, keywords, symbols, variables Simple data types and arithmetic.
Operations on Bits Arithmetic Operations Logic Operations
Software attacks int ConcatString(char *buf1, char *buf2, size_t len1, size_t len2) { char buf[256]; if((len1 + len2) > 256) return -1; memcpy(buf, buf1,
Static Analysis James Walden Northern Kentucky University.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
CSCE 548 Integer Overflows Format String Problem.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.2 Nov 20, 2012 Integer Issues.
Data Representation in Computer Systems. 2 Signed Integer Representation The conversions we have so far presented have involved only positive numbers.
07/12/ Data Representation Two’s Complement & Binary Arithmetic.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
1 Lecture 5 More Programming Constructs Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung Institute of Technology.
S ECURE P ROGRAMMING 6. B UFFER O VERFLOW (S TRINGS AND I NTEGERS ) P ART 2 Chih Hung Wang Reference: 1. B. Chess and J. West, Secure Programming with.
CS 105 “Tour of the Black Holes of Computing” Topics Numeric Encodings Unsigned & Two’s complement Programming Implications C promotion rules Basic operations.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
A data type in a programming language is a set of data with values having predefined characteristics.data The language usually specifies:  the range.
CS426Fall 2010/Lecture 141 Computer Security CS 426 Lecture 14 Software Vulnerabilities: Format String and Integer Overflow Vulnerabilities.
C is a high level language (HLL)
09/03/20161 Information Representation Two’s Complement & Binary Arithmetic.
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
Announcements Assignment 2 Out Today Quiz today - so I need to shut up at 4:25 1.
Lecture 4: Representing Negative Numbers CS 2011 Spring 2016, Dr. Rozier.
CSC 482/582: Computer Security
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Content Coverity Static Analysis Use cases of Coverity Examples
Sabrina Wilkes-Morris CSCE 548 Student Presentation
Bride of Buffer Overflow
Chapter 6 CS 3370 – C++ Functions.
Udaya Shyama Pallathadka Ganapathi Bhat CSCE 548 Student Presentation
CSC 482/582: Computer Security
Module 30 (Unix/Linux Security Issues II)
This Week: Integers Integers Summary
Instructor: David Ferry
CHAPTER 4: Representing Integer Data
CS1010 Programming Methodology
Secure Coding Rules for C++ Copyright © Curt Hill
High Coverage Detection of Input-Related Security Faults
Chapter 1 C for Embedded Systems.
Chapter 1 C for Embedded Systems.
Bride of Buffer Overflow
Representing Information (2)
Secure Coding in C and C++ Integer Security
Representing Information (2)
C Security Pre Function
Bits, Bytes, and Integers Part 2 3rd Lectures
Summary of what we learned yesterday
Computer Organization COMP 210
Operations and Arithmetic
Testing & Security Dr. X.
Presentation transcript:

Integer Overflows James Walden Northern Kentucky University

CSC 666: Secure Software Engineering Topics 1.Computer Integers 2.Integers in C and Java 3.Overflow Examples 4.Checking for Overflows

CSC 666: Secure Software Engineering Comair Integer Overflow December 25, 2004 Flight crew scheduling software stopped. Cancelled all 1100 flights that day. What happened? Winter weather led to many crew changes. Number of changes > 32,767.

CSC 666: Secure Software Engineering Integers Computer integers are not the same set of numbers as mathematical integers.  Finite set, not infinite.  What happens when integer calculations result in a number outside that set?

CSC 666: Secure Software Engineering Unsigned Integers

CSC 666: Secure Software Engineering Two’s Complement Two’s complement = One’s complement + 1. Sign is represented by most significant bit. Range: -2 n-1..2 n-1 -1, only one representation of Comp

CSC 666: Secure Software Engineering Two’s Complement

CSC 666: Secure Software Engineering C Integers TypeBitsMin ValueMax Value signed char unsigned char80255 short unsigned short int32-2,147,483,6482,147,483,647 unsigned int3204,294,967,295 long32-2,147,483,6482,147,483,647 unsigned long3204,294,967,295 long x x unsigned long long x 10 19

CSC 666: Secure Software Engineering Java Integers TypeBitsMin ValueMax Value byte short char int32-2,147,483,6482,147,483,647 long x x 10 18

CSC 666: Secure Software Engineering Java Factorial Program public static void main(String args[]) { long product = 1; for(int i = 1; i <= 21; i++) { System.out.print(i); System.out.print("! = "); product *= i; System.out.println(product); }

CSC 666: Secure Software Engineering Output 1! = 1 2! = 2 3! = 6 …. 20! = ! =

CSC 666: Secure Software Engineering Java BigInteger Class import java.math.BigInteger; public class BigFactorials { public static void main(String args[]) { BigInteger product = BigInteger.ONE; BigInteger index = BigInteger.ONE; for(int i = 1; i <= 21; i++) { System.out.print(i); System.out.print("! = "); product = product.multiply(index); System.out.println(product); index = index.add(BigInteger.ONE); }

CSC 666: Secure Software Engineering Output 1! = 1 2! = 2 3! = 6 …. 20! = ! =

CSC 666: Secure Software Engineering Problems of Integer Overflows Difficult to detect after they’ve happened. –Compilers generally ignore them. –Assembly code can check carry flag, but high level languages can’t without calling assembly code. Difficult to avoid. –Subtle bugs can result in integer overflows.

CSC 666: Secure Software Engineering Integer Overflows in Voting Broward County 2004 election Amendment 4 vote was reported as tied. Software from ES&S Systems reported a large negative number of votes. Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.

CSC 666: Secure Software Engineering TKADV Integer overflows in Amarok media player.  Reads input size + input from file.  Allocates input size + 1 bytes, which can be very small.  Reads file data into very small buffer, leading to a buffer overflow.

CSC 666: Secure Software Engineering Strip Extension void StripExtension(char * filename) { unsigned short int newSize = strlen(filename) - 4; char * buffer = (char *)malloc(newSize + 1); strncpy(buffer, filename, newSize); buffer[newSize] = ‘\0’; printf(“%s”, buffer); free(buffer); }

CSC 666: Secure Software Engineering Valid Use What would happen if StripExtension were called as follows? StripExtension(“a.txt”);

CSC 666: Secure Software Engineering Invalid Use What would happen if StripExtension were called as follows? // User failed to include the extension. StripExtension(“a”);

CSC 666: Secure Software Engineering Answer  newSize = 0xffffd = (1 minus 4) = -3  newSize is an unsigned short integer  This value is  The function creates a byte buffer.

CSC 666: Secure Software Engineering Unsigned Addition An unsigned addition unsigned int x, y, sum; sum = x + y; Precondition if( x > UINT_MAX – y) /* error */ Postcondition if( (x >= 0 && sum y) ) /* error */

CSC 666: Secure Software Engineering Signed Addition Preconditions xyPrecondition Positive if (x > INT_MAX – y) /* error */ PositiveNegativeNone NegativePositiveNone Negative if (x < INT_MIN – y) /* error */

CSC 666: Secure Software Engineering Integer Multiplication Overflow CESA : libpng info_ptr->row_pointers = (png_bytepp)png_malloc(png_ptr, info_ptr- >height * sizeof(png_bytep)); If height > INT_MAX / sizeof(png_bytep) Size of new buffer will be a small integer. User data in image file can be used to generate a buffer overflow attack.

CSC 666: Secure Software Engineering Widening Conversions A conversion from a type with a smaller range of values to type with a larger range of values. Examples: byte -> short, short -> long Sign extension Propagates signed bit from source type to all unused bits in destination type. Magnitude and sign are preserved.

CSC 666: Secure Software Engineering Widening Conversion Example Source type: byte Value: Destination type: short Value:

CSC 666: Secure Software Engineering Narrowing Conversions Conversions from a wider type to a narrower type. Examples: long -> byte, int -> short Truncation Bits from source type that don’t fit into narrower destination type are discarded. Magnitude and sign may change.

CSC 666: Secure Software Engineering Narrowing Conversion Example Source Type: short Value: Destination Type: byte Value:

CSC 666: Secure Software Engineering Sign Extension Vulnerability CERT CA : bash yy_string_get() reads user data as chars. Each char converted to an int when parsed. A char value of 255 sign extended to int -1. Integer -1 means command separator. Example exploit bash -c 'ls\377who'

CSC 666: Secure Software Engineering Range Checking Check that integer ranges are valid. Be more specific than INT_MIN, INT_MAX. Liquid water temperatures range Use type system to check. Some languages allow integer ranges. Create abstract data types in languages that don’t provide integer range types.

CSC 666: Secure Software Engineering Proposal: Ranged Integers in C All integer types can be ranged. Static: range determined at compile time. Dynamic: range determined at run time. Semantics Saturation: values beyond range = max. Wrap: values wrap to bottom of range. Examples Saturation: int 0|..|100 temperature = 0 Wrap: long min max circular;

CSC 666: Secure Software Engineering Compiler Checks Microsoft VS 2005 CL  Runtime integer error checks: /RTCc  Use highest warning level /W4  Check for #pragma warning(disable, C####) GCC  Runtime integer error checks: -ftrapv  Use integer-relevant warnings: -Wconversion –Wsign-compare  Check for #pragma GCC diagnostic ignored option

CSC 666: Secure Software Engineering Secure Integer Libraries IntegerLib –Designed for C, but usable in C++. –Available from CERT. IntSafe –C library written by Michael Howard. –Uses architecture specific inline assembly. SafeInt –C++ template class from David LeBlanc.

CSC 666: Secure Software Engineering SafeInt C++ Class int main(int argc, char *const *argv) { try { SafeInt s1(strlen(argv[1])); SafeInt s2(strlen(argv[2])); char *buff = (char *) malloc(s1 + s2 + 1); strcpy(buff, argv[1]); strcat(buff, argv[2]); } catch(SafeIntException err) { abort(); }

CSC 666: Secure Software Engineering When to use Secure Int Libraries? Use Secure Integer libraries when Integers come from untrusted sources. Don’t use Secure Integer libraries when Integers not influenced by external sources. Tight loops: check int values before loop.

CSC 666: Secure Software Engineering Integer Overflow: Key Points Integer arithmetic. –Two’s complement format signed ints. –Know your language’s integer conversions. Impact of integer overflows –Can be used to defeat bounds checks. –Influence important data, like vote counts. Mitigating integer overflows. –Precondition or postcondition testing. –Use safe integer libraries where possible.

References 1.Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, Jeff Gennari et. al., Ranged Integers for the C Programming Language. CMU/SEI-2007-TN-027, Michael Howard and David LeBlanc, Writing Secure Code, 2 nd edition, Microsoft Press, Robert C. Seacord, Secure Coding in C and C++, Addison- Wesley, Robert C. Seacord, CERT Secure Coding Standards: Integers, +Integers+(INT), Integers+(INT) 6.John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, David Wheeler, Secure Programming for UNIX and Linux HOWTO, Programs-HOWTO/index.html, Programs-HOWTO/index.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.