integer overflows james walden northern kentucky university
Post on 19-Dec-2015
227 views
TRANSCRIPT
CSC 666: Secure Software Engineering
Topics
1. Computer Integers
2. Integers in C and Java
3. Overflow Examples
4. Checking for Overflows
CSC 666: Secure Software Engineering
Comair Integer Overflow
December 25, 2004Flight crew scheduling software stopped.
Cancelled all 1100 flights that day.
What happened?Winter weather led to many crew changes.
Number of changes > 32,767.
CSC 666: Secure Software Engineering
Integers
Computer integers are not the same set of numbers as mathematical integers.
Finite set, not infinite. What happens when integer calculations
result in a number outside that set?
CSC 666: Secure Software Engineering
Unsigned Integers
000
001
010
011
100
101
110
111
0
1
2
3
4
5
6
7
CSC 666: Secure Software Engineering
Two’s Complement
Two’s complement = One’s complement + 1.Sign is represented by most significant bit.Range: -2n-1..2n-1-1, only one representation of 0.
+75 0 1 0 0 1 0 1 1
Comp
1 0 1 1 0 1 0 0
+1 0 0 0 0 0 0 0 1
-75 1 0 1 1 0 1 0 1
CSC 666: Secure Software Engineering
Two’s Complement
000
001
010
011
100
101
110
111
0
1
2
3
-4
-3
-2
-1
CSC 666: Secure Software Engineering
C Integers
Type Bits Min Value Max Value
signed char 8 -128 127
unsigned char 8 0 255
short 16 -32768 32767
unsigned short 16 0 65535
int 32 -2,147,483,648 2,147,483,647
unsigned int 32 0 4,294,967,295
long 32 -2,147,483,648 2,147,483,647
unsigned long 32 0 4,294,967,295
long long 64 -9.223 x 1018 9.223 x 1018
unsigned long long 64 0 1.844 x 1019
CSC 666: Secure Software Engineering
Java Integers
Type Bits Min Value Max Value
byte 8 -128 127
short 16 -32768 32767
char 16 0 65535
int 32 -2,147,483,648 2,147,483,647
long 64 -9.223 x 1018 9.223 x 1018
CSC 666: Secure Software Engineering
Java Factorial Programpublic static void main(String args[]){
long product = 1;for(int i = 1; i <= 21; i++){
System.out.print(i);System.out.print("! = ");product *= i;System.out.println(product);
}}
CSC 666: Secure Software Engineering
Output
1! = 1
2! = 2
3! = 6
….
20! = 2432902008176640000
21! = -4249290049419214848
CSC 666: Secure Software Engineering
Java BigInteger Classimport java.math.BigInteger;public class BigFactorials{
public static void main(String args[]){
BigInteger product = BigInteger.ONE;BigInteger index = BigInteger.ONE;
for(int i = 1; i <= 21; i++){
System.out.print(i);System.out.print("! = ");product = product.multiply(index);System.out.println(product);index = index.add(BigInteger.ONE);
}}
}
CSC 666: Secure Software Engineering
Output
1! = 1
2! = 2
3! = 6
….
20! = 2432902008176640000
21! = -4249290049419214848
CSC 666: Secure Software Engineering
Problems of Integer Overflows
Difficult to detect after they’ve happened.– Compilers generally ignore them.– Assembly code can check carry flag, but high
level languages can’t without calling assembly code.
Difficult to avoid.– Subtle bugs can result in integer overflows.
CSC 666: Secure Software Engineering
Integer Overflows in Voting
Broward County 2004 electionAmendment 4 vote was reported as tied.
Software from ES&S Systems reported a large negative number of votes.
Discovery revealed that Amendment 4 had passed by a margin of over 60,000 votes.
CSC 666: Secure Software Engineering
TKADV2009-002
Integer overflows in Amarok media player. Reads input size + input from file. Allocates input size + 1 bytes, which can be
very small. Reads file data into very small buffer, leading
to a buffer overflow.
CSC 666: Secure Software Engineering
Strip Extension
void StripExtension(char * filename){
unsigned short int newSize = strlen(filename) - 4;char * buffer = (char *)malloc(newSize + 1);strncpy(buffer, filename, newSize);buffer[newSize] = ‘\0’;printf(“%s”, buffer);free(buffer);
}
CSC 666: Secure Software Engineering
Valid Use
What would happen if StripExtension were called as follows?
StripExtension(“a.txt”);
CSC 666: Secure Software Engineering
Invalid Use
What would happen if StripExtension were called as follows?
// User failed to include the extension.
StripExtension(“a”);
CSC 666: Secure Software Engineering
Answer
newSize = 0xffffd = (1 minus 4) = -3 newSize is an unsigned short integer This value is 65533. The function creates a 65534-byte buffer.
CSC 666: Secure Software Engineering
Unsigned Addition
An unsigned additionunsigned int x, y, sum;
sum = x + y;
Preconditionif( x > UINT_MAX – y) /* error */
Postconditionif( (x >= 0 && sum < y) || (x < 0 && sum > y) )
/* error */
CSC 666: Secure Software Engineering
Signed Addition Preconditions
x y Precondition
Positive Positive if (x > INT_MAX – y) /* error */
Positive Negative None
Negative Positive None
Negative Negative if (x < INT_MIN – y) /* error */
CSC 666: Secure Software Engineering
Integer Multiplication Overflow
CESA-2004-001: libpnginfo_ptr->row_pointers =
(png_bytepp)png_malloc(png_ptr, info_ptr->height * sizeof(png_bytep));
If height > INT_MAX / sizeof(png_bytep)Size of new buffer will be a small integer.
User data in image file can be used to generate a buffer overflow attack.
CSC 666: Secure Software Engineering
Widening Conversions
A conversion from a type with a smaller range of values to type with a larger range of values.
Examples: byte -> short, short -> long
Sign extensionPropagates signed bit from source type to all unused bits in destination type.
Magnitude and sign are preserved.
CSC 666: Secure Software Engineering
Widening Conversion Example
Source type: byte
Value: -7
1 1 1 1 1 0 0 1
Destination type: short
Value: -7
1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 1
CSC 666: Secure Software Engineering
Narrowing Conversions
Conversions from a wider type to a narrower type.
Examples: long -> byte, int -> short
TruncationBits from source type that don’t fit into narrower destination type are discarded.
Magnitude and sign may change.
CSC 666: Secure Software Engineering
Narrowing Conversion Example
Source Type: short
Value: 257
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1
Destination Type: byte
Value:1
0 0 0 0 0 0 0 1
CSC 666: Secure Software Engineering
Sign Extension Vulnerability
CERT CA-1996-22: bashyy_string_get() reads user data as chars.
Each char converted to an int when parsed.
A char value of 255 sign extended to int -1.
Integer -1 means command separator.
Example exploitbash -c 'ls\377who'
CSC 666: Secure Software Engineering
Range Checking
Check that integer ranges are valid.Be more specific than INT_MIN, INT_MAX.
Liquid water temperatures range 0..100.
Use type system to check.Some languages allow integer ranges.
Create abstract data types in languages that don’t provide integer range types.
CSC 666: Secure Software Engineering
Proposal: Ranged Integers in C
All integer types can be ranged.Static: range determined at compile time.
Dynamic: range determined at run time.
SemanticsSaturation: values beyond range = max.
Wrap: values wrap to bottom of range.
ExamplesSaturation: int 0|..|100 temperature = 0
Wrap: long min<..>max circular;
CSC 666: Secure Software Engineering
Compiler Checks
Microsoft VS 2005 CL Runtime integer error checks: /RTCc Use highest warning level /W4 Check for #pragma warning(disable, C####)
GCC Runtime integer error checks: -ftrapv Use integer-relevant warnings: -Wconversion
–Wsign-compare Check for #pragma GCC diagnostic ignored
option
CSC 666: Secure Software Engineering
Secure Integer Libraries
IntegerLib– Designed for C, but usable in C++.– Available from CERT.
IntSafe– C library written by Michael Howard.– Uses architecture specific inline assembly.
SafeInt– C++ template class from David LeBlanc.
CSC 666: Secure Software Engineering
SafeInt<T> C++ Class
int main(int argc, char *const *argv) {try {
SafeInt<unsigned long> s1(strlen(argv[1]));SafeInt<unsigned long> s2(strlen(argv[2])); char *buff = (char *) malloc(s1 + s2 + 1);strcpy(buff, argv[1]);
strcat(buff, argv[2]);} catch(SafeIntException err) {
abort(); }}
CSC 666: Secure Software Engineering
When to use Secure Int Libraries?
Use Secure Integer libraries whenIntegers come from untrusted sources.
Don’t use Secure Integer libraries whenIntegers not influenced by external sources.
Tight loops: check int values before loop.
CSC 666: Secure Software Engineering
Integer Overflow: Key Points
Integer arithmetic.– Two’s complement format signed ints.– Know your language’s integer conversions.
Impact of integer overflows– Can be used to defeat bounds checks.– Influence important data, like vote counts.
Mitigating integer overflows.– Precondition or postcondition testing.– Use safe integer libraries where possible.
References
1. Brian Chess and Jacob West, Secure Programming with Static Analysis, Addison-Wesley, 2007.
2. Jeff Gennari et. al., Ranged Integers for the C Programming Language. CMU/SEI-2007-TN-027, 2007.
3. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
4. Robert C. Seacord, Secure Coding in C and C++, Addison-Wesley, 2006.
5. Robert C. Seacord, CERT Secure Coding Standards: Integers, https://www.securecoding.cert.org/confluence/display/seccode/04.+Integers+(INT), 2009.
6. John Viega and Gary McGraw, Building Secure Software, Addison-Wesley, 2002.
7. David Wheeler, Secure Programming for UNIX and Linux HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html, 2003.