Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Integer Overflows Add Up to Real Security Problems



 By: Larry Seltzer
2004-03-11
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Integer Overflows Add Up to Real Security Problems
  2. ' How Integer Errors are '

Rate This Article:
Poor Best
Integer Overflows Add Up to Real Security Problems
( Page 1 of 2 )

How can a security hole occur in software just by adding two numbers together? "Integer overflows" are the hot topic in vulnerability nowadays and Security Center Editor Larry Seltzer describes in detail how it happens.Most security vulnerabilities are software bugs—in the strict sense of the word. And most of these bugs would be considered innocuous, perhaps in an environment where people arent trying to break the program. But then, we come to the Internet.

The most famous class of such bugs is the buffer overflow, by now the kind of term that makes it into your local paper when another Windows flaw makes the news. But in recent years a new type of vulnerability is being exploited more frequently: Integer manipulation bugs.

Not all integer manipulation bugs are integer overflows—some of them are underflows. Still, the class of error is usually referred to generically as overflows.

The basic problem is that integers in computers have a finite range. For instance, the rage of a signed 16-bit integer is -32767 to 32767.

Resource Library:
What happens if arithmetic moves the value out of that range? The number could easily turn out to be massively larger or smaller than the expectation of the programs logic. Another example is a number that turns out to be negative instead of positive, changing the result of an "if (a<b)" comparison from what it was originally designed to be.

And then there are errors relating to the effects of integer promotion. When operations are made on integers of different sizes, say a short and a long, the smaller one is promoted temporarily to the larger size, and the result is potentially truncated back to the smaller size.

So what can go wrong just because a number is not what it should be? Some of those numbers are used for important stuff.

Consider this example (lifted without permission from Michael Howards excellent article on MSDN: Reviewing Code For Integer Manipulation Vulnerabilities): 

	bool func(size_t cbSize) {
	   if (cbSize < 1024) {
	      // we never deal with a string trailing null
	      char *buf = new char[cbSize-1];
	      memset(buf,0,cbSize-1);

	      // do stuff

	      delete [] buf;

	      return true;
	   } else {
	      return false;
	   }
	}

For the non-C coders out there, this function tests to see whether the variable cbSize is less than 1024, allocates it and then zeros out a buffer of cbSize-1 bytes, and then deletes it.

The program carefully checks to make sure the number isnt too big, but what if its too small?

We can see that size_t is unsigned, so it cant become negative, but it can get to be zero. When you subtract 1 from it, the value 0 wraps around to the 32-bit value 0xFFFFFFFF.

Oops—you just allocated a 4GB block of memory, and unhappily, HAL wont be opening the pod bay door.

Next Page: How Integer Errors are Exploited





  Reader Comments: Integer Overflows Add Up to Real Security Problems
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}RȲ1P9k^Y_; k'NCʶYҒd3g~q~|ɬ*|6=={7 Uw?H9wur5g6%SE]"I͝{C(~p(IFA)v@{iFu;A&pTwd>J`OS;SM Ɠ5Y1 |+[S}LF6\3Ѣb >I= ¹MJDERzGEQ=-Dm:\'w*GUnSpca_ʞ0HYɼM"h4"j>vn3 w2`~|%k`Tx>? C5CUVekF֠}luy!l 1#o ݿ!Hݤo޸@d`jId:@:",C63!p55\ap)zHZ6tG-#HPN$=+AbArxưcIH|6XB¼'@=:tQV _սyo@סn܍}wdo&a-wQKw T6'>6L( |HCɤ:ZdQ}9e, f4öCCٰ5RrXJyy/^yxx(>X>-\hwF}sj_.;gW~`hv4򺮕}u=Ms^_wD_j0QEVKi/ ZHWP u.kzQҏ[-_ Kj%٥~hY̞ofV҈ gUUY:bni_Wם^gGם)7f٘Y^ jiUd\]1-U5m{#krҾ{ ܙOtHM Wh:s0N/z 6O|nx8=kh`cR^ٗ{dNOWm2 ᭫GcRdt,'Yu'P[,/ RrZ~DX*,>Ja͢4-I` o$SNE ;- uvPy۬ MZ!rƒ) uK_3Q8nZK}0[RFp&\ ДQCלذ 1"%hJyOՋ"}Et"Aͩ4 (J!b^3E !\J!=! g|8Jn.b? [Z&чfmٜ҅%]WcLQcL .Cuv}BzW^?]{և6LqJjhX.B2iKB0qkꛛZ'_@r /*r[h 2ud8԰1nґ>âxgtA`:)ҧ!>RӚMCqRO#Gs>H2胎6mb8-" ,70}HOqI 4wX(|}ZcOg6/|\a֔^탉i$>6(Z\?`c VC@B랂9׿ޚB"Qފҡ4aqj =*~3=w}   @lߣ5#~[-[Z6x O͙A }(~9-WRC/0""D% R h4AGEBENA7gw$]Vi+RaD4T*nOu$cwV*2ڹLX)gQY,p[/)͙J2d0U Q򍜘=b`&Qea*0pRx5Vn,`oʡW鐦 2,XCtH{4l` [NHNt0iH\UNa9熳a\9:<f335g{80q}`] k9tݴyBSˁ2&$vTD>L˄Fr&6=g=϶Y$tuK\w;u`|d:Nk'hm7?x@O-\nb4դ/4뼜3?rGֶ-o + jJ=WsFA|5 i!sL&Ze on<Gy5&㓫(\=PӔf+b*q (> tP\O &ō4)BЊO}=?ٲJb-Yֽ$Uv/KƠR. B[+Ҟ K rL%kZԕ1%/D4$"] `}.EOqHLl-m7@=p=F0_ܰ큡K*+ &G,mk9^a5sV@6@@7hM TlVCax5ZǮAwmrsAz?{vl.>q *l|2ː 7q'JkX"lM M=t%<42.|O\V,'0sgеSҝa|ia;m/ eKKZQ>Om V!҇DD+ه0`,E=_GMR^ z0i\W+JIUӤck@Lf2,rGmAu،;s<}Zj\X,>9R>5 < đOT׃RUaT(j];12­q͝a&1 DR)Ö1Swhi'T'咢TS< ֚pDr@uߘ@g>Аah"pHEAxZkhp\@U.)L-9Iz  [ hg [QznSCz+ `RI?I BL!2B3ݧ==1g匬~`" lRPZUU+òZp~W`q,(xO?b5xh/Op{/Ne6ZORz7gn-%WGשUXT8ᄱe1_0kfW S#sq_TҔWDF(/9 .KTNjZ|jVQ=/YQSfca "+0fjאj}lݤS*'Ș-qVCYw7亢#݀ޝnF+ F `(0ff{B; P{I-~O9b:skh豸< QB|7F8b&aj4X[ ↪%}g{oR64F@2<"C8\vl:ӁZFB -Қ8k*zc_7)~(zC9km{~>sTU]~T'-FRV%~틨II#G"ZAY_Mkɒ8khs)p B0_\PF.^%R2i$yF(%!%KOPlXC=B3tMnio[k21簤v ˽'jD@KYJ7eNV*\%T/IjEtn:0ȘُYD[^:L&rOfss]``On;ܝ90F4H jYʠ5ZV-~#0Lpĵ)$jQç,D,t2jUk`Wɠ< j;!$|{W !&1ǷWXL\tKO%EDOCVi&gX&J*6ǟM1݋{G=L _BQ`о(&ю pmOɪO@T #NEw%]w)il{ٗN[OxDŽst'_u{~{y@DyYqKKxiïRXD\>h-6:%5>6 `i8~{H(&}ׇ́{5geUsA0lg~hy+ @4+G~{!\?t.ŗlk~w.R ~J`&!upyU4*$yup|hq\36MF1SW5!g62l&ik-,ҽ>i_sfiZ ^/k=W17U8\F`vYF_aݪ,d"0!&*tzȃ}E9ǀzB*q]>G:Ky6P^S(+RJ"4FYO |Ng <@9FWhYɉڎB>}YVS\ |~nFџ`m e܃*WVz[k'tnH|I NAN:os_,ĨC9r 7{KP -Muodb&ubNL5W"v=O?G0 cdQ(S1|$-zbeanKlx0eR蔈'='C8 z>RB'Դ5˓4/iY(Eqjhdꒈ~~(i&'ءXԛ].7'8 $O kzisq/Rsa%yt42kEe85(~uMHmQFiI g֢Ѭ]}+ ɏh8=Na.< _,wuϏ5m_w|G:Q'-gFq?Iȸt2Ti\'3X6 w{ѺB ?݁C5#ᛷ 6n2'|2J$hﭱ~QE V7N{m,da}?H+Fyc(!OKSiϑ٘NBERTUukln(rYpJeOV ;ld+NE$,nP2vAK JG3`ȾqG7bcoJP}|F.=]awQ{]x͞6vYiEU.J\ -"PnǸZY|>O%0)7v}}Q˻b۲mr&c_S Ṃ0V 2U=۵9RIkJ}wLĞ~v*jUyX!jso0T:!u;~T-Xmax;}ң@W%9`Iq8k37KJXwDf@RJ߀7|W7&ׅ*DylN`9*1wchp'"a@‚scוмxL,xlP 7yY% g R*~L0v({P6ɼ1QVȃҷ oA!# &.0.cspeI@vGl++vT;ɒ: nӈӥ6/˵dW\)DSY%Wޮ8WjRC07%oJ5)һ<׋Wd)9IU11{T˙ecP JT5I$K"9Is+'3(*T6eҫkSQ_:SUΥ qR8+U@%gЭ71G Ki(=AsW})_h{NqCIVJbB>Nbz<aD4Gb|&iSc7Da-R)T> jݷY ɳPgF&?qD@*-ic;ě[UߊʒIZySΪ酘+¢q]n>LT7O0$0 a.1jqC,V܊KhCW璾O>Na=$S{لX_4 y S5]%M[,πkgCC)?DZoooo?Y1SKz}e{{jn*ЅG#:Z*%܎RX~ vEdH05„ɷx&@eE8,"`ŶϠw065T2+(EgP6*J,&M}+u1-4EU#t?0A }y/|-K+׶T/X]7p@x [ Z)0H_-4s,&kP6Ws~ ұ;fzL.̹R,mT@y.':a_z tX77!'kPͧ3Kר cz$<"\z!_C#E]?;;G-j_fD)["֟6>/Atyj5n'*l8j , :RrQ6qM]f<I@ah' kP%"ȳ|[rO5A4.RV5&ُnTe kuբ H x4W?_.qcccc_cZ-+կ1l.{K9>>.kzr%g MZ\󻔆08ȶH.^섻Aw9& q&'31[Qs]ZOS 8Ee'=6)Ǯ"Jfad7|$ƽ⊙lE}`LĢhG꨾X/Za(8Eg :ᛒWZ-eFO/|T3/b#-Ѩ#o>I11K= o~{@ q 81q,-D|E|z['AU}>l1d.a+62 1jLl/ul߶?#?:};ozxX2 LG XȟT@SCOE=q>9 CRO⺢ 2ħ,a]ąي_L!̆\oX|J71>B$!i F˞0Iݹa?Ð3{cLZ"_Z1ш@Q>~1&IJE< ,iMmahnϮ0)mDRRiFcc36#|- Q$xφRǠ{=r\11Faŷ^$l;b21#bHchK+D:b)A_.JeEt0 7 cn Q&@Ԕu7SI8n0SN\<7Yef xpƧx} 5tHM< 2BL{kQ.閣FMQpV#ߛ~Sg8 X<ں9Pw>v.Wם~yj0cA湾,Ǜ,# rzٺh3;eFq(M1B*rKxu< /W%Lqx&0q̟E~D(/& ƕ>;[ [ Cup:OOПgg:>/6 5NMo )n}>eЌLjV}QuxS3S+S~ ˏ[xKZNyʻ9'@vN1/?CN?|:Yg}yC:9CL2ϽB^N'(ٮy3>E">"@\9_^E^y79gP~S(GN_^%e\]_O7GtAtsU\W9_\O{99Y_c@M^9w &~P~W{ÿmN9$)gVpv*esS^)4rR}~ )P9PϪ ~2*R@^W~ k{^WKͮ0TntKT쵆cn-:Aba/! c|U$X2M&#(R^>Ȧc˼=>w懴Ixմ] &J2˯-cENz%.~QFxdB$dZc+mFDt9|,y|8SNtw<1 }^1 B8 vt{zUtKn \ x %> #rl=Mp.nm;yx#ֽ2"\;Yo%P/YCIsDgev' AѺ`*O WY-KaaP$П}LExZnamzם'4`/[烫և6{̦d󰡲iʪ9(Ѱ~HWEjorx sG)螩z$_ MW+ 7\xɜ;cvU@7maIP5ZUj;5 #1&Q5YUdN.jUeRL3BAyG l]{̾ZCO3CX)x̺nk %<tluIU|y3 aw8c+x;r$I ?,(sY\FdlO]BfCVyx; V0wjv1R {{[2gډe:`ٔI8SkB#ӄY"D˼nj<@ G!-cx uY<X!ꞠW K'Dr&ߢ)tφ T/AD[e^Yfqǭd<@T6?rqZ:"9<;${)F(V >ܰQaw./ ]@NE]rA;o+ħn3E ~m :o=1I55~ɑ ( V kDF,VmD8O23p{^f$bmXnJGP;==ق|8=;ztF"2 ]3CK~CXxZ Hv2,)Ŗc8/c Id̳~1I>ಓJ_`'cE/'<#41n ݹ]c 6{Nz̄0Qtor ^|X]~uQ쭨F|m)۹b,ӧ6&ٍ۹"=מ X?(xkläd |A«U/=ׇ"2cT =e5t(E,Ma-ăW v,='ID/j˦UM$f@gQl(VxRDN=]szlo()y+J9*نxZ*(sg-@ E/ē_| %σ 8>eCgIrT~{J}*P=gZP;] v"4%Yz'{io=G}c_VeńK!8F1d\*KxrHIhC>~EE~&O `A0^|eD$uЧ FϨnC>XZe.,s(ŬBSd<)OoZ-[$@5E`7CZ24 ^ąخ;Oq^gd9f7 9cHPWWݜ햏 /Xo| 8jO.dzl}π!XsCQ%ɷ` }ݟ-Hˍtd_d%\!d⢳ @WD0;"6ic.KE&(Xp\gAΙَz&gw>G-\/Hxkyf%SWJP'jdV@8̛ m+~HױI$`:Vږ+yL1e~}J<3G(u",@zP`y%K@4zW pS`hwq# 1tVBR(at!L?U)?c5VIٶ7G,cݰ Qa[:6 n ۊ uy˷DM\7'me#FP1W)?%Il} ra|X ^|޹+o=ȉe6뙣]g0^n,eH}+qd.'DI Ik.-wvua4,Lb9"[^'QI 8`RжX3"@a)5BLN7 S 3pRaL (b[и<1rm˘sq9v93E~2㡺_0U9sm j ֺW6xozc|[0XjPtP>9-0$a1+=c-hw͙!׆!0ѕDM1F(ͦ,1f Ax =`#hxb "nh1)d'k%I 'R%la,!r3 Ej F.3R04xqBQəȩ8v}_|JѬd;j +39ʧ3~7ȅ^`\YG7^y{b`!˾tں:!{`gg^vTvQKeÐy6#xL g UjT;IxdMn+:cSEᘸe=WFs(1{l~ )CUs̥D/4^JC\qrx6 }OTar$~XXqg;f†[hx.b&;f1Բo:S` '