How to Defend Against Deadly Integer Overflow Attacks
A hack on software integer overflow defects poses two serious risk problems: it reflects an obvious security threat and signifies a setback to software's overall quality. Through static testing, software programmers have the ability to be more accountable for driving software integrity by eliminating challenging integer overflow defects in their software. Here, Knowledge Center contributor Sumant Kowshik explains how to defend against deadly, hard-to-find integer overflow defects that hackers can exploit.It is impossible today to escape the drumbeat of successful, malicious attacks reported in the media and on the Internet. As software developers, ensuring the integrity of our code requires constant vigilance and discipline. The situation we find software in today is similar to the pressure physical currency has been under for decades, but with one important exception: with currency, governments continually innovate new technology to make counterfeiting more difficult for criminals. But with software, criminals continually innovate new means to assault our code. Of all the attacks directed at source code, integer overflows are one of the most pernicious. These potential exploits can easily lurk in your software because the conditions for triggering them are rarely, if ever, exercised by conventional test suites. These vulnerabilities are prime targets for hackers looking for points of infiltration.
Generally speaking, an integer overflows occurs when an unchecked add, subtract or multiply operation that looks innocuous to a programmer is pushed to its limits by special inputs crafted by a malicious user. When executed successfully, the result of the integer overflow can be a compromised system or denial of service. Because of the high cost of integer overflow exploits, programmers must find a way to pinpoint these vulnerabilities and eliminate them prior to the release of your code.