How to Defend Against Deadly Integer Overflow Attacks

By Sumant Kowshik  |  Posted 2009-02-17 Print this article Print

A hack on software integer overflow defects poses two serious risk problems: it reflects an obvious security threat and signifies a setback to software's overall quality. Through static testing, software programmers have the ability to be more accountable for driving software integrity by eliminating challenging integer overflow defects in their software. Here, Knowledge Center contributor Sumant Kowshik explains how to defend against deadly, hard-to-find integer overflow defects that hackers can exploit.

It is impossible today to escape the drumbeat of successful, malicious attacks reported in the media and on the Internet. As software developers, ensuring the integrity of our code requires constant vigilance and discipline. The situation we find software in today is similar to the pressure physical currency has been under for decades, but with one important exception: with currency, governments continually innovate new technology to make counterfeiting more difficult for criminals. But with software, criminals continually innovate new means to assault our code.

Of all the attacks directed at source code, integer overflows are one of the most pernicious. These potential exploits can easily lurk in your software because the conditions for triggering them are rarely, if ever, exercised by conventional test suites. These vulnerabilities are prime targets for hackers looking for points of infiltration.

Generally speaking, an integer overflows occurs when an unchecked add, subtract or multiply operation that looks innocuous to a programmer is pushed to its limits by special inputs crafted by a malicious user. When executed successfully, the result of the integer overflow can be a compromised system or denial of service. Because of the high cost of integer overflow exploits, programmers must find a way to pinpoint these vulnerabilities and eliminate them prior to the release of your code.

The defensive solution to avoid these vulnerabilities in code is to perform a bounds check on every value that is user-modifiable before using it in an arithmetic operation. However, for most applications, this would be an onerous task, as a user-supplied value can propagate across multiple function call boundaries to program points where the source of a value in an arithmetic operation is unclear.

Static analysis-based tools are useful aids in checking programs for these vulnerabilities. However, given the nature of the problem, the static analysis tool should be able to track values accurately across true inter-procedural paths. Recently, SAT-based analyses have demonstrated the capacity to perform the analysis required to detect integer overflow vulnerabilities, and programmers need to ensure code is protected. The bit-accurate representation of data and control flow using SAT constraints, coupled with SAT solvers, ensure that the tools report potential vulnerabilities while maintaining a small rate of false alarms.

Dr. Sumant Kowshick is a static analysis expert and Coverity Engineer. Sumant is involved in the research and engineering of many aspects of Coverity's C/C++ static analysis. Most recently, Sumant co-invented and developed the first commercial SAT-based analysis, which received several industry awards for being one of the best innovations in embedded system tools. More generally, Sumant is broadly interested in the problem of building dependable and secure software. Prior to joining Coverity, Sumant got his PhD in Computer Science from the University of Illinois at Urbana-Champaign, and a B.Tech in Computer Science from The Indian Institute of Technology, Madras, India. He can be reached at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel