8.Integer Overflows


  1. Course 2: Programming Issues, 8: Integer Overflows
     - Pascal Meunier, Ph.D., M.Sc., CISSP
     - April 4, 2006
     - Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
     - Copyright (2004) Purdue Research Foundation. All rights reserved.
  2. Learning objectives
     - Know the internal representation of integers
     - Be able to determine when an integer overflow can occur
     - Understand the consequences of integer overflows
  3. Integers
     - Fixed number of bytes
     - Signed and unsigned
     - Types:
       - Char
         - "char" is different from "unsigned char" and "signed char"
       - Short
       - Int
       - Long
     - Extended types
       - uint_least16_t (integer of at least 16 bits)
       - etc...
  4. Internal Representation
     - Signed Short:
       - -1 is FFFF
       - 32767 is 7FFF
       - -32768 is 8000
     - If a = -32768, what is -a?
     - If a = 32767, what is a+1?
  5. Signed Short Overflows
     - -(-32768) is -32768!
     - 32767 + 1 is 0
  6. Internal Representation, Unsigned
     - Unsigned Short:
       - 65535 is FFFF
       - 0 is 0000
     - If a = 0, what is a-1?
     - If a = 65535, what is a+1?
  7. Unsigned Short Overflows
     - 65535 + 1 = 0!
     - 0 - 1 is 65535
  8. Example Integer Overflow

         size_t free_length; // unsigned
         free_length = (sizeof(buffer1) - 1) - strnlen(buffer1, sizeof(buffer1));
         copy_length = MIN(free_length, strlen(first_string));
         strncat(buffer1, first_string, copy_length);
         printf("Concatenated string: '%s' ", buffer1);

     - Hint: What values can strnlen return?
  9. Silent Signed to Unsigned Conversions
     - No warning, or compiler warning was ignored
     - What happens when you pass a negative number to a function expecting an unsigned integer?
     - void *malloc(size_t size);
  10. Malloc(0) Attack Scenario
      - Overflow in the size calculations can be engineered to allocate no memory
      - Malloc(0) is legal, but returned value OS-dependent
        - Sun: returns pointer to the "arena"
        - Pointer to buffer of size 0, or a minimum size
      - Program happily trashes the arena, or heap
        - "Fandango on core"
  11. Questions or Comments?
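The free_length computation from slide 8, next to a checked form, as an added example that is not part of the original slides. It relies on strnlen returning its maximum argument when no terminator is found; the helper names (free_length_unchecked, free_length_checked, bounded_len, safe_append) and the 8-byte buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's computation: wraps to a huge value when used == cap. */
static size_t free_length_unchecked(size_t cap, size_t used) {
    return (cap - 1) - used;
}

/* Checked form: 0 and *room on success, -1 if the buffer holds no NUL. */
static int free_length_checked(size_t cap, size_t used, size_t *room) {
    if (cap == 0 || used >= cap)
        return -1;
    *room = (cap - 1) - used;
    return 0;
}

/* Same contract as strnlen: returns max when no NUL is found in s[0..max). */
static size_t bounded_len(const char *s, size_t max) {
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Appends at most the free space; returns bytes copied, or -1 on refusal. */
static int safe_append(char *buf, size_t cap, const char *src) {
    size_t used = bounded_len(buf, cap), room, n = strlen(src);
    if (free_length_checked(cap, used, &room) != 0)
        return -1;
    if (n > room)
        n = room;
    memcpy(buf + used, src, n);
    buf[used + n] = '\0';
    return (int)n;
}

int main(void) {
    char full[8];                       /* constructed input: no terminator */
    memset(full, 'A', sizeof full);
    size_t used = bounded_len(full, sizeof full);
    printf("used=%zu unchecked free_length=%zu\n",
           used, free_length_unchecked(sizeof full, used));
    printf("safe_append on unterminated buffer -> %d\n",
           safe_append(full, sizeof full, "xyz"));

    char ok[8] = "abc";
    int n = safe_append(ok, sizeof ok, "defghij");
    printf("copied %d, buffer '%s'\n", n, ok);
    return 0;
}
```

With the unchecked form, MIN(free_length, strlen(first_string)) selects the full source length, so the bound on the copy no longer protects the buffer.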
