Difference between revisions of "Integer Overflows/Underflows"

From OWASP
Jump to: navigation, search
m (Related Controls)
(Reverting to last version not containing links to s1.shard.jp)
 
(29 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Template:Attack}}
+
{{template:CandidateForDeletion}}
 +
 
 +
#REDIRECT [[Integer_overflow]]
 +
 
 +
 
 +
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 
 +
<br>
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
  
 
==Description==
 
==Description==
  
Integer overflow belongs to a logic errors family. It occurs when given range of int (integer)
+
Integer overflow belongs to a logic errors family. It occurs when a given range of int (integer)
type numbers is overflowed due to arithmetic operations. Generally there are only two operations,
+
type numbers is overflowed due to arithmetic operations. Generally there are only two operations
which causes these kind of errors - addition and multiplication.
+
which cause these kind of errors - addition and multiplication.
 +
 
  
  
 +
==Risk Factors==
 +
TBD
  
 
==Examples==
 
==Examples==
  
Example 1 (add)
+
Example 1 (addition)
 
<pre>
 
<pre>
 
rezos@bezel ~/labs/integer $ cat add.c
 
rezos@bezel ~/labs/integer $ cat add.c
Line 72: Line 81:
 
Segmentation fault
 
Segmentation fault
 
</pre>
 
</pre>
The program should write "z" value into the array of pointers and then print it out.
+
The program should write a "z" value into the array of pointers and then print it out.
With specially selected array size (number of its elements) it's possible to use
+
With a specially selected array size (number of its elements) it's possible to use an
 
integer overflow error to overflow the array "tab".
 
integer overflow error to overflow the array "tab".
  
Below example should explain why it does happen.
+
The example below explains why it happens.
 
<pre>
 
<pre>
 
rezos@bezel ~/labs/integer $ cat multi.c
 
rezos@bezel ~/labs/integer $ cat multi.c
Line 87: Line 96:
 
}
 
}
 
</pre>
 
</pre>
In this program we multiplicate 1073741824 * 4 because of sizeof(char *) will return 4.
+
In this program we multiply 1073741824 * 4 because sizeof(char *) will return 4.
 
<pre>
 
<pre>
 
rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
 
rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
Line 93: Line 102:
 
multi.c:6: warning: integer overflow in expression
 
multi.c:6: warning: integer overflow in expression
 
</pre>
 
</pre>
The compiler at this stage warn us, that in the program occurs expression, which cause an
+
The compiler warns us that the program contains an expression which causes an
integer overflow. To make sure what the result of the multiplacation will be:
+
integer overflow. To make sure what the result of the multiplication will be:
 
<pre>
 
<pre>
 
rezos@bezel ~/labs/integer $ ./multi
 
rezos@bezel ~/labs/integer $ ./multi
Line 102: Line 111:
 
and that will allow for overwriting memory segments on the heap.
 
and that will allow for overwriting memory segments on the heap.
  
Memory allocation with negative value may cause in fact allocation of very small or very big
+
Memory allocation with a negative value may cause allocation of very small or very big
 
memory segments depending on the implementation of the *alloc() functions. Integer overflow
 
memory segments depending on the implementation of the *alloc() functions. Integer overflow
 
errors may also lead to the situation where condition statements, which are supposed to check buffers
 
errors may also lead to the situation where condition statements, which are supposed to check buffers
 
boundaries, are omitted.
 
boundaries, are omitted.
  
Integer overflow errors are not always a threat themselves. However they provide very often
+
Integer overflow errors are not always a threat themselves. However they provide the
possibility to overwrite or to read memory content beyond boudries of the buffers. For instance
+
possibility to overwrite or to read memory content beyond boudries of the buffers, for example
 
during buffer indexing.
 
during buffer indexing.
  
 
==Related [[Threat Agents]]==
 
==Related [[Threat Agents]]==
 
+
* [[internal software developer]]
*[[:Category:Command Execution]]
+
* [[contractors]]
 
+
  
 
==Related [[Attacks]]==
 
==Related [[Attacks]]==
 
+
* [[Buffer overflow]]
*[[buffer overflow]]
+
*[[stack overflow attack]]
+
*[[heap overflow attack]]
+
 
+
  
 
==Related [[Vulnerabilities]]==
 
==Related [[Vulnerabilities]]==
 
+
* [[Integer overflow]]
*[[Integer_Overflow]]
+
* [[Stack overflow]]
 
+
* [[Heap overflow]]
  
 
==Related [[Controls]]==
 
==Related [[Controls]]==
 
 
* Use programming language and/or compiler, which will check the buffers boundries and their indexes.
 
* Use programming language and/or compiler, which will check the buffers boundries and their indexes.
 
* Use libraries, which provides API for arithmetic operations (e.g. safe_iop[http://code.google.com/p/safe-iop], IntegerLib[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=14811284])
 
* Use libraries, which provides API for arithmetic operations (e.g. safe_iop[http://code.google.com/p/safe-iop], IntegerLib[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=14811284])
Line 135: Line 138:
  
 
==References==
 
==References==
 +
* http://shalb.com/kb/entry/12/
  
  
 
[[Category:Data Structure Attacks]]
 
[[Category:Attack]]
 
  
 
__NOTOC__
 
__NOTOC__

Latest revision as of 07:50, 3 June 2009


This page was marked to be reviewed for deletion.


#REDIRECT Integer_overflow


Last revision: 06/3/2009



Description

Integer overflow belongs to a logic errors family. It occurs when a given range of int (integer) type numbers is overflowed due to arithmetic operations. Generally there are only two operations which cause these kind of errors - addition and multiplication.


Risk Factors

TBD

Examples

Example 1 (addition)

rezos@bezel ~/labs/integer $ cat add.c
#include <stdio.h>
#include <limits.h>

int main(void)
{
 int a;

//  a=2147483647;
 a=INT_MAX;

 printf("int a (INT_MAX) = %d (0x%x), int a (INT_MAX) + 1 = %d (0x%x)\n", a,a,a+1,a+1);

 return 0;
}

rezos@bezel ~/labs/integer $ ./add
int a (INT_MAX) = 2147483647 (0x7fffffff), int a (INT_MAX) + 1 = -2147483648 (0x80000000)

By adding 1 to the biggest possible signed (+ or -) integer value we overwrite the sign bit. In short, by adding two positive numbers we get one big negative number.


Example 2 (multiplication)

rezos@bezel ~/labs/integer $ cat multiplication.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
 int i, j, z=0x00000001;
 char *tab;

 if(argc<2) _exit(1);

 i=atoi(argv[1]);

 if(i>0) {
   tab = malloc(i * sizeof(char *));
   if(tab == NULL) _exit(2);
 }

 for(j=0; j<i; j++)
   tab[j]=z++;

 for(j=0; j<i; j++)
   printf("tab[j]=0x%x\n", tab[j]);

 return 0;
}

rezos@bezel ~/labs/integer $ ./multiplication 1073741824
Segmentation fault

The program should write a "z" value into the array of pointers and then print it out. With a specially selected array size (number of its elements) it's possible to use an integer overflow error to overflow the array "tab".

The example below explains why it happens.

rezos@bezel ~/labs/integer $ cat multi.c
#include <stdio.h>

int main(void)
{
 printf ("1073741824 *4 = %d\n", 1073741824 * 4);
 return 0;
}

In this program we multiply 1073741824 * 4 because sizeof(char *) will return 4.

rezos@bezel ~/labs/integer $ gcc -ggdb multi.c -o multi
multi.c: In function 'main':
multi.c:6: warning: integer overflow in expression

The compiler warns us that the program contains an expression which causes an integer overflow. To make sure what the result of the multiplication will be:

rezos@bezel ~/labs/integer $ ./multi
1073741824 *4 = 0

malloc(0) (in the main example) will allocate memory with size 0 correctly(poprawnie)/successfully(z powodzeniem), and that will allow for overwriting memory segments on the heap.

Memory allocation with a negative value may cause allocation of very small or very big memory segments depending on the implementation of the *alloc() functions. Integer overflow errors may also lead to the situation where condition statements, which are supposed to check buffers boundaries, are omitted.

Integer overflow errors are not always a threat themselves. However they provide the possibility to overwrite or to read memory content beyond boudries of the buffers, for example during buffer indexing.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

  • Use programming language and/or compiler, which will check the buffers boundries and their indexes.
  • Use libraries, which provides API for arithmetic operations (e.g. safe_iop[1], IntegerLib[2])
  • Check results of the arithmetic operations, which used integer numbers and compare them with the expected values.

References