CSCE 548: Integer Overflows and the Format String Problem

Arithmetic Operations
- Number system: base (radix), e.g. 724.5 = 7 x 10^2 + 2 x 10^1 + 4 x 10^0 + 5 x 10^-1
- Binary, octal and hexadecimal representation
- Fixed point representation: sign, magnitude, decimal point
- Complements represent negative numbers:
  - r's complement (2's complement in binary)
  - (r-1)'s complement (1's complement in binary)
  - 1's complement of 1010 is 0101
  - 2's complement of 1010 is 0101 + 1 = 0110

Binary Fixed Point
- Positive number: sign bit 0, followed by the magnitude as a positive binary number
- Negative number: sign bit 1, followed by one of:
  - signed magnitude
  - signed 1's complement
  - signed 2's complement
- Example with one sign bit and six magnitude bits:
  +9:                         0 001001
  -9, signed magnitude:       1 001001
  -9, signed 1's complement:  1 110110
  -9, signed 2's complement:  1 110111

Arithmetic Addition
- Adding two signed numbers in sign-magnitude form requires comparing the signs and the relative magnitudes
- Adding signed 2's complement numbers: add the two numbers including their sign bits and discard any carry out on the left
- Examples:
  +6 + (+9) = +15:   0 000110 + 0 001001 = 0 001111
  +6 + (-9) = -3:    0 000110 + 1 110111 = 1 111101

Overflow
- Occurs when two numbers of n digits each are added and the sum occupies n+1 digits
- True for binary or decimal numbers, signed or unsigned
- Cannot occur after an addition if one number is positive and the other is negative
- In sign-magnitude representation, overflow is detected by the carry out of the magnitude bits
- In 2's complement addition the sign is treated as part of the number, so the carry out on its own does not indicate overflow
- Why overflow is a problem: registers have a fixed size
- Most computers check for register overflow with an overflow flip-flop

C/C++ Data Types
- Source: http://hubpages.com/hub/Data-Types-in-C-Language

Type Casting
- Converting an expression of a given type into another type is known as type casting
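The three signed encodings and the 2's complement addition rule from the slides, worked through in C. This is an added example, not code from the course slides; the 7-bit word (one sign bit plus six magnitude bits) mirrors the slide layout, and the overflow test used here (both operands share a sign that the result does not, which is the same as the carry into the sign bit differing from the carry out) is the standard hardware rule rather than something the slides spell out.

```c
/* Added example: 7-bit signed encodings and 2's complement addition.
 * WIDTH is a constructed parameter matching the slide's "s mmmmmm" layout. */
#include <stdio.h>
#include <stdlib.h>

#define WIDTH 7
#define MASK  ((1u << WIDTH) - 1u)          /* 0x7F: keeps WIDTH bits */
#define SIGN  (1u << (WIDTH - 1))           /* 0x40: the sign bit     */

/* Signed magnitude: sign bit followed by |v| in binary. */
unsigned enc_sign_magnitude(int v) {
    unsigned mag = (unsigned)abs(v) & (SIGN - 1u);
    return v < 0 ? (SIGN | mag) : mag;
}

/* Signed 1's complement: negative values invert every bit of +|v|. */
unsigned enc_ones_complement(int v) {
    unsigned mag = (unsigned)abs(v);
    return v < 0 ? (~mag & MASK) : mag;
}

/* Signed 2's complement: 1's complement plus one (the slide's 0101 + 1 rule). */
unsigned enc_twos_complement(int v) {
    unsigned mag = (unsigned)abs(v);
    return v < 0 ? ((~mag + 1u) & MASK) : mag;
}

/* Decode a WIDTH-bit 2's complement pattern back into a C int. */
int dec_twos_complement(unsigned bits) {
    bits &= MASK;
    return (bits & SIGN) ? (int)bits - (int)(MASK + 1u) : (int)bits;
}

/* 2's complement addition as on the slide: add the sign bits along with the
 * numbers and discard the carry out on the left.  Overflow is flagged when
 * both operands have the same sign and the result has the other sign. */
unsigned add_twos_complement(unsigned a, unsigned b, int *overflow) {
    unsigned sum = (a + b) & MASK;          /* carry beyond WIDTH discarded */
    unsigned sa = a & SIGN, sb = b & SIGN, ss = sum & SIGN;
    *overflow = (sa == sb) && (ss != sa);
    return sum;
}

/* Render a WIDTH-bit pattern as "s mmmmmm", matching the slide layout. */
void print_bits(const char *label, unsigned bits) {
    printf("%-28s %u ", label, (bits & SIGN) ? 1u : 0u);
    for (int i = WIDTH - 2; i >= 0; i--)
        putchar(((bits >> i) & 1u) ? '1' : '0');
    putchar('\n');
}

int main(void) {
    int ovf;
    print_bits("+9:", enc_sign_magnitude(9));
    print_bits("-9, signed magnitude:", enc_sign_magnitude(-9));
    print_bits("-9, signed 1's complement:", enc_ones_complement(-9));
    print_bits("-9, signed 2's complement:", enc_twos_complement(-9));

    /* The slide's +6 + (-9) case: no overflow, result decodes to -3. */
    unsigned r = add_twos_complement(enc_twos_complement(6),
                                     enc_twos_complement(-9), &ovf);
    print_bits("+6 + (-9):", r);
    printf("decoded %d, overflow %d\n", dec_twos_complement(r), ovf);

    /* +63 + 1 needs an eighth bit: the n-digit overflow case from the slide. */
    r = add_twos_complement(enc_twos_complement(63), enc_twos_complement(1), &ovf);
    print_bits("+63 + (+1):", r);
    printf("decoded %d, overflow %d\n", dec_twos_complement(r), ovf);
    return 0;
}
```

The last case is the one a fixed-size register cannot represent: 63 + 1 produces the bit pattern 1 000000, which the decoder reads as -64, and the sign test reports the overflow that the discarded carry alone would not reveal.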
- Implicit casting
- Explicit casting

Casting Operations: Unsigned int to larger unsigned int
- Best case (no worries): the value is preserved
  1011 0001 (177)  ->  0000 0000 1011 0001 (177)

Casting Operations: Signed int to larger unsigned int
- Value is first sign-extended, then cast
- Positive numbers behave normally
- Negative numbers may cause unexpected results
  1011 1101 (-67)  ->  1111 1111 1011 0001 (65,457)

Casting Operations: Unsigned int to same-size signed int
- Bit pattern is preserved
- New value depends on the original sign bit
  1011 0011 (179)  ->  1011 0011 (-77)

Casting Operations: Downcast
- Truncates the original value
- Data loss may occur
- Value may become negative
  0000 1011 0110 1100 (2,924)  ->  0110 1100 (108)

Implicit Casting
- Operators may cause implicit casting
- Operators (+, -, *, /, %, &, |, ^, &&, ||, !) follow these rules:
  - If either operand is an unsigned long, both are upcast to an unsigned long.
  - Otherwise, both operands are upcast to an int and the result is an int.
- Source: 19 Deadly Sins of Software Security. Howard, LeBlanc, Viega [2005]

Security Concerns
- Integer overflows may lead to buffer overruns
  - Memory allocation
  - Array indexing
- Unexpected control flow
- Crash

Mitigation
- Understand casting (explicit / implicit, sign extension)
- Understand data types (signed / unsigned, range)
- Understand operators (upcasting, return types)
- Verify user input
- Don't depend on your compiler

Format String Attacks
- C/C++ most strongly affected
- Not validating user input is the main reason for format string problems
- Reading format strings from a compromised file is another vulnerability

How It Affects Security
- Access control: redirect execution to malicious code
- Confidentiality: can expose information about a program that can lead to further exploitation
- Integrity: values can be overwritten in memory

Summary
- Lexical source code scanners can detect the errors
- Do use fixed format strings
- Do NOT pass user input directly as the format string to the printf() family of functions
- Do avoid using the printf() and scanf() families of functions if you can
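The four casting cases and the implicit-conversion rule from the slides, reproduced with C's fixed-width types, followed by the length check that the "Security Concerns" and "Mitigation" slides are warning about. This is an added example, not the slides' own code: the 8-bit and 16-bit patterns are the slides' (or constructed where noted), BUF_SIZE is a constructed limit, and the hardened checks are this example's suggestions rather than anything the slides prescribe.

```c
/* Added example: casting behaviour and an input length check, in C.
 * BUF_SIZE is a constructed limit; the slides do not name one. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 64

/* Unsigned to larger unsigned: zero-extended, value preserved. */
uint16_t widen_unsigned(uint8_t v) { return (uint16_t)v; }

/* Signed to larger unsigned: sign-extended first, then reinterpreted, so a
 * negative 8-bit value becomes a large 16-bit value. */
uint16_t widen_signed_to_unsigned(int8_t v) { return (uint16_t)v; }

/* Unsigned to same-size signed: bit pattern kept, meaning changes. */
int8_t reinterpret_same_size(uint8_t v) { return (int8_t)v; }

/* Downcast: the high bits are truncated. */
uint8_t downcast(uint16_t v) { return (uint8_t)v; }

/* The operator rule in action: for `<` the int -1 is converted to unsigned
 * (UINT_MAX), so "negative is less than one" evaluates false. */
int negative_less_than_one_unsigned(void) {
    int a = -1;
    unsigned b = 1;
    return a < b;
}

/* Vulnerable check: `len` is a signed int taken from input.  A negative len
 * passes `len < BUF_SIZE`, yet memcpy() takes size_t, so the same value
 * would be converted to a huge unsigned count.  The copy is deliberately
 * not performed; the function only reports the check's verdict. */
int naive_length_ok(int len) {
    return len < BUF_SIZE;
}

/* Hardened check: reject negatives before any conversion to size_t, and
 * compare the count in the type memcpy() will use. */
int safe_length_ok(int len) {
    if (len < 0) return 0;
    return (size_t)len <= BUF_SIZE;
}

/* Hardened multiply for allocation sizes: fails instead of wrapping, which
 * is the "memory allocation" overflow the slides list. */
int checked_mul_size(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return 0;
    *out = count * elem;
    return 1;
}

int main(void) {
    size_t n = 0;
    printf("1011 0001 (%u) widened -> %u\n", 0xB1u, widen_unsigned(0xB1));
    printf("1011 0011 (179) as int8  -> %d\n", reinterpret_same_size(0xB3));
    /* constructed case: -77 sign-extended into a 16-bit unsigned */
    printf("-77 to uint16           -> %u\n", widen_signed_to_unsigned((int8_t)-77));
    printf("0000 1011 0110 1100 (%u) downcast -> %u\n", 0x0B6Cu, downcast(0x0B6C));
    printf("-1 < 1U evaluates to %d\n", negative_less_than_one_unsigned());
    printf("len = -1: naive check %d, safe check %d\n",
           naive_length_ok(-1), safe_length_ok(-1));
    printf("SIZE_MAX/2 * 4 fits in size_t? %d\n",
           checked_mul_size(SIZE_MAX / 2, 4, &n));
    return 0;
}
```

The naive check is the pattern behind many allocation and indexing overruns: the comparison is done in signed arithmetic, the consumer works in unsigned, and the conversion between the two happens silently at the call boundary.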
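A small lexical check of the kind the summary slide mentions: it scans source lines for calls to printf-family functions whose format argument is not a string literal, which is exactly the "fixed format strings" rule. This is an added example and not code from the slides or from any real scanner; the function table and the sample source lines are constructed, and unlike a real tool it does not track taint or handle calls split across lines.

```c
/* Added example: flag printf-family calls whose format is not a literal.
 * FMT_FNS and SAMPLE_LINES are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Function name and the zero-based position of its format argument. */
struct fmt_fn { const char *name; int fmt_index; };

static const struct fmt_fn FMT_FNS[] = {
    {"printf", 0}, {"fprintf", 1}, {"sprintf", 1},
    {"snprintf", 2}, {"syslog", 1}, {"vprintf", 0},
};

/* Copy argument `index` of the call whose '(' is at `open` into out,
 * honouring nested parentheses and string literals.  Returns 1 on success. */
static int nth_argument(const char *open, int index, char *out, size_t outlen) {
    int depth = 0, arg = 0, in_str = 0;
    size_t n = 0;
    for (const char *p = open; *p; p++) {
        int copy = 1;
        if (in_str) {
            if (*p == '\\' && p[1]) {                 /* keep escape pairs intact */
                if (arg == index && n + 2 < outlen) { out[n++] = p[0]; out[n++] = p[1]; }
                p++;
                continue;
            }
            if (*p == '"') in_str = 0;
        } else if (*p == '"') {
            in_str = 1;
        } else if (*p == '(') {
            if (++depth == 1) copy = 0;               /* the call's own '(' */
        } else if (*p == ')') {
            if (--depth == 0) break;                  /* end of argument list */
        } else if (*p == ',' && depth == 1) {
            if (arg == index) break;                  /* wanted argument done */
            arg++;
            copy = 0;
        }
        if (copy && arg == index && n + 1 < outlen) out[n++] = *p;
    }
    out[n] = '\0';
    return arg == index && n > 0;
}

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Returns 1 if `line` calls a table function with a non-literal format
 * argument, 0 otherwise.  A literal starts and ends with a double quote. */
int flag_format_line(const char *line) {
    for (size_t i = 0; i < sizeof FMT_FNS / sizeof FMT_FNS[0]; i++) {
        size_t len = strlen(FMT_FNS[i].name);
        const char *hit = line;
        while ((hit = strstr(hit, FMT_FNS[i].name)) != NULL) {
            /* whole identifier on the left, '(' on the right */
            int bounded = hit == line ||
                          !(isalnum((unsigned char)hit[-1]) || hit[-1] == '_');
            const char *after = hit + len;
            while (isspace((unsigned char)*after)) after++;
            if (bounded && *after == '(') {
                char arg[256];
                if (nth_argument(after, FMT_FNS[i].fmt_index, arg, sizeof arg)) {
                    char *a = trim(arg);
                    size_t alen = strlen(a);
                    if (!(alen >= 2 && a[0] == '"' && a[alen - 1] == '"')) return 1;
                }
            }
            hit += len;
        }
    }
    return 0;
}

/* Constructed source lines: three misuse the format argument, three do not. */
static const char *const SAMPLE_LINES[] = {
    "    printf(user_input);",                    /* flagged */
    "    printf(\"%s\\n\", user_input);",         /* fixed format: ok */
    "    fprintf(stderr, msg);",                  /* flagged */
    "    snprintf(buf, sizeof buf, \"%d\", n);",  /* ok */
    "    syslog(LOG_INFO, line);",                /* flagged */
    "    my_printf_wrapper(fmt);",                /* not in the table: ignored */
};

int count_flagged_samples(void) {
    int count = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++) {
        int bad = flag_format_line(SAMPLE_LINES[i]);
        printf("%s  %s\n", bad ? "FLAG" : "ok  ", SAMPLE_LINES[i]);
        count += bad;
    }
    return count;
}

int main(void) {
    printf("%d line(s) flagged\n", count_flagged_samples());
    return 0;
}
```

The check is purely syntactic, which is both its strength (cheap, runs on any code base) and its limit: a format string built at runtime from a constant still looks non-literal, and a wrapper like my_printf_wrapper() passes through unexamined unless it is added to the table.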