CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

Similar documents
2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Introduction to Security

Memory Corruption Vulnerabilities, Part II

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Lecture 12 Integers. Computer and Network Security 19th of December Computer Science and Engineering Department

CIS 4360 Secure Computer Systems. Integers

SECURE PROGRAMMING A.A. 2018/2019

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

CSE 565 Computer Security Fall 2018

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

MEMORY SAFETY ATTACKS & DEFENSES

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Programming refresher and intro to C programming

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Secure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge

Integers. Today. Next time. ! Numeric Encodings! Programming Implications! Basic operations. ! Floats

11 'e' 'x' 'e' 'm' 'p' 'l' 'i' 'f' 'i' 'e' 'd' bool equal(const unsigned char pstr[], const char *cstr) {

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSE 127 Computer Security

1.3b Type Conversion

Lecture 5-6: Bits, Bytes, and Integers

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Representing and Manipulating Integers. Jo, Heeseung

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Exploits and gdb. Tutorial 5

Systems Programming and Computer Architecture ( )

Basic Buffer Overflows

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty.

CS140 Lecture 08: Data Representation: Bits and Ints. John Magee 13 February 2017

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Bits, Bytes, and Integers

Detecting and exploiting integer overflows

Bits, Bytes and Integers

ICS Instructor: Aleksandar Kuzmanovic TA: Ionut Trestian Recitation 2

EL2310 Scientific Programming

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CSE 230 Intermediate Programming in C and C++ Arrays, Pointers and Strings

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Midterm Exam Review Slides

211: Computer Architecture Summer 2016

Computer Systems CEN591(502) Fall 2011

Representing and Manipulating Integers Part I

D as Better C Compiler. by Walter Bright dlang.org

CS107, Lecture 3 Bits and Bytes; Bitwise Operators

A brief introduction to C programming for Java programmers

5.Coding for 64-Bit Programs

Practical Malware Analysis

Representing Integers. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

C Language Part 1 Digital Computer Concept and Practice Copyright 2012 by Jaejin Lee

PRINCIPLES OF OPERATING SYSTEMS

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

Bits, Bytes, and Integers Part 2

Lecture 08 Control-flow Hijacking Defenses

Systems Programming and Computer Architecture ( )

CS 270: Computer Organization. Integer Arithmetic Operations

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C

Lecture 8: Pointer Arithmetic (review) Endianness Functions and pointers

Memory Corruption 101 From Primitives to Exploit

Topics in Software Security Vulnerability

Midterm Sample Questions. a) What evaluates to FALSE in C? What evaluates to TRUE?

C programming basics T3-1 -

Lecture 4 September Required reading materials for this class

FUNCTIONS POINTERS. Pointers. Functions

Integers II. CSE 351 Autumn Instructor: Justin Hsia

Program Security and Vulnerabilities Class 2

Integers II. CSE 351 Autumn Instructor: Justin Hsia

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

Work relative to other classes

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Lecture 3: C Programm

Lecture 9 Assertions and Error Handling CS240

CS61, Fall 2012 Midterm Review Section

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

Static Vulnerability Analysis

Writing Program in C Expressions and Control Structures (Selection Statements and Loops)

Lecture 03 Bits, Bytes and Data Types

Part I Part 1 Expressions

int main() { return 0; }

But first, encode deck of cards. Integer Representation. Two possible representations. Two better representations WELLESLEY CS 240 9/8/15

CSC 8400: Computer Systems. Machine-Level Representation of Programs

CS 261 Fall Mike Lam, Professor. Structs and I/O

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer overflow background

CS 61C: Great Ideas in Computer Architecture. Lecture 3: Pointers. Bernhard Boser & Randy Katz

Computer Security. Robust and secure programming in C. Marius Minea. 12 October 2017

Computer Programming: Skills & Concepts (CP) Strings

C: Pointers, Arrays, and strings. Department of Computer Science College of Engineering Boise State University. August 25, /36

CSE 333 Lecture 2 Memory

Agenda. Components of a Computer. Computer Memory Type Name Addr Value. Pointer Type. Pointers. CS 61C: Great Ideas in Computer Architecture

Arrays and Pointers. CSE 2031 Fall November 11, 2013

CS 61C: Great Ideas in Computer Architecture. Lecture 3: Pointers. Krste Asanović & Randy Katz

Pointers (part 1) What are pointers? EECS We have seen pointers before. scanf( %f, &inches );! 25 September 2017

Arithmetic and Bitwise Operations on Binary Data

Computer Systems Lecture 9

C++ Undefined Behavior What is it, and why should I care?

Transcription:

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security Instructor: Dr. Kun Sun 1

This lecture: [Seacord]: Chapter 5 Readings 2

Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output Race conditions Web security 3

Introductory Example 1. int main(int argc, char *argv[]) { 2. unsigned short int total; 3. total = strlen(argv[1])+ 4. strlen(argv[2])+1; 5. char *buff = (char *)malloc(total); 6. strcpy(buff, argv[1]); 7. strcat(buff, argv[2]); 8. } Can you find the error? 4

Introductory Example Accepts two string arguments and calculates their combined length (plus an extra byte for the terminating null character) int main(int argc, char *const *argv) { } unsigned short int total; total = strlen(argv[1]) + strlen(argv[2]) + 1; char *buff = (char *) malloc(total); strcpy(buff, argv[1]); strcat(buff, argv[2]); Memory is allocated to store both strings. The 1 st argument is copied into the buffer and the 2 nd argument is concatenated to the end of the 1 st argument 5

Vulnerability An attacker can supply arguments such that the sum of the lengths of the strings cannot be represented by the unsigned short int total. The strlen() function returns a result of type size_t, an unsigned long int on IA-32 As a result, the sum of the lengths + 1 is an unsigned long int. This value must be truncated to assign to the unsigned short int total. If the value is truncated malloc() allocates insufficient memory and the strcpy() and strcat() will overflow the dynamically allocated memory 6

Integers Integer range checking has not been systematically applied in the development of most C and C++ software. security flaws involving integers exist a portion of these are likely to be vulnerabilities A software vulnerability may result when a program evaluates an integer to an unexpected value. 7

Signed and Unsigned Types Integers in C and C++ are either signed or unsigned. For each signed type there is an equivalent unsigned type. Signed integers are used to represent positive and negative values. On a computer using two s complement arithmetic, a signed integer ranges from -2 n-1 through 2 n-1-1. 8

One s Complement Negative numbers are represented in one s complement form by complementing each bit even the sign bit is reversed 0 0 1 0 1 0 0 1 1 1 0 1 0 1 1 0 each 1 is replaced with a 0 each 0 is replaced with a 1 9

Two s Complement The two s complement form of a negative integer is created by adding one to the one s complement representation. 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1 1 1 0 1 0 1 1 0 + 1 = 1 1 0 1 0 1 1 1 Two s complement representation has a single (positive) value for zero. The sign is represented by the most significant bit. 10

Signed Integer Representation 11

Unsigned Integers Unsigned integer values range from zero to a maximum that depends on the size of the type. Maximum value can be calculated as 2 n -1, where n is the number of bits used to represent the unsigned type. For each signed integer type, there is a corresponding unsigned integer type. 12

Unsigned Integer Representation two s complement 13

Standard Integer Types Standard integers include the following types, in non-decreasing length order signed char short int int long int long long int 14

Integer Ranges Minimum and maximum values for an integer type depend on the type s representation signedness number of allocated bits 15

Example Integer Ranges signed char unsigned char -128 0 127 short 0 255-32768 unsigned short 0 32767 0 65535 16

Integer Conversions Type conversions occur explicitly in C and C++ as the result of a cast or implicitly as required by an operation. Conversions can lead to lost or misinterpreted data. Implicit conversions are a consequence of the C language ability to perform operations on mixed types. 17

Rule 1: Integer Promotions Integer types smaller than int are promoted when an operation is performed on them. If all values of the original type can be represented as an int the value of the smaller type is converted to int otherwise, it is converted to unsigned int. Integer promotions are applied as part of the usual arithmetic conversions to certain argument expressions operands of the unary +, -, and ~ operators operands of the shift operators 18

Integer Promotion Example Integer promotions require the promotion of each variable (c1 and c2) to int size char c1, c2; c1 = c1 + c2; The two ints are added and the sum truncated to fit into the char type. Integer promotions avoid arithmetic errors from overflow of intermediate values. 19

Integer Promotion Example 1. int _tmain(int argc, _TCHAR* argv[]) 2. { 3. 004017E0 push ebp 4. 004017E1 mov ebp,esp 5. 004017E3 push ecx 6. char c1 = 'a'; 7. 004017E4 mov byte ptr [c1],61h 8. char c2 = 'b'; 9. 004017E8 mov byte ptr [c2],62h 10. char c3 = c1+c2; 11. 004017EC movsx eax,byte ptr [c1] ;Move with sign extension 12. 004017F0 movsx ecx,byte ptr [c2] ;Move with sign extension 13. 004017F4 add eax,ecx 14. 004017F6 mov byte ptr [c3],al ;Move with truncation 15. } 16. 004017F9 xor eax,eax 17. 004017FB mov esp,ebp 18. 004017FD pop ebp 19. 004017FE ret 20

Implicit Conversions 1. char cresult, c1, c2, c3; 2. c1 = 100; 3. c2 = 90; 4. c3 = -120; 5. cresult = c1 + c2 + c3; The sum of c1 and c2 exceeds the maximum size of signed char However, c1, c1, and c3 are each converted to integers and the overall expression is successfully evaluated. The sum is truncated and stored in cresult without a loss of data The value of c1 is added to the value of c2. 21

Rule 2: Integer Conversion Rank Every integer type has an integer conversion rank that determines how conversions are performed. 22

Integer Conversion Rank Rules No two signed integer types have the same rank, even if they have the same representation. The rank of a signed integer type is > the rank of any signed integer type with less precision. The rank of long long int is > the rank of long int, which is > the rank of int, which is > the rank of short int, which is > the rank of signed char. The rank of any unsigned integer type is equal to the rank of the corresponding signed integer type. 23

Signed Integer Conversion Example 1. unsigned int k = ULONG_MAX; 2. char c = -1; 3. if (c == k) { 4. printf("-1 = 4,294,967,295?\n"); 5. } Because of integer promotions, c is converted to an unsigned integer with a value of 0xFFFFFFFF or 4,294,967,295 The value of c is compared to the value of k. 24

Usual Arithmetic Conversions 1. If both operands have the same type no conversion is needed. 2. If both operands are of the same integer type (signed or unsigned), the operand with the type of lesser integer conversion rank is converted to the type of the operand with greater rank. 3. If the operand that has unsigned integer type has rank >= to the rank of the type of the other operand, the operand with signed integer type is converted to the type of the operand with unsigned integer type. 4. If the type of the operand with signed integer type can represent all of the values of the type of the operand with unsigned integer type, the operand with unsigned integer type is converted to the type of the operand with signed integer type. 5. Otherwise, both operands are converted to the unsigned integer type corresponding to the type of the operand with signed integer type. 25

Integer Error Conditions Integer operations can resolve to unexpected values as a result of an overflow sign error truncation 26

Overflow An integer overflow occurs when an integer is increased beyond its maximum value or decreased beyond its minimum value. Overflows can be signed or unsigned A signed overflow occurs when a value is carried over to the sign bit An unsigned overflow occurs when the underlying representation can no longer represent a value 27

Overflow Examples 1. int i; 2. unsigned int j; 3. i = INT_MAX; // 2,147,483,647 4. i++; 5. printf("i = %d\n", i); 6. j = UINT_MAX; // 4,294,967,295; 7. j++; 8. printf("j = %u\n", j); i=-2,147,483,648 j = 0 28

Overflow Examples 9. i = INT_MIN; // -2,147,483,648; 10. i--; 11. printf("i = %d\n", i); i=2,147,483,647 12. j = 0; 13. j--; 14. printf("j = %u\n", j); j = 4,294,967,295 29

Integer Overflow Example 1. void getcomment(unsigned int len, char *src) { 2. unsigned int size; 3. size = len - 2; 4. char *comment = (char *)malloc(size + 1); 5. memcpy(comment, src, size); 6. return; } 0 byte malloc() succeeds Size is interpreted as a large positive value of 0xffffffff int _tmain(int argc, _TCHAR* argv[]) { } getcomment(1, "Comment "); return 0; Possible to cause an overflow by creating an image with a comment length field of 1 30

Truncation Errors Truncation errors occur when an integer is converted to a smaller integer type and the value of the original integer is outside the range of the smaller type Low-order bits of the original value are preserved and the high-order bits are lost. 31

Truncation Error Example 1. char cresult, c1, c2; 2. c1 = 100; 3. c2 = 90; 4. cresult = c1 + c2; Adding c1 and c2 exceeds the max size of signed char (+127) Truncation occurs when the value is assigned to a type that is too small to represent the resulting value Integers smaller than int are promoted to int or unsigned int before being operated on 32

Truncation Error Example bool func(char *name, long cbbuf) { } unsigned short bufsize = cbbuf; char *buf = (char *)malloc(bufsize); if (buf) { memcpy(buf, name, cbbuf); } if (buf) free(buf); return true; return false; cbbuf is used to initialize bufsize which is used to allocate memory for buf cbbuf is declared as a long and used as the size in the memcpy() operation 33

Truncation Vulnerability cbbuf is temporarily stored in the unsigned short bufsize. The maximum size of an unsigned short for both GCC and the Visual C++ compiler on IA- 32 is 65,535. The maximum value for a signed long on the same platform is 2,147,483,647. A truncation error will occur on line 2 for any values of cbbuf between 65,535 and 2,147,483,647. 34

Sign Errors Converting an unsigned integer to a signed integer of Equal size - preserve bit pattern; high-order bit becomes sign bit Greater size - the value is zero-extended then converted Lesser size - preserve low-order bits If the high-order bit of the unsigned integer is Not set - the value is unchanged Set - results in a negative value 35

Sign Errors Converting a signed integer to an unsigned integer of Equal size - bit pattern of the original integer is preserved Greater size - the value is sign-extended then converted Lesser size - preserve low-order bits If the value of the signed integer is Not negative - the value is unchanged Negative - the result is typically a large positive value 36

Sign Error Example 1. int i = -3; 2. unsigned short u; 3. u = i; 4. printf("u = %hu\n", u); Implicit conversion to smaller unsigned integer There are sufficient bits to represent the value so no truncation occurs. The two s complement representation is interpreted as a large signed value, however, so u = 65533 37

Sign Error Example #define BUFF_SIZE 10 int main(int argc, char* argv[]){ int len; char buf[buff_size]; } len = atoi(argv[1]); if (len < BUFF_SIZE){ memcpy(buf, argv[2], len); } Program accepts two arguments (the length of data to copy and the actual data) len declared as a signed integer argv[1] can be a negative value A negative value bypasses the check Value is interpreted as an unsigned value of type size_t 38

Upcast Example void* AllocBlocks(size_t cblocks) { // allocating no blocks is an error if (cblocks == 0) return NULL; // Allocate enough memory // Upcast the result to a 64-bit integer // and check against 32-bit UINT_MAX // to makes sure there's no overflow ULONGLONG alloc = cblocks * 16; } return (alloc < UINT_MAX)? malloc(cblocks * 16): NULL; Can you find the error? 39

Result Always > UINT_MAX void* AllocBlocks(size_t cblocks) { // allocating The no result blocks is assigned is to an a ULONGLONG error but the calculation may have already overflowed. if (cblocks == 0) return NULL; // Allocate enough memory // Upcast the result to a 64-bit integer // and check against 32-bit UINT_MAX // to makes sure there's no overflow ULONGLONG alloc = cblocks * 16; return (alloc < UINT_MAX)? malloc(cblocks * 16): NULL; } This is a 32-bit operation that results in a 32-bit value. 40

Corrected Upcast Example void* AllocBlocks(size_t cblocks) { // allocating no blocks is an error if (cblocks == 0) return NULL; // Allocate enough memory // Upcast the result to a 64-bit integer // and check against 32-bit UINT_MAX // to makes sure there's no overflow ULONGLONG alloc = (ULONGLONG)cBlocks*16; return (alloc < UINT_MAX)? malloc(cblocks * 16) : NULL; } 41

Source Code Audit Source code should be audited or inspected for possible integer range errors When auditing, check for the following: Integer type ranges are properly checked. Input values are restricted to a valid range based on their intended use. Integers that do not require negative values are declared as unsigned and properly range-checked for upper and lower bounds. Operations on integers originating from untrusted sources are performed using a safe integer library. 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback