integer overflow
srinu520
Added: November 16, 2010. Category: Education. License: All Rights Reserved.

Presentation Transcript

INTEGER OVERFLOW

SRINU BEVARA
Tezpur University

What is an integer overflow?

Since an integer is a fixed size, there is a fixed maximum value it can store. An attempt to store a value greater than this maximum is known as an integer overflow. The ISO C99 standard says that an integer overflow causes "undefined behavior". Most compilers seem to ignore the overflow, resulting in an unexpected or erroneous result being stored.

Integer overflow

An integer overflow occurs when an integer is increased beyond its maximum value or decreased beyond its minimum value. Overflows can be signed or unsigned. A signed overflow occurs when a value is carried over to the sign bit. An unsigned overflow occurs when the underlying representation can no longer represent a value.

Why can they be dangerous?

Integer overflows cannot be detected after they have happened. This can get dangerous if the calculation has to do with the size of a buffer or how far into an array to index. Most integer overflows are not exploitable because memory is not being directly overwritten, but sometimes they can lead to other classes of bugs, frequently buffer overflows.
Integer overflows can be difficult to spot, so even well-audited code can spring surprises.

Security Impact of Integer Operations

An integer overflow during a buffer length calculation can result in allocating a buffer that is too small to hold the data to be copied into it. A buffer overflow can result when the data is copied.

Withdrawing Rs 1 from an account with a balance of 0 could cause an integer underflow and yield a new balance of 4,294,967,295.

A very large positive number in a bank transfer could be cast as a signed integer by a back-end system. In such a case, the interpreted value could become a negative number and reverse the flow of money, from a victim's account into the attacker's.

Widthness overflows

    #include <stdio.h>

    int main(void)
    {
        int l;
        short s;
        char c;

        l = 0xdeadbeef;
        s = l;    /* only the low 16 bits of l fit in a short */
        c = l;    /* only the low 8 bits of l fit in a char */

        /* sizeof yields a size_t, so cast it before printing with %d */
        printf("l = 0x%x (%d bits)\n", l, (int)(sizeof(l) * 8));
        printf("s = 0x%x (%d bits)\n", s, (int)(sizeof(s) * 8));
        printf("c = 0x%x (%d bits)\n", c, (int)(sizeof(c) * 8));
        return 0;
    }

Arithmetic overflows

    #include <stdio.h>

    int main(void)
    {
        int b = 0x7fffffff;                 /* largest 32-bit signed value */
        unsigned int c = 0, d = 0xffffffff; /* smallest and largest unsigned values */

        printf("\nb=%d b+1=%d\n", b, b + 1);    /* signed overflow */
        printf("\nc=%u c-1=%u\n", c, c - 1);    /* unsigned wrap below zero */
        printf("\nd=%u d+1=%u\n", d, d + 1);    /* unsigned wrap above the maximum */
        return 0;
    }

Integer overflow to heap overflow

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        unsigned int a, b, c;

        if (argc < 2)
            return 1;
        a = strlen(argv[1]);
        printf("\n Enter any integer:");
        scanf("%u", &b);                   /* an untrusted source */
        c = a + b;                         /* an integer overflow */
        char *input = malloc(c);           /* a sensitive operation */
        char *output = malloc(14);         /* room for "normal output" and its NUL */
        strcpy(output, "normal output");
        strcpy(input, argv[1]);            /* a heap overflow follows */
        return 0;
    }

Slide 10:

Integer overflows are not like most common bug classes. They do not allow direct overwriting of memory or direct execution flow control, but are much more subtle.
The root of the problem lies in the fact that there is no way for a process to check the result of a computation after it has happened, so there may be a discrepancy between the stored result and the correct result. Because of this, most integer overflows are not actually exploitable.
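
Added example, not part of the original slides: since a wrapped result cannot be recognised afterwards, the range check has to run before the arithmetic. The code below applies that to the buffer-length calculation from the "Integer overflow to heap overflow" slide and to the withdrawal case; the helper names add_u32, sub_u32 and copy_with_room and the sample inputs are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsigned addition wraps modulo 2^32, so test the precondition first. */
static int add_u32(uint32_t a, uint32_t b, uint32_t *sum)
{
    if (a > UINT32_MAX - b)
        return -1;                  /* a + b would wrap */
    *sum = a + b;
    return 0;
}

/* Unsigned subtraction: 0 - 1 would wrap to 4,294,967,295. */
static int sub_u32(uint32_t a, uint32_t b, uint32_t *diff)
{
    if (b > a)
        return -1;                  /* a - b would wrap below zero */
    *diff = a - b;
    return 0;
}

/* Hardened form of the slide's allocation (hypothetical helper): copy src
 * into a new buffer with `extra` spare bytes, or return NULL on a bad size. */
static char *copy_with_room(const char *src, uint32_t extra)
{
    size_t len = strlen(src);
    uint32_t need;
    char *buf;

    if (len >= UINT32_MAX || add_u32((uint32_t)len + 1, extra, &need) != 0)
        return NULL;                /* size not representable: refuse */
    buf = malloc(need);
    if (buf != NULL)
        memcpy(buf, src, len + 1);  /* need >= len + 1, so this fits */
    return buf;
}

int main(void)
{
    uint32_t bal;
    /* Constructed input: with a = 8 the slide's c = a + b would wrap to 0. */
    char *p = copy_with_room("AAAAAAAA", 0xfffffff8u);

    printf("copy with wrapping size: %s\n", p ? "allocated" : "rejected");
    printf("withdraw 1 from 0: %s\n", sub_u32(0, 1, &bal) ? "rejected" : "ok");
    free(p);
    return 0;
}
```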