SLIDE 1

SECURE PROGRAMMING

A.A. 2018/2019

SLIDE 2

System, Social and Mobile Security

INTEGER SECURITY

SLIDE 3

SECURITY FLAWS

The integers are formed by the natural numbers including 0 (0, 1, 2, 3, ...) together with the negatives of the nonzero natural numbers (-1, -2, -3, ...). Integers represent a growing and underestimated source of vulnerabilities in C programs, primarily because boundary conditions for integers, unlike other boundary conditions in software engineering, are frequently overlooked. When developing secure systems, we cannot assume that a program will operate normally given a range of expected inputs, because attackers are looking for input values that produce an abnormal effect.

SLIDE 4

REPRESENTATION

So, how are integers represented in C? Sign-magnitude or two's complement? Every mainstream implementation uses two's complement (and C23 makes it the only permitted representation), so the rest of these slides assume it.

SLIDE 5

TWO’S COMPLEMENT

    Binary value   Two's complement   Unsigned
    00000000              0                 0
    00000001              1                 1
       ...               ...               ...
    01111110            126               126
    01111111            127               127
    10000000           -128               128
    10000001           -127               129
    10000010           -126               130
       ...               ...               ...
    11111110             -2               254
    11111111             -1               255

In two's complement there is only one zero, represented as 00000000. Negating a number (whether negative or positive) is done by inverting all the bits and then adding one to the result.

SLIDE 6

HOW TO GET THE COMPLEMENT

From a number to its complement, e.g. from 5 to -5: flip all the bits, then add 1.

    0000 0101   (value 5)
    1111 1010   (flip)
    1111 1011   (+1) = -5

The inverse algorithm works the same way. When a number starts with 1 it is negative; to recover its magnitude, subtract 1 and then flip all the bits:

    1111 1011   (value -5)
    1111 1010   (-1)
    0000 0101   (flip) = 5

SLIDE 7

HOW MANY NUMBERS CAN I REPRESENT?

With n bits:

- from -2^(n-1) to 2^(n-1) - 1
- there is no "-0", so one more negative number than positive numbers can be represented

For instance, with 8 bits:

- from -128 to +127

The rule from the previous slide for getting the complement does not work on the most negative value, because +128 is not representable with 8 bits in two's complement: flipping 1000 0000 (-128) gives 0111 1111, and adding 1 gives 1000 0000 again, so -(-128) comes out as -128. In C, negating the most negative value of a signed type is an overflow and therefore undefined behaviour.

SLIDE 8

OPERATION EXAMPLES

Addition, 8 bits: 15 + (-5)

      11111 111   (carry)
      0000 1111   (15)
    + 1111 1011   (-5)
    ===========
      0000 1010   (10)     OK: the carry out of the top bit is discarded

Subtraction, 8 bits: 15 - (-5)

      11110 000   (borrow)
      0000 1111   (15)
    - 1111 1011   (-5)
    ===========
      0001 0100   (20)     OK

Addition, 4 bits: 7 + 3

      0111        (carry)
      0111        (7)
    + 0011        (3)
    ===========
      1010        (-6)     invalid! Arithmetic overflow: 10 does not fit in the 4-bit signed range -8..7

SLIDE 9

UNSIGNED TYPES

SLIDE 10

WRAPAROUND

A computation involving unsigned operands can never overflow, because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type (C standard, 6.2.5). The result is therefore always well defined, but it is usually not the result the programmer intended: this is wraparound.

SLIDE 11

EXAMPLE

SLIDE 12

EXAMPLE

    for (unsigned i = n; --i >= 0; )   // will never terminate

An unsigned value is never negative, so the condition --i >= 0 is always true: when i reaches 0 the decrement wraps it to UINT_MAX and the loop keeps running (most compilers warn that the comparison is always true).

This type of software failure occurred on Saturday, December 25, 2004, when Comair halted all operations and grounded 1,100 flights after a crash of its flight-crew-scheduling software. The software failure was the result of a 16-bit counter that limits the number of changes to 32,768 in any given month. Storms earlier in the month caused many crew reassignments, and the 16-bit value was exceeded.
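As an added example (not part of the original slides), the following C program shows the correct way to count down with an unsigned index, makes the modulo behaviour of unsigned subtraction visible, and models a 16-bit change counter in the spirit of the Comair incident that refuses to increment instead of silently wrapping. The function names and the counter API are this example's own assumptions, not code from the lecture.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Counts down from n-1 to 0 with an unsigned index. The test runs before the
   decrement, so when i reaches 0 the condition i-- > 0 is false and the loop
   exits; the final wrap of i to UINT_MAX is harmless because i is not used
   afterwards. Returns the number of iterations so the behaviour can be checked. */
unsigned count_down(unsigned n) {
    unsigned iterations = 0;
    for (unsigned i = n; i-- > 0; ) {
        iterations++;
    }
    return iterations;
}

/* Unsigned subtraction never "fails": the result is reduced modulo
   UINT_MAX + 1, so 0 - 1 == UINT_MAX. This is the wrap the loop on the
   slide relies on by accident. */
unsigned unsigned_sub(unsigned a, unsigned b) {
    return a - b;
}

/* A 16-bit change counter (assumed API). Instead of silently wrapping from
   USHRT_MAX to 0, the increment is refused and the caller is told, so the
   condition can be logged and handled. */
bool record_change(unsigned short *counter) {
    if (*counter == USHRT_MAX) {
        return false;            /* saturated: one more ++ would wrap to 0 */
    }
    (*counter)++;
    return true;
}

/* Applies record_change() `attempts` times starting from `start` and returns
   how many increments were accepted. */
unsigned changes_accepted(unsigned short start, unsigned attempts) {
    unsigned short counter = start;
    unsigned accepted = 0;
    for (unsigned k = 0; k < attempts; k++) {
        if (record_change(&counter)) {
            accepted++;
        }
    }
    return accepted;
}

int main(void) {
    printf("count_down(5) ran %u times\n", count_down(5));
    printf("0u - 1u = %u (UINT_MAX = %u)\n", unsigned_sub(0, 1), UINT_MAX);
    printf("3 changes from USHRT_MAX-1: %u accepted\n",
           changes_accepted(USHRT_MAX - 1, 3));
    return 0;
}
```

The loop idiom `for (unsigned i = n; i-- > 0; )` is the portable replacement for the non-terminating loop on the slide; the saturating counter is what the Comair software would have needed instead of a bare 16-bit increment.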

SLIDE 13

CHECKS

SLIDE 14

CHECKS

SLIDE 15

OPERATORS AND WRAPS

SLIDE 16

SIGNED TYPES

SLIDE 17

SIGNED TYPES

In C, each unsigned integer type, excluding the type _Bool, has a corresponding signed integer type that occupies the same amount of storage:

- signed char
- short int
- int
- long int
- long long int

SLIDE 18

WHY SO MANY SIGNED TYPES?

Most integer variables are used as sizes, counters, or indices that require only nonnegative values. So why not declare them as unsigned integers, which have a greater range of positive values? One possible explanation is the lack of an exception-handling mechanism in C. As a result, C programmers have developed various mechanisms for returning status from functions, such as returning -1 from a function whose normal results are nonnegative.

SLIDE 19

WRAP WHEEL

Two’s complement

SLIDE 20

FROM GREATEST TO LOWEST

SLIDE 21

EXAMPLES

SLIDE 22

TABLE OF OPERATORS

SLIDE 23

SIGNED AND UNSIGNED CHAR

The CERT C Secure Coding Standard, "INT07-C. Use only explicitly signed or unsigned char type for numeric values":

- it is the only portable way to guarantee the signedness of the character types, because plain char may be signed or unsigned depending on the implementation.

SLIDE 24

TYPE CONVERSIONS

SLIDE 25

HIERARCHY OF TYPES

When arithmetic operands have different types, the implicit type conversion is governed by the types' conversion rank.

- Any two unsigned integer types have different conversion ranks. If one is wider than the other, then it has a higher rank.
- Each signed integer type has the same rank as the corresponding unsigned type.
- The standard integer types are ranked in the order: _Bool < char < short < int < long < long long
- The floating-point types are ranked in the order: float < double < long double
- The lowest-ranked floating-point type, float, has a higher rank than any integer type.
- An enumerated type has the same rank as its compatible integer type, which is normally int.

SLIDE 26

INTEGER PROMOTION

In any expression, you can always use a value whose type ranks lower than int in place of an operand of type int or unsigned int. In these cases the compiler applies integer promotion: any operand whose type ranks lower than int is automatically converted to int, provided int is capable of representing all values of the operand's original type. If int is not sufficient, the operand is converted to unsigned int. On typical platforms int is 4 bytes, the natural operand size of the CPU, so arithmetic on smaller types is carried out on at least 4 bytes.

SLIDE 27

EXAMPLE

    #include <stdio.h>

    int main(void)
    {
        char a = 30, b = 40, c = 10;
        char d = (a * b) / c;   /* a, b, c are promoted to int: 1200 / 10 */
        printf("%d\n", d);      /* prints 120 */
        return 0;
    }

Output: 120

At first look, the expression (a*b)/c seems to cause arithmetic overflow, because a signed char can hold only values from -128 to 127 (on most C implementations) and the subexpression (a*b) evaluates to 1200, which is greater than 127. But integer promotion applies here: arithmetic on char operands is done in int, where 1200 fits, the division yields 120, and only that final value is converted back to char. Had the quotient not fit in a char (for example with c = 1), the assignment to d would have truncated it.

SLIDE 28

WHAT HAPPENS?

The usual arithmetic conversions are applied as follows:

- If either operand has a floating-point type, then the operand with the lower conversion rank is converted to a type with the same rank as the other operand. Real types are converted only to real types.
- If both operands are integers, integer promotion is first performed on both operands. If after integer promotion the operands still have different types, conversion continues as follows:
  - If one operand has an unsigned type T whose conversion rank is at least as high as that of the other operand's type, then the other operand is converted to type T.
  - Otherwise, one operand has a signed type T whose conversion rank is higher than that of the other operand's type. The other operand is converted to type T only if type T is capable of representing all values of its previous type. If not, then both operands are converted to the unsigned type that corresponds to the signed type T.

SLIDE 29

EXAMPLES

    int x = 0;
    int i = -1;
    unsigned int limit = 200U;
    long n = 30L;
    if (i < limit)
        x = limit * n;
    printf("%d\n", x);

In this example, to evaluate the comparison in the if condition, the value of i, -1, must first be converted to the type unsigned int. The result is a large positive number, UINT_MAX (next slide). Hence the if condition is false and the program prints 0. Had the body executed, the value of limit would have been converted to n's type, long, if the value range of long contains the whole value range of unsigned int. If not, for example if both int and long are 32 bits wide, then both multiplicands are converted to unsigned long.

SLIDE 30

CONVERSIONS TO UNSIGNED INTEGER TYPES

Integer values are always preserved if they are within the range of the new unsigned type:

- between 0 and Utype_MAX

For values outside the new unsigned type's range, the value after conversion is obtained by adding or subtracting (Utype_MAX + 1) as many times as necessary until the result is within the range of the new type.

    unsigned short n = 1000;   // 1000 is within the range of unsigned short
    n = -1;                    // the value -1 must be converted

Since -1 + (USHRT_MAX + 1) = USHRT_MAX, the final statement is equivalent to n = USHRT_MAX; (65535 where short is 16 bits).
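The conversion rule above, written out as code. This is an added example (not from the slides): the two `*_by_rule` functions apply the "add or subtract Utype_MAX + 1 until the value is in range" rule explicitly, and `rule_matches_conversion` checks that the compiler's implicit conversion gives the same value, which the C standard guarantees for every conversion to an unsigned type. Function names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The standard's rule for conversion to unsigned short, spelled out: add or
   subtract (USHRT_MAX + 1) until the value lies in 0..USHRT_MAX. A remainder
   is used instead of a loop so that very large or very negative inputs are
   handled in one step, and the arithmetic is done in long long so that no
   intermediate result can wrap. */
unsigned short to_ushort_by_rule(long long v) {
    const long long modulus = (long long)USHRT_MAX + 1;   /* 65536 */
    long long r = v % modulus;                            /* in (-modulus, modulus) */
    if (r < 0) {
        r += modulus;                 /* one more "add USHRT_MAX + 1" */
    }
    return (unsigned short)r;
}

/* Same rule for unsigned int, with the modulus derived from UINT_MAX. */
unsigned to_uint_by_rule(long long v) {
    const long long modulus = (long long)UINT_MAX + 1;
    long long r = v % modulus;
    if (r < 0) {
        r += modulus;
    }
    return (unsigned)r;
}

/* The compiler's implicit conversion (as in `n = -1;` on the slide) must
   produce exactly the value the rule produces. */
bool rule_matches_conversion(long long v) {
    unsigned short implicit_short = v;    /* implicit conversion */
    unsigned implicit_uint = v;
    return implicit_short == to_ushort_by_rule(v)
        && implicit_uint == to_uint_by_rule(v);
}

int main(void) {
    /* constructed sample values, including the extremes of long long */
    long long samples[] = { 1000, -1, 65536, 65537, -65537, LLONG_MIN, LLONG_MAX };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        printf("%lld -> unsigned short %u, unsigned %u (%s)\n",
               samples[k],
               to_ushort_by_rule(samples[k]),
               to_uint_by_rule(samples[k]),
               rule_matches_conversion(samples[k]) ? "matches" : "MISMATCH");
    }
    return 0;
}
```

Note that -1 maps to 65535 and -65537 also maps to 65535: the rule is plain modular reduction, so every value that differs by a multiple of 65536 ends up as the same unsigned short, which is exactly why a negative length "disappears" into a large positive one.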

SLIDE 31

INTEGER VULNERABILITIES

SLIDE 32

EXAMPLE

JPEG COM Marker Processing Vulnerability in Netscape Browsers. The COM marker carries a 2-byte length field that counts the two length bytes themselves, so the code computes the comment payload as length - 2. What if 1 is passed as the length? The subtraction gives -1, and since size_t is always an alias for an unsigned type, that -1 becomes a huge size when it is used as an allocation or copy length.

SLIDE 33

CONVERSION ERRORS

What if the length is negative? malloc() takes a size_t argument, so a negative int passed as the size is converted to a very large unsigned value; likewise a negative length that slips past a signed bounds check becomes a huge byte count when it reaches memcpy().

SLIDE 34

TRUNCATION

strlen(argv[1]) is 65,500 and strlen(argv[2]) is 536; adding 1 for the terminator gives 65,537. Stored in an unsigned short (USHRT_MAX is 65,535) the total is truncated to 65,537 mod 65,536 = 1: a buffer of 1 byte is allocated, both strings are copied into it, and the heap is overflowed.

SLIDE 35

MITIGATION STRATEGIES

SLIDE 36

ERRORS

As we have seen, integer vulnerabilities result from integer type range errors. For example, integer overflows occur when integer operations generate a value that is out of range for a particular integer type. Truncation errors occur when a value is stored in a type that is too small to represent the result. Conversions, particularly those resulting from assignment or casts, can result in values that are out of the range of the resulting type.

SLIDE 37

EXAMPLE OF TRUNCATION

    #include <stdio.h>
    #include <limits.h>

    int main(void)
    {
        long long int a = (LLONG_MAX - UINT_MAX) + 1;
        int b = a;                      /* only the low 32 bits survive */
        printf("b: %d\n", b);
        printf("a: %lld\n", a);
        return 0;
    }

Output:

    b: 1
    a: 9223372032559808513

In bits (64-bit long long, 32-bit int and unsigned int):

      LLONG_MAX   01111111 11111111 11111111 11111111 11111111 11111111 11111111 11111111   (0x7FFFFFFFFFFFFFFF)
    - UINT_MAX    00000000 00000000 00000000 00000000 11111111 11111111 11111111 11111111   (0x00000000FFFFFFFF)
    =             01111111 11111111 11111111 11111111 00000000 00000000 00000000 00000000   (0x7FFFFFFF00000000)
    + 1           01111111 11111111 11111111 11111111 00000000 00000000 00000000 00000001   (0x7FFFFFFF00000001)

Storing a in an int keeps only the low 32 bits, 0x00000001, so b is 1 although a is about 9.2 x 10^18. For a signed destination this out-of-range conversion is implementation-defined; on common implementations it is a plain truncation like this one.

SLIDE 38

INTEGER TYPE SELECTION

The first step in developing secure code is to select the appropriate data types. An integer type provides a model of a finite subset of the mathematical set of integers. Select integer types that can represent the range of possible runtime values, and then ensure that these ranges are not exceeded.

SLIDE 39

SIZES

Say, for example, that you need to represent the size of an object as an integer. You could represent the size of the object as a short int, as in the following declaration:

    short total = strlen(argv[1]) + 1;

A short may be only 16 bits wide, so the length of a long argument is truncated (and, for a signed short, may come out negative). Variables of type size_t are guaranteed to be precise enough to represent the size of any object, as in the following example:

    size_t total = strlen(argv[1]) + 1;

"INT01-C. Use size_t for all integer values representing the size of an object."

SLIDE 40

EXAMPLE

Solved? NO… Now yes

SLIDE 41

TYPE RANGE CHECKING

Because all integer vulnerabilities are type range errors, type range checking, if properly applied, can eliminate all integer vulnerabilities. The CERT C Secure Coding Standard has several rules to prevent range errors:

- INT30-C. Ensure that unsigned integer operations do not wrap.
- INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data.
- INT32-C. Ensure that operations on signed integers do not result in overflow.

SLIDE 42

PRE-CONDITION

One approach to eliminating integer exceptional conditions is to test the values of the operands before an operation, to prevent overflow and wrapping from occurring.

SLIDE 43

PRE-CONDITION WITH SIGNED

SLIDE 44

POST-CONDITION

Postcondition tests can be used to detect unsigned integer wrapping, because these operations are well defined as having modulo behaviour: the result can be computed first and then inspected. They cannot be used for signed overflow, which is undefined behaviour; the compiler may assume it never happens and remove a test such as if (a + b < a) altogether.
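The precondition and postcondition tests from slides 42 to 44 as working C, added here as an example (not code from the lecture or from any library): precondition checks for signed addition and multiplication (INT32-C), precondition checks for unsigned addition and multiplication (INT30-C), and a postcondition check for unsigned addition, which is legitimate only because unsigned wrap is defined. Function names and the `bool` + out-parameter convention are this example's own choices.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Precondition check for signed addition (INT32-C). Signed overflow is
   undefined behaviour, so the operands must be tested before adding:
   a + b overflows iff (b > 0 and a > INT_MAX - b) or (b < 0 and a < INT_MIN - b).
   Neither subtraction on the right can itself overflow. */
bool add_int_checked(int a, int b, int *result) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;
    }
    *result = a + b;
    return true;
}

/* Precondition check for signed multiplication, one case per sign
   combination. The divisor is never 0 and INT_MIN is only ever divided by a
   positive number, so the divisions themselves cannot overflow. */
bool mul_int_checked(int a, int b, int *result) {
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return false;
        } else if (b < INT_MIN / a) {
            return false;
        }
    } else if (a < 0) {
        if (b > 0) {
            if (a < INT_MIN / b) return false;
        } else if (b < INT_MAX / a) {
            return false;
        }
    }
    *result = a * b;
    return true;
}

/* Precondition checks for unsigned operations (INT30-C). */
bool add_uint_checked(unsigned a, unsigned b, unsigned *result) {
    if (a > UINT_MAX - b) return false;
    *result = a + b;
    return true;
}

bool mul_uint_checked(unsigned a, unsigned b, unsigned *result) {
    if (b != 0 && a > UINT_MAX / b) return false;
    *result = a * b;
    return true;
}

/* Postcondition check for unsigned addition. Unsigned wraparound is defined
   modulo arithmetic, so the sum can be computed first: it wrapped iff the
   sum is smaller than one of the operands. The same pattern is NOT valid for
   signed types, where "if (a + b < a)" relies on undefined behaviour. */
bool add_uint_postchecked(unsigned a, unsigned b, unsigned *result) {
    unsigned sum = a + b;
    if (sum < a) return false;
    *result = sum;
    return true;
}

int main(void) {
    int r;
    unsigned u;
    printf("INT_MAX + 1: %s\n", add_int_checked(INT_MAX, 1, &r) ? "ok" : "overflow");
    printf("INT_MIN + (-1): %s\n", add_int_checked(INT_MIN, -1, &r) ? "ok" : "overflow");
    printf("-1 * INT_MIN: %s\n", mul_int_checked(-1, INT_MIN, &r) ? "ok" : "overflow");
    printf("UINT_MAX + 1 (precondition): %s\n", add_uint_checked(UINT_MAX, 1, &u) ? "ok" : "wrap");
    printf("UINT_MAX + 1 (postcondition): %s\n", add_uint_postchecked(UINT_MAX, 1, &u) ? "ok" : "wrap");
    printf("65536 * 65536: %s\n", mul_uint_checked(65536u, 65536u, &u) ? "ok" : "wrap");
    return 0;
}
```

All the signed checks are expressed with subtractions and divisions that stay in range, which is the whole trick: a precondition must not itself perform the overflowing operation it is guarding against.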

SLIDE 45

SECURE INTEGER LIBRARIES

Michael Howard has written parts of a safe integer library that detects integer overflow conditions using architecture-specific mechanisms.

SLIDE 46

COMPILER CHECKS

GCC provides an -ftrapv compiler option that offers limited support for detecting integer overflows at runtime.

- The GCC runtime system generates traps for signed overflow on addition, subtraction, and multiplication operations for programs compiled with the -ftrapv flag.
- It does not cover unsigned wraparound, which is defined behaviour and therefore not an error the compiler can flag; the more commonly used modern alternative is UBSan's -fsanitize=signed-integer-overflow, available in both GCC and Clang.

SLIDE 47

TESTING AND STATIC ANALYSIS

Static analysis, by either the compiler or a static analyzer, can be used to detect potential integer range errors in source code.

SLIDE 48

ARIANE 5, JUNE 6 1996

Start. 37 seconds of flight. KABOOM! Ten years and 7 billion dollars turn into dust.

The programmers were to blame for everything

SLIDE 49

REASON

The investigation revealed that this software module contained seven variables involved in type conversion operations. The developers had analysed all the operations capable of raising an exception and made a conscious decision: add adequate protection to four of the variables, and leave the other three, including BH (horizontal bias), unprotected. The ground for this decision was the certainty that overflow was not possible for these variables. This confidence was supported by evaluations showing that the expected range of the physical parameters from which the values of these variables are derived could never lead to an undesirable situation. And it was true, but only for the trajectory evaluated for Ariane 4.

SLIDE 50

ADA CODE

SLIDE 51

REASON

Specifically a 64 bit floating point number relating to the horizontal velocity of the rocket with respect to the platform was converted to a 16 bit signed integer. The number was larger than 32,767, the largest integer storeable in a 16 bit signed integer, and thus the conversion failed.

SLIDE 52

WHY

The new generation Ariane 5 rocket launched on an entirely different trajectory, for which no evaluations were carried out. Meanwhile, it turned out that the “horizontal velocity” (together with the initial acceleration) exceeded the estimated (for Ariane 4) more than five times. The protection of all 7 (including BH) variables wasn’t provided because the developers had to look for ways to reduce unnecessary evaluation expenses, and they weakened the protection in that fragment where theoretically the accident could not happen.