Integer Errors
There are three common integer errors that lead to software vulnerabilities: overflow, sign errors, and truncation.
- An integer overflow occurs when an integer is increased beyond its maximum value or decreased beyond its minimum value.
- Truncation errors occur when an integer is converted to a smaller integer type and the value of the original integer is outside the range of the smaller type. In these cases, the low-order bits of the original value are preserved and the high-order bits are lost.
- Sign errors occur when data is misinterpreted but there is no loss of data. Sign errors can occur when converting between signed and unsigned integers.
With few exceptions, compilers do not generally issue diagnostics for potential integer errors or report these errors at runtime. The Visual C++ .NET 2003 compiler, for example, does generates a compiler warning (C4244) when an integer value is assigned to a smaller integer type. At warning level 1, a warning will be issued if a value of type __int64 is assigned to a variable of type unsigned int. At warning level 3 and 4, a "possible loss of data" warning is issued if an integer type is converted to a smaller integer type.
As a result, preventing integer errors is primarily left to programmers and is impossible without a deep understanding of integer behavior in C and C++. It is apparent in the example below that the developer made some effort to prevent an integer overflow from occurring when multiplying cBlocks by 16:
void* AllocBlocks(size_t cBlocks) {
// allocating no blocks is an error
if (cBlocks == 0) return NULL;
// Allocate enough memory
// Upcast the result to a 64-bit integer
// and check against 32-bit UINT_MAX
// to make sure there's no overflow
unsigned long long alloc = cBlocks * 16;
return (alloc < UINT_MAX)
? malloc(cBlocks * 16)
: NULL;
}
Unfortunately, this example contains an incorrect assumption about integer behavior. The developer has assumed that because the result of multiplication is being stored in a 64-bit unsigned long long integer that the multiplication will result in a 64-bit value. This is not the case, however. To be compliant with the language standard, multiplying two 32-bit numbers in this context must yield a 32-bit result. The resulting value is zero-extended to create a 64-bit value. As a result, any overflow resulting from this multiplication will remain undetected, and the value of alloc is always less than UINT_MAX.
A good source of information on integral security is the CERT Secure Coding Standards for C and C++. The rationale for these standards is described in NIST Special Publication 500-262.
Mitigation Strategies
Mitigation strategies for integer errors include range checking, compiling with high warning levels and eliminating all warnings, testing, reviews, and safe integer operations.
Safe integer operations typically involve using a library or class that provides safe integer operations for integer values that originate from untrusted sources and are used as an array index, in any pointer arithmetic, as a length or size of an object, as the bound of an array (for example, a loop counter), as an argument to a memory allocation function, or in security critical code.
