Bride of Buffer Overflow

1
Chapter 7

• Bride of Buffer Overflow

2
Chapter Synopsis

• Integers
• Wrap around errors
• Truncation and sign extension
• Conversions between unsigned and signed
• Methods to detect and prevent problems
• Runtime Protection
• Safe Programming Lanuages
• Safer C Dialects
• Dynamic Buffer Overflow protections

3
The Problem

• Numbers in computers are not integers but only an
  approximation. They are bounded, have a sign,
  representation, etc.
• Many arithmetic operations, many conversions have
  a risk of returning non-sense values due to
  machine limitations.
• When this non-sense value is used for memory
  allocation, bound a string operation or index
  into a buffer, we have a buffer overflow.

4
The 4 bit number wheels
5
An example

• An Integer Overflow causing a Buffer overflow
  u_int nresp
  nresp packet_get_int()
  if ( nresp gt 0 )
  
  response xmalloc(nrespsizeof(char ))
  for (i 0 i lt nresp i)
  responsei
  packet_get_string(NULL)
• Value of nresp 1073741824 causes problems.

6
Other Problems

• Subtracting from 0 can also cause problems.
• (example, page 238)? (next slide)

7
Bad subtract from 0

• unsigned int readamt
• readamt getstringsize(...)
• if ( readamt gt 1024 ) return -1
• readamt-- // don't allocate space for '\n'
• buf malloc(readamt)

8
Truncation and sign extension

• When integers get truncated, the most significant
  part is lost when they get expanded, the most
  significant bit is extended, sometimes with
  unexpected results.
• Examples
• -1 truncated to 4 bits is 15
• 4 bit 7 expanded is still 7, but
• 4 bit 15 (unsigned) can become -1!

9
Conversion between signed and unsigned

• The problem is the high-order bit the semantics
  are different, the meaning is different. Bad
  example
• char a
• short len ????
• if (len lt 1024 ) a malloc((int)len)
• .
• .

10
What to do?

• Use Unsigned types (watch out, though)?
• Expect bad assumptions
• Restrict numeric User input use santy checks
• Sanity check values used to allocate and access
  memory
• Respect compiler warnings.
• Use best practices for your compiler
• Understand Integer Conversion rules
• Verify overflow of operators

11
Use Best Practices for CL from MSDN

• Compile with highest possible warning level /W4
• Watch out for integer related compiler warnings
• Investigate all pragma disabling overflows
• Enable runtime integer error checks for
  conversion overflows with /RTCc (for debugging
  only)?

12
Use Best Practices for gcc

• Compile with -wconversion -wsign-compare
• Check all pragma disabling diagnostics.
• Enable runtime error checks with -ftrapv (not for
  production runs)?

13
Understand Integer Conversion rules

• Plethora of rules but most important ones
• Less precision is usually upcast to higher
  precision but
• An unsigned type can be implicitly cast to a
  signed type even if not all values can be
  represented.

14
Verify conditions for operators that can overflow
15
Use Special Libraries

• SafeInt
• IntSafe

16
Safer Programming Languages/Dialects

• Safe Programming Languages like
• Java
• C
• Python
• Ruby
• Safe dialects of C/C like
• Ccured
• Cyclone

17
Dynamic Buffer Overflow Protections

• Not a fix
• Non-executable memory segments
• Compile-Time Instrumentation (canaries)?
• Virtual Execution Environments
• Hardened System Libraries