BYU logo Computer Science
CS 465 Introduction to Security and Privacy

Integer Vulnerabilities

Introductions

  • introductions of two students

Questions on the readings

The readings today are from Computer Security and the Internet, Chapter 6, sections 6.2.

Key Concepts

Integer-based vulnerabilities

  • understand C data types, unsigned and signed versions

    • see table 6.1
    • modern C uses uint16_t and int16_t
    • what happens if you convert types, e.g. through casting?

  • understand two’s complement — see Table 6.3, page 164

  • integer underflow and overflow

    • see Example on Integer overflow on multiplication

  • see Table 6.2, page 163 for examples of integer vulnerabilities

  • see the software consequences list, 1 through 4, page 163

  • mitigations — compiler flags to catch integer errors, developer toolsets, safe integer library functions

  • it would be great to switch to a better language (Rust!) but we have to live with what we have for now

Class Exercises

See the software security repo for code we will use:

  • In integer we will run rectangular, which has an integer overflow problem, and waiting-list, which has an integer underflow problem.

Additional Materials

Reviewing Code for Integer Manipulation Vulnerabilities