In a perfect world, C and C++ compilers would identify the potential for exceptional conditions to occur at runtime and provide a mechanism (such as an exception, trap, or signal handler) for applications to handle these events. Unfortunately, the world we live in is far from perfect. This article provides a brief description of some of the compiler capabilities that exist today.
C, C++, IA-32, Win32, UNIX
An attacker executes arbitrary code on the machine with the permissions of the compromised process, or changes the behavior of the program.
Integers in C and C++ are susceptible to overflow, sign, and truncation errors that can lead to exploitable vulnerabilities.
Existing C and C++ compilers have limited capabilities for identifying and reporting potential exceptional conditions at compile time and at runtime.
The Visual C++ .NET 2003 compiler generates a compiler warning (C4244) when an integer is assigned to a smaller integer type. At warning level 1, a warning is issued if a value of type __int64 is assigned to a variable of type unsigned int. At warning levels 3 and 4, a “possible loss of data” warning is issued if an integer type is converted to a smaller integer type. For example, the following assignment is flagged at warning level 4:
int b = 0, c = 0; short a = b + c; // C4244
Visual C++ .NET 2003 also provides runtime error checks that are enabled by the /RTC flag. The /RTCc compiler flag is the runtime counterpart of compiler warning C4244: it reports when a value assigned to a smaller data type results in a loss of data. Visual C++ also includes a runtime_checks pragma that disables or restores the /RTC settings, but it does not include flags for catching other runtime errors such as overflows. Visual C++ 2005 adds the ability to catch overflows in operator new (enabled by default).
Runtime error checks are not valid in a release (optimized) build for performance reasons [Microsoft 03].
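Because /RTCc is unavailable in release builds, code that narrows integers has to carry its own range check if the truncation is to be caught in production. The following added example (not from the article or from Microsoft) shows the explicit check that reports the same “loss of data” condition that warning C4244 and /RTCc report: the int-to-short case from the example above and the __int64-to-unsigned-int case flagged at warning level 1. The function names and the sample values are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Convert an int to a short only if the value is representable in a short.
 * Returns true and stores the result on success. Returns false, leaving
 * *out untouched, when the assignment would silently discard high-order
 * bits; this is exactly the condition /RTCc reports at runtime. */
bool int_to_short_checked(int value, short *out)
{
    if (value < SHRT_MIN || value > SHRT_MAX) {
        return false;
    }
    *out = (short)value;
    return true;
}

/* The warning-level-1 case: a 64-bit signed value assigned to unsigned int.
 * Both negative values and values above UINT_MAX are rejected, since either
 * would change the numeric value on conversion. */
bool int64_to_uint_checked(long long value, unsigned int *out)
{
    if (value < 0 || value > (long long)UINT_MAX) {
        return false;
    }
    *out = (unsigned int)value;
    return true;
}

/* What the unchecked assignment `short a = b + c;` actually stores: the
 * conversion of an out-of-range value to short is implementation-defined,
 * and on mainstream compilers it keeps only the low 16 bits. */
int unchecked_int_to_short(int value)
{
    short a = (short)value;   /* the C4244 site, without a check */
    return a;
}

int main(void)
{
    short a = 0;
    int b = 40000, c = 40000;   /* constructed: b + c is 80000, too large for a short */

    if (!int_to_short_checked(b + c, &a)) {
        printf("%d does not fit in a short; unchecked assignment would store %d\n",
               b + c, unchecked_int_to_short(b + c));
    }
    return 0;
}
```

Note that `b + c` itself is computed in int and does not overflow here; the defect is in the narrowing assignment, which a compiler only catches with the warning or with /RTCc in a debug build.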
The GCC and g++ compilers include an -ftrapv compiler option that provides limited support for detecting signed integer exceptions at runtime. According to the GCC man page, this option “generates traps for signed overflow on addition, subtraction, and multiplication operations.” In practice, this means that the GCC compiler generates calls to existing library functions rather than generating assembler instructions to perform these arithmetic operations on signed integers. If you use this feature, make sure you are using GCC version 3.4 or later because the checks implemented by the runtime system before this version do not adequately detect all overflows and should not be trusted [Seacord 04].
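The operations that -ftrapv instruments are signed addition, subtraction, and multiplication, and the GCC runtime detects overflow by checking the operands before the operation rather than by inspecting the result (which is already undefined behavior in C once signed overflow has occurred). The following added example (not from the article, and not GCC's libgcc code) shows that pre-operation check written out in portable C, so the overflow is reported as a return value instead of a trap and can be caught in any build. The function names and sample values are constructed for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Signed addition: overflow is possible only when both operands have the
 * same sign, so compare against the remaining headroom before adding. */
bool add_checked(int a, int b, int *result)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return false;
    }
    *result = a + b;
    return true;
}

/* Signed subtraction: the mirror image of the addition check. */
bool sub_checked(int a, int b, int *result)
{
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b)) {
        return false;
    }
    *result = a - b;
    return true;
}

/* Signed multiplication: divide the limit by one operand and compare with
 * the other. The four sign combinations need separate bounds, and the
 * a == 0 case is excluded to avoid dividing by zero. */
bool mul_checked(int a, int b, int *result)
{
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return false;        /* positive * positive */
        } else {
            if (b < INT_MIN / a) return false;        /* positive * negative */
        }
    } else {
        if (b > 0) {
            if (a < INT_MIN / b) return false;        /* negative * positive */
        } else {
            if (a != 0 && b < INT_MAX / a) return false; /* negative * negative */
        }
    }
    *result = a * b;
    return true;
}

int main(void)
{
    int r = 0;
    /* Constructed inputs: 46341 * 46341 exceeds INT_MAX on a 32-bit int,
     * and INT_MIN * -1 is the classic case that no sign check alone catches. */
    if (!mul_checked(46341, 46341, &r)) {
        puts("46341 * 46341 would overflow a 32-bit int");
    }
    if (!mul_checked(INT_MIN, -1, &r)) {
        puts("INT_MIN * -1 would overflow a 32-bit int");
    }
    if (add_checked(INT_MAX, -1, &r)) {
        printf("INT_MAX + -1 = %d\n", r);
    }
    return 0;
}
```

Newer GCC and Clang releases also expose this check directly as the `__builtin_add_overflow`, `__builtin_sub_overflow`, and `__builtin_mul_overflow` builtins, which return true on overflow and store the wrapped result; the hand-written form above is what they replace, and it is what a project supporting older compilers still needs.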
[Microsoft 03] Microsoft Corporation. “Visual C++ Compiler Options, /RTC (Run-Time Error Checks).” Visual Studio .NET help system, 2003.
[Seacord 04] Seacord, Robert C. “libgcc contains multiple flaws that allow integer type range vulnerabilities to occur at runtime.” US-CERT Vulnerability Note VU#540517, April 2004.
This material is excerpted from Secure Coding in C and C++, by Robert C. Seacord, copyright © 2006 by Pearson Education, Inc., published as a CERT® book in the SEI Series in Software Engineering. All rights reserved. It is reprinted with permission and may not be further reproduced or distributed without the prior written consent of Pearson Education, Inc.