
Note: This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Do Not Perform Arithmetic with Unvalidated Input

Published: June 26, 2013

Author(s): William L. Fithen

Maturity Levels and Audience Indicators: L4 / D/P

SDLC Life Cycles: Implementation

Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

Careless modulo arithmetic can introduce vulnerabilities.

Description

According to [Seacord 05]:

Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This is primarily because boundary conditions for integers, unlike other boundary conditions in software engineering, have been intentionally ignored. Most programmers emerging from colleges and universities understand that integers have fixed limits, but because these limits were either deemed sufficient, or because testing the results of each arithmetic operation was considered prohibitively expensive, violating integer boundary conditions has gone almost entirely unchecked in commercial software.

For in-depth coverage of this issue in C and C++, see Safe Integer Operations.
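The following C sketch is an added example, not code from the original page or from Safe Integer Operations. It shows a size calculation on an untrusted record count wrapping modulo SIZE_MAX + 1, next to a version that validates the operands before doing the arithmetic. All function names and the sample values are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: size_t arithmetic is modulo SIZE_MAX + 1, so a large untrusted
 * count wraps silently and yields a small, wrong byte total. */
static size_t total_bytes_unchecked(size_t count, size_t rec_size, size_t header)
{
    return count * rec_size + header;
}

/* Checked: test each operand against the limit before the operation. */
static bool total_bytes_checked(size_t count, size_t rec_size, size_t header,
                                size_t *out)
{
    if (rec_size != 0 && count > SIZE_MAX / rec_size)
        return false;                 /* count * rec_size would wrap */
    size_t body = count * rec_size;
    if (header > SIZE_MAX - body)
        return false;                 /* body + header would wrap */
    *out = body + header;
    return true;
}

/* Signed overflow is undefined behavior in C, so the test must come first. */
static bool add_int_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

int main(void)
{
    size_t hostile = SIZE_MAX / 16 + 1;   /* constructed untrusted count */
    size_t total = 0;
    int sum = 0;

    printf("unchecked total: %zu\n", total_bytes_unchecked(hostile, 16, 8));
    printf("checked accepts hostile count: %d\n",
           total_bytes_checked(hostile, 16, 8, &total));
    printf("checked accepts 100 records: %d\n",
           total_bytes_checked(100, 16, 8, &total));
    printf("INT_MAX + 1 accepted: %d\n", add_int_checked(INT_MAX, 1, &sum));
    return 0;
}
```

A buffer allocated from the unchecked total would be far smaller than the record count implies, which is why the rejection has to happen before the multiplication rather than after it.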

References

[Blexim 02] blexim. Basic Integer Overflows. http://www.phrack.org/phrack/60/p60-0x0a.txt (2002).

[Hoglund 04] Hoglund, Greg & McGraw, Gary. Exploiting Software: How to Break Code. Boston, MA: Addison-Wesley, 2004.

[Horovitz 02] Horovitz, Oded. Big Loop Integer Protection. http://www.phrack.org/phrack/60/p60-0x09.txt (2002).

[Howard 03a] Howard, Michael. Reviewing Code for Integer Manipulation Vulnerabilities. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure04102003.asp (2003).

[Seacord 05] Seacord, Robert C. Secure Coding in C and C++. Boston, MA: Addison-Wesley, 2005.

[Thompson 05] Thompson, Herbert & Chase, Scott. The Software Vulnerability Guide. Charles River Media, 211-222. 2005.

 

