C/C++ integer vulnerabilities

Question 1

what is a carry overflow in integers

Answer 1

it is when the computed result derived from an arithmetic operation is exceeds the capacity of the binary representation used to store the results

Question 2

i = 1;
while(i>0){
i=i*2;
}

what would happen if “i” is a signed int vs unsigned int

Answer 2

1. signed int: datatype represents both + and - integers
   > it will keep getting multiplied by 2 until it reaches the maximum (2^31-1 –> 0111…111) and overflows
   > which causes it to wrap around a negative because the bit that was carried at the next iteration changed the sign to negative (100…000), so it will start at -2^31 which is the minimum value and loop will terminate (<0)
2. unsigned int: datatype represents only + integers
   > it will keep getting multiplied by 2 until it reaches the maximum representation 2^32-1 (111…..111)
   > but because unsigned int uses all 32 bits, after the maximum it wraps around 0 (000…000) and the loop terminates

Question 3

how to perform unsigned 8-bit integers

Answer 3

using modulo 256

Question 4

converting to Two’s Complement representation

Answer 4

1. figure out bit width
2. perform successive division by 2 and record remainders
3. remainder mod 2 = binary figure
4. add leading zeros to fill the bit width (represent + int)

for - int:
5. flip the bits (1’s become 0’s and vice versa)
6. add 1 to the binary representation

Question 5

Two’s Complement to Decimal

Answer 5

1. flip the bits (1’s become 0’s and vice versa)
2. add 1 to the result
3. start with rightmost bit and assign decimal value 2^0, continue for the rest of bits 2^1, 2^2….2^n
4. add all the decimal values where bit = 1
5. if the original representation had 1 on the leftmost bit, it is negative, otherwise it is positive

Question 6

void main(int argc, char **argv){
char buf1[1024];
char buf2[256];
strncpy(buf1, argv[1], 1024);
strncpy(buf2, argv[2], 256);
..
..
..
func(buf2);
}
void func(char *p){
char buf3[263];
sprintf(buf3, “%s”,p)
}

explain this code and safety issues

Answer 6

1. 2 buffers are created in the main function. strncpy is used to copy the contents of argv from a certain index, with a specified number of elements
   >strncpy stops copying when it reaches the specified number of elements or when it encounters a ‘/0’
2. buf2 is passed though func() as a pointer
3. sprintf will construct a string - buf3 - using contents of buf2
   >sprintf does not stop constructing until it reaches a null terminator

problems:
1. lack of null terminator in buf2
> could happen because source did not have one
> could happen because of the specified capacity, it stopped copying right before copying the ‘/0’
2. use of sprintf is risky when first problem is not handled

safety:
- if there is no null terminator in buf2, a buffer overflow will occur because sprintf will continue writing and eventually overwriting a total size of buf+buf2

Question 7

integer overflow from computation of array indices: how does it happen

Answer 7

if the result of an index calculation exceeds the length of the array, then a memory location above the array will be accessed

Question 8

integer overflows: lessons learned

Answer 8

1. declare all integers as unsigned (unless you need to work with negatives)
2. If you are measuring the size of objects in memory, you do not need negative numbers
3. when computing array indices, you must check upper and lower bounds
4. computer integers do not implement the mathematical abstraction ‘integers’
   * but integers modulo 2w
   * where w is the number of bits chosen for their representation
5. If your compiler flags a signed–unsigned mismatch: check if you need both representations