Vulnerabilities Due to Type Conversion of Integers
When programs contain statements that make use of different data types, compilers automatically change that code to obtain expressions that work on common data types.
Author: DAVIDE POZZA
Source: Hakin9 3/2008 http://hakin9.org
WHAT YOU WILL LEARN…
- How C’s type conversions work
- How vulnerabilities can be caused by unsafe type conversions
WHAT YOU SHOULD KNOW…
- The basics of the C programming language
- What are buffer overflows
- What are integer overflows
While the resulting programs often behave as programmers expect, these type conversions sometimes lead to unintended behaviours, and they can be the trigger cause of vulnerabilities. This article explains how and when type conversions happen as well as how to recognize and avoid the vulnerabilities that can be caused by them. Programs use integer variables to perform many essential operations, such as maintaining numeric data information, storing the result of arithmetic computation, counting loop iterations, indexing arrays, maintaining program state information, and storing addresses. Therefore, errors involving integers can heavily affect the operation of a program. Usually these errors lead programs to do nothing more than misbehave. However, when the integers are involved in security sensitive operations, such as pointer arithmetic, buffer size calculations, memory allocations, memory copies, memory manipulations, and checks, their mistaken usage can lead to serious security consequences. There are two main sources of integer problems: Type Conversions and Arithmetic Underflow/Overflow. This article focuses on type conversions and the security vulnerabilities caused by them – a topic that seems to be relatively unknown to many C programmers. A type conversion happens when the data type of a variable is changed from one type to another. not type safe. Therefore, programmers are allowed to write code that uses different data types in a mixed way. For example, it is possible to write code that: assigns a signed integer to an unsigned char, multiplies an unsigned short int by a signed long int, compares a char to an unsigned int, etc. When this happens, compilers perform type conversions transparently to obtain code which makes sense by working on homogeneous types. Therefore, programmers do not pay too much attention to what is really happening when they write similar code (although they write it accidentally sometimes), since most of the time programs behave as they expect. However, there are some corner cases, where type conversions can lead to behaviours that may be unforeseen by programmers and that have an high impact on the reliability and security of the software. This is a first part of a series that will examine the problems that can arise because of type conversions of integer variables, explains their causes, and provides examples of vulnerabilities. In the next issue of hakin9, you will read the suggestion on how to look at the code to spot such errors and I will examine coding practices that can be helpful to prevent dangerous consequences due to type conversions. While the article will limit its scope to the C language aspects of type conversions, it is worth noting that the problems deriving from type conversions are not only limited to C and C++, but can easily arise and lead to unexpected consequences in other languages too. It is important to note that such problems could be also present on managed languages (such as Java and C#), since they could occur in the native implementation of certain methods.
<div id=”headersubscriptionform”>Option for individual subscribers</div>