C Language Part1

The document discusses the significance of software security, highlighting the growing complexity and connectivity issues that contribute to software vulnerabilities. It covers various aspects of C programming language issues, including data storage, integer types, and arithmetic boundary conditions that can lead to numeric overflow or underflow. Additionally, it emphasizes the importance of understanding these vulnerabilities to enhance software security and prevent potential exploits.


Canadian Institute for Cybersecurity
Recap

Topic 1: Why Is Security a Software Issue?

• What is Software Security?
• Importance of Software
• The Software Security Problem is growing
  - Complexity
  - Connectivity
  - Extensibility
• What security defects are in software
  - Implementation issues
  - Design issues
• Relationship between Software Assurance and Software Security
• Properties of Secure Software
• Benefits of Detecting Software Security Defects Early
• Threats to Software Security
• Sensitive data exposure
• Injection attacks
  - SQLi
  - XSS
• Memory Corruption
  - Buffer overflow
  - Off by One

CS4417 / CS6417 – C Language Issues


Winter 2023

Feb 14 - 2023

Instructor: Saqib Hakak


Canadian
Institute for
Cybersecurity
References

• Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley Professional, 2006.
• https://www.open-std.org/jtc1/sc22/wg14/www/standards
Outline

1. Why this topic
2. Data storage overview in C
3. C language vulnerabilities
4. Type conversion

Programming Language Issues

• When you are reviewing software to uncover potential security holes, it is important to understand the underlying details of how the programming language implements data types and operations, and how those details can affect execution flow.
• Execution flow is the order in which a program's instructions, individual statements, or function calls are carried out to accomplish the program's task.

• A code reviewer examining an application binary at the assembly level can see explicitly how data is stored and manipulated, as well as the exact implications of an operation on a piece of data. However, when you're reviewing an application at the source code level, some details are abstracted and less obvious.

• This abstraction can lead to the introduction of subtle vulnerabilities in software that remain unnoticed and uncorrected for long periods of time.

• A thorough auditor should be familiar with the source language's underlying implementation and how these details can lead to security-relevant conditions in border cases or exceptional situations.
Data Storage Overview

- Review the basics of C types: specifically, their storage sizes, value ranges, and representations.
- Binary encoding, twos complement arithmetic, and byte order conventions.

An object is defined as:
- A region of data storage in the execution environment;
  • its contents can represent values.
- Each object has an associated type:
  • a way to interpret and give meaning to the value stored in that object.
• Integer types: there are four standard signed integer types:
  - short int
  - int
  - long int
  - long long int
• Each standard type has a corresponding unsigned type that takes the same amount of storage.
• Character types: there are three character types:
  - char
  - signed char
  - unsigned char
• All three types are guaranteed to take up 1 byte of storage.


• Floating types: there are three real floating types and three complex types. The real floating types are float, double, and long double. The three complex types are float _Complex, double _Complex, and long double _Complex.

• Bit fields: a bit field is a specific number of bits in an object. Bit fields can be signed or unsigned, depending on their declaration. If no sign type specifier is given, the sign of the bit field is implementation dependent.
Bit fields might be unfamiliar to some programmers, as they usually aren't present outside network code or low-level code. Here's a brief example of a bit field: id refers to a 4-bit unsigned variable, and tflag and rflag refer to single bits. ack is a 2-bit variable, seqnum is an 8-bit variable, and code is a 16-bit variable.

- From an abstract perspective, each integer type represents a different integer size that the compiler can map to an appropriate underlying architecture-dependent data type.
- A character is guaranteed to consume 1 byte of storage (although a byte might not necessarily be 8 bits). sizeof(char) is always one, and you can always use an unsigned character pointer, sizeof, and memcpy() to examine and manipulate the actual contents of other types.
- The other integer types have certain ranges of values they are required to be able to represent, and they must maintain certain relationships with each other (long can't be smaller than short, for example), but otherwise, their implementation largely depends on their architecture and compiler.
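The following is an added illustration, not the slide's own code: a struct built from the field widths the slide describes (id, tflag, rflag, ack, seqnum, code), together with the sizeof / unsigned char pointer / memcpy() technique mentioned on the same slide for looking at raw storage. The field order, the choice of unsigned int as the underlying type and the helper names are this example's assumptions; the total size of the struct is implementation dependent, which is why the code prints it rather than assuming it. The security-relevant point it demonstrates is that assigning a value wider than the field silently drops the high bits.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical header layout using the bit widths from the slide.
 * Field order and underlying type (unsigned int) are assumptions. */
struct header {
    unsigned int id     : 4;   /* 4-bit unsigned field */
    unsigned int tflag  : 1;   /* single-bit flag      */
    unsigned int rflag  : 1;   /* single-bit flag      */
    unsigned int ack    : 2;   /* 2-bit field          */
    unsigned int seqnum : 8;   /* 8-bit field          */
    unsigned int code   : 16;  /* 16-bit field         */
};

/* A bit field keeps only as many low-order bits as its declared width.
 * Returns what is actually stored after assigning 'value' to the 4-bit id. */
unsigned int store_in_id(unsigned int value)
{
    struct header h;
    memset(&h, 0, sizeof h);
    h.id = value;                 /* high bits above bit 3 are discarded */
    return h.id;
}

/* Copy the raw bytes of any object out through an unsigned char buffer,
 * the portable way to inspect storage (sizeof + unsigned char + memcpy). */
size_t dump_bytes(const void *obj, size_t len, unsigned char *out)
{
    memcpy(out, obj, len);
    return len;
}

/* Round-trips a 32-bit value through its raw bytes and back; returns 1 if
 * the reconstructed value matches, which holds on any byte order because
 * both copies use the host's own order. */
int byte_roundtrip_ok(uint32_t v)
{
    unsigned char raw[sizeof v];
    uint32_t back;
    dump_bytes(&v, sizeof v, raw);
    memcpy(&back, raw, sizeof back);
    return back == v;
}

int main(void)
{
    struct header h;
    unsigned char raw[sizeof h];

    memset(&h, 0, sizeof h);
    h.code = 0xBEEF;
    h.seqnum = 0x5A;
    h.id = store_in_id(0x1F);     /* 0x1F needs 5 bits; only 0xF survives */

    printf("sizeof(struct header) = %zu bytes\n", sizeof h);
    printf("id after assigning 0x1F: 0x%X\n", h.id);

    dump_bytes(&h, sizeof h, raw);
    printf("raw bytes in memory:");
    for (size_t i = 0; i < sizeof h; i++)
        printf(" %02x", raw[i]);
    printf("\n");
    return 0;
}
```

The byte dump comes out in the host's byte order, so the same struct prints differently on little- and big-endian machines; that is exactly the kind of detail the slide says is hidden at source level.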
Data Storage Overview

Most programming languages have the concept of signed and unsigned integers.

• An unsigned variable can only store positive numbers.
• Unsigned integer types have two possible types of bits:
  - value bits, which contain the actual base-two representation of the object's value
  - padding bits, which are optional and otherwise unspecified by the standard
Binary Encoding

Binary encoding uses the binary digit, or bit, as the fundamental unit of information.

• Unsigned integer values are encoded in pure binary form, which is a base-two numbering system.
• Each bit is a 1 or 0, indicating whether the power of two that the bit's position represents is contributing to the number's total value.

Figure: binary notation to decimal


Q. How is the number 55 represented in binary?

Q. For an 8-bit binary number, how many different bit combinations are possible?

The C standard give three possible arithmetic schemes for integers and, therefore, three
possible interpretations for the sign bit:

v Sign and magnitude:


The sign of the number is stored in the sign bit. It’s 1 if the number is negative and 0
if the number is positive.

https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2218.htm#biblio-c11
Q. Do you think this approach is great and has no limitations?
• Ones complement:
  - Again, the sign bit is 1 if the number is negative and 0 if the number is positive.
  - Positive values can be read directly from the value bits. However, negative values can't be read directly; the whole number must be negated first.
  - In ones complement, a number is negated by inverting all its bits. To find the value of a negative number, you have to invert its bits.

• Twos complement: the sign bit is 1 if the number is negative and 0 if the number is positive.
  - You can read positive values directly from the value bits, but you can't read negative values directly; you have to negate the whole number first.
  - In twos complement, a number is negated by inverting all the bits and then adding one.

https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2218.htm#biblio-c11
Figure: negating 6 in a 4-bit representation
  6 = 0110
  invert all bits: 1001 (-6 in ones complement)
  add one: 1010 (-6 in twos complement)

https://www.exploringbinary.com/twos-complement-converter/
Q. Find the twos complement of 15.

Q. 1101 0110 is an unknown negative number. How can you find its value?
Binary Encoding

Range of an n-bit sign-and-magnitude number: -(2^(n-1) - 1) to +(2^(n-1) - 1)
  n = 4: -(2^(4-1) - 1) to +(2^(4-1) - 1)
       = -(2^3 - 1) to +(2^3 - 1)
       = -7 to +7

Sign and magnitude gives two representations of zero:
  +0 or 0000 (binary)
  -0 or 1000 (binary)

Both are valid, but which one is correct?

source: https://www.electronics-tutorials.ws/binary/signed-binary-numbers.html (4-bit Signed Binary Number Comparison)


• Integers are usually represented internally by using twos complement, especially in modern computers.
  - As mentioned, twos complement encodes positive values in standard binary encoding.
  - The range of positive values that can be represented is based on the number of value bits.
  - A twos complement 8-bit signed integer has 7 value bits and 1 sign bit.
  - It can represent the positive values 0 to 127 in the 7 value bits (0000000 to 1111111 in binary).
  - All negative values represented with twos complement encoding require the sign bit to be set.
  - The values from -128 to -1 can be represented in the value bits when the sign bit is set, thus allowing the 8-bit signed integer to represent -128 to 127.
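As an added example (not code from the slides), the block below carries the negation rules above through in code: ones complement by inverting the bits, twos complement by inverting and adding one, decoding of an unknown negative pattern by negating it first, and the -2^(n-1) to 2^(n-1) - 1 range of an n-bit twos complement integer. It generalizes the slide's 4-bit figure to 8 bits, and it works on uint8_t so that the wrap-around is well defined (signed overflow in C is undefined behaviour). The function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Ones complement: invert every bit. */
uint8_t ones_complement8(uint8_t v)
{
    return (uint8_t)~v;
}

/* Twos complement: invert every bit, then add one.  ~v is promoted to int,
 * so the result is cast back to 8 bits; the unsigned add cannot overflow. */
uint8_t twos_complement8(uint8_t v)
{
    return (uint8_t)(~v + 1u);
}

/* Interpret an 8-bit pattern as a twos complement signed number.  A clear
 * sign bit means the value bits are read directly; a set sign bit means the
 * whole pattern is negated first and the result made negative. */
int decode_twos_complement8(uint8_t bits)
{
    if ((bits & 0x80u) == 0)
        return (int)bits;
    return -(int)twos_complement8(bits);
}

/* Smallest and largest values of an n-bit twos complement integer. */
int twos_min(int n) { return -(1 << (n - 1)); }
int twos_max(int n) { return (1 << (n - 1)) - 1; }

static void print_bits8(uint8_t v)
{
    for (int i = 7; i >= 0; i--)
        putchar(((v >> i) & 1u) ? '1' : '0');
}

int main(void)
{
    uint8_t six = 6;
    uint8_t neg6 = twos_complement8(six);
    uint8_t unknown = 0xD6;               /* 1101 0110 from the question above */

    printf(" 6 = "); print_bits8(six);  printf("\n");
    printf("-6 = "); print_bits8(neg6); printf(" (decodes to %d)\n",
                                             decode_twos_complement8(neg6));
    printf("1101 0110 decodes to %d\n", decode_twos_complement8(unknown));
    printf("twos complement of 15 is "); print_bits8(twos_complement8(15)); printf("\n");
    printf("8-bit range: %d to %d; 4-bit range: %d to %d\n",
           twos_min(8), twos_max(8), twos_min(4), twos_max(4));
    return 0;
}
```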
Data Storage Overview

• Modern 32-bit machines mostly use twos complement representations.
• Bytes are going to be 8 bits long.
• Byte order varies; it's little endian on Intel machines but more likely to be big endian on RISC machines.

• The char type is likely to be signed by default and take up 1 byte.
• The short type takes 2 bytes.
• int takes 4 bytes.
• The long type is also 4 bytes.
• long long is 8 bytes.
• We've learned that C's basic integer types have minimum and maximum possible values.
• We can explore what can happen when you attempt to traverse these boundaries.
• Simple arithmetic on a variable, such as addition, subtraction, or multiplication, can result in a value that can't be held in that variable.
Arithmetic Boundary Conditions

We have two unsigned integer variables with the values 3,758,096,416 and 536,870,944; the maximum value an unsigned int can hold is 4,294,967,295.

  3,758,096,416 + 536,870,944 = 4,294,967,360

The sum is larger than the maximum representable value.

https://www.calculatorsoup.com/calculators/math/modulo-calculator.php
https://www.binaryhexconverter.com/hex-to-decimal-converter

When an arithmetic operation results in a value higher than the maximum possible representable value, it's called a numeric overflow condition.
Arithmetic Boundary Conditions

"A computation involving unsigned operands can never overflow, because a result that cannot be represented by the resulting unsigned integer type is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type." (C99 standard)

• Modular arithmetic is a system of arithmetic used heavily in computer science. The expression "X modulo Y" means "the remainder of X divided by Y."
• For example, 100 modulo 11 is 1 because when 100 is divided by 11, the answer is 9 and the remainder is 1.
• The modulus operator in C is written as %. So in C, the expression (100 % 11) evaluates to 1, and the expression (100 / 11) evaluates to 9.

source: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
Arithmetic Boundary Conditions

(0xE0000020 + 0x20000020) modulo 0x100000000 (2^32)

- The size of the result is truncated to a size that fits into the available processor register width.
- When an integer overflow occurs, the value may wrap to result in a small or negative number.
Arithmetic Boundary Conditions

Q. Do you think this sample code is exploitable?

  unsigned int x, y;
  x = 0;
  y = x - 1;
Arithmetic Boundary Conditions (unsigned integers)

  unsigned int x, y;
  x = 0;
  y = x - 1;

The arithmetic result, -1, is below the minimum possible value that can be stored in y. This result is known as a numeric underflow condition.

Numeric overflow conditions are also referred to in secure-programming literature as numeric overflows, arithmetic overflows, integer overflows, or integer wrapping.

Numeric underflow conditions can be referred to as numeric underflows, arithmetic underflows, integer underflows, or integer wrapping. Specifically, the terms "wrapping around a value" or "wrapping below zero" might be used.
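The following added example (this editor's code, not the slides') puts both of the preceding cases into runnable form: the slide's sum 0xE0000020 + 0x20000020, which the C standard reduces modulo 2^32, and the underflow x = 0; y = x - 1. Beside each wrapping operation is the precondition check an auditor would want to see, written so that the check itself cannot wrap: a + b overflows exactly when a > UINT32_MAX - b, and a - b underflows exactly when a < b. Function names are this example's own; uint32_t stands in for the 32-bit unsigned int the slides assume.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsigned addition as the standard defines it: the true sum reduced
 * modulo 2^32.  Never undefined, but silently wrong past UINT32_MAX. */
uint32_t add_wrap32(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Unsigned subtraction: wraps below zero to a large positive number. */
uint32_t sub_wrap32(uint32_t a, uint32_t b)
{
    return a - b;
}

/* Checked addition: stores the sum and returns 1 only if it fits.
 * a > UINT32_MAX - b is equivalent to a + b > UINT32_MAX but cannot wrap. */
int add_checked32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* Checked subtraction: refuses to wrap below the minimum value 0. */
int sub_checked32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a < b)
        return 0;
    *out = a - b;
    return 1;
}

/* Yes/no wrappers around the checks, convenient for testing. */
int add_fits32(uint32_t a, uint32_t b) { uint32_t r; return add_checked32(a, b, &r); }
int sub_fits32(uint32_t a, uint32_t b) { uint32_t r; return sub_checked32(a, b, &r); }

int main(void)
{
    uint32_t a = 0xE0000020u, b = 0x20000020u, r;

    /* 3758096416 + 536870944 = 4294967360 = 2^32 + 64, so 64 is stored. */
    printf("0x%08X + 0x%08X wraps to 0x%08X (%u)\n",
           (unsigned)a, (unsigned)b, (unsigned)add_wrap32(a, b), (unsigned)add_wrap32(a, b));
    printf("checked add accepted? %d\n", add_checked32(a, b, &r));

    /* The slide's underflow: x = 0; y = x - 1; */
    uint32_t x = 0, y = sub_wrap32(x, 1);
    printf("0 - 1 wraps to %u (0x%08X)\n", (unsigned)y, (unsigned)y);
    printf("checked sub accepted? %d\n", sub_checked32(x, 1, &r));
    return 0;
}
```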
• You have seen examples of how arithmetic overflows could occur because of addition.
• Other operators that can cause overflows are:
  - multiplication, and
  - left shift, which, for this discussion, can be thought of as multiplication by 2.
Arithmetic Boundary Conditions (unsigned integers)

  #include <stdio.h>

  int main(void)
  {
      int x, y, z;

      printf("Please enter x: ");
      if (scanf("%d", &x) != 1)
          return 1;                 /* reject non-numeric input */
      printf("Please enter y: ");
      if (scanf("%d", &y) != 1)
          return 1;

      z = x * y;                    /* the product can exceed what a 32-bit int holds */
      printf("%d\n", z);
      return 0;
  }

Example: 100000 * 200000 = 20000000000
= 100 1010 1000 0001 0111 1100 1000 0000 0000 in binary, which is 35 bits and so cannot be held in a 32-bit int.
Unsigned Integer Boundaries

• Challenge-Response Integer Overflow Example in OpenSSH 3.1 (CVE-2002-0639)

Real-world vulnerability: the nresp unsigned integer is user controlled, and its purpose is to tell the server how many responses to expect.
It is used to allocate the response[] array and fill it with network data.

• If users specify an nresp value that is large enough, a numeric overflow could occur, and the result of the multiplication could end up being a small number.
• nresp = 0x40000020 → 1073741856 responses
• The multiplied size wraps: 0x100000080 modulo 0x100000000 = 0x80
• 0x80 → 128 bytes are allocated

• The for loop attempts to retrieve 0x40000020 strings from the packet! This turned out to be a critical remotely exploitable vulnerability.
• A clever attacker might be able to leverage this overflow to take control of the application, depending on the low-level details of the process's runtime environment.
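The block below is an added model of the allocation-size pattern the slide describes, written by this editor and not taken from OpenSSH. It assumes a 32-bit build where each response[] entry is a 4-byte pointer, so that 0x40000020 * 4 = 0x100000080 wraps to 0x80 as on the slide, and it shows the two checks a reviewer would look for: a division-based overflow test that cannot itself wrap, and a protocol-level cap on the count applied before any multiplication. PTR_SIZE32, MAX_RESPONSES and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Models a 32-bit build: one response[] entry is a 4-byte pointer. */
#define PTR_SIZE32 4u

/* Vulnerable pattern: the byte count is formed in 32-bit unsigned
 * arithmetic, so a large attacker-chosen count wraps to a tiny size. */
uint32_t response_bytes_unchecked(uint32_t nresp)
{
    return nresp * PTR_SIZE32;            /* reduced modulo 2^32 */
}

/* Hardened pattern: reject any count whose byte size would not fit.
 * nresp > UINT32_MAX / PTR_SIZE32 is equivalent to nresp * PTR_SIZE32 >
 * UINT32_MAX, but the division cannot overflow.  Returns 0 on success and
 * stores the size; returns -1 when the request is rejected. */
int response_bytes_checked(uint32_t nresp, uint32_t *bytes)
{
    if (nresp > UINT32_MAX / PTR_SIZE32)
        return -1;
    *bytes = nresp * PTR_SIZE32;
    return 0;
}

/* Defensive variant: a protocol-level limit (assumed value) applied before
 * the multiplication, so the arithmetic never sees a huge operand. */
#define MAX_RESPONSES 100u

int response_bytes_limited(uint32_t nresp, uint32_t *bytes)
{
    if (nresp > MAX_RESPONSES)
        return -1;
    *bytes = nresp * PTR_SIZE32;
    return 0;
}

/* Yes/no views of the two checks. */
int checked_accepts(uint32_t nresp) { uint32_t b; return response_bytes_checked(nresp, &b) == 0; }
int limited_accepts(uint32_t nresp) { uint32_t b; return response_bytes_limited(nresp, &b) == 0; }

int main(void)
{
    uint32_t nresp = 0x40000020u, bytes;

    printf("nresp = 0x%08X (%u)\n", (unsigned)nresp, (unsigned)nresp);
    printf("unchecked allocation size: %u bytes\n",
           (unsigned)response_bytes_unchecked(nresp));
    if (response_bytes_checked(nresp, &bytes) != 0)
        printf("checked: rejected, size would overflow\n");
    if (response_bytes_limited(nresp, &bytes) != 0)
        printf("limited: rejected, count above MAX_RESPONSES\n");
    return 0;
}
```

Either check stops the 128-byte allocation; the cap is the stronger choice because it also prevents the loop that reads 0x40000020 strings from ever starting.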
Unsigned Integer Boundaries

• With unsigned integers, subtractions can cause a value to wrap under the minimum representable value of 0.
• The result of an underflow is typically a large positive number because of the modulus nature of unsigned integers.
Arithmetic Boundary Conditions (unsigned integers)

• A numeric overflow or underflow that occurs early in a block of code can lead to a subtle series of cascading faults; not only is the result of a single arithmetic operation tainted, but every subsequent operation using that tainted result introduces a point where an attacker might have unexpected influence.
• In general, auditors should be mindful of arithmetic boundary conditions when reviewing code and be sure to consider the possible implications of the subtle, cascading nature of these flaws.
Explosion of the Ariane 5

On June 4, 1996 an unmanned Ariane 5 rocket launched by the European Space Agency exploded just forty seconds after its lift-off from Kourou, French Guiana ($7 billion).

Reason: execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. The result was an internal SRI* software exception (altitude information).

source: http://www-users.math.umn.edu/~arnold/disasters/ariane.html
Signed Integer Boundaries

When an overflow or underflow condition occurs on signed integers:
- the result will wrap around the sign and cause a change in sign.

For example, a 32-bit number 2147483647 = 0x7FFFFFFF in hex.
If we add 1 to this number it will be 0x80000000, which is equivalent to -2147483648 decimal.
• 2147483632 + 256
• In this case, a large positive number plus a small positive number resulted in a large negative number.
Signed Integer Boundaries

This example reads an integer from the network and


performs some sanity checks on it.

First, the length is checked to ensure that it is positive.


Then the length is checked to ensure that it is less than
MAXCHARS.

In the second check, 1 is added to the length.


This opens an attack vector: A value of 0x7FFFFFFF passes
the first check (because it is greater than 0) and passes
the second length check (as 0x7FFFFFFF + 1 is
0x80000000, which is a negative value).

read() would then be called with an effectively


unbounded length argument, leading to a potential
buffer overflow.
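As an added example covering both the signed wrap-around slides (0x7FFFFFFF + 1, 2147483632 + 256) and the length check just described, the code below is this editor's, not the slide's. Because signed overflow is undefined behaviour in C, the wrapped value is computed in unsigned arithmetic and mapped back to the signed range, which reproduces what a twos complement machine typically produces without relying on undefined behaviour. It then shows the flawed check (length + 1 < MAXCHARS) beside a hardened one that bounds the untrusted value without doing arithmetic on it, and a general overflow-detecting add whose precondition cannot itself overflow. MAXCHARS is given an assumed value of 1024; the slide names the constant but not its value.

```c
#include <stdint.h>
#include <stdio.h>

#define MAXCHARS 1024   /* assumed buffer size; the slide does not give one */

/* The value a twos complement machine typically yields when a signed 32-bit
 * addition wraps.  The sum is formed in unsigned arithmetic (well defined)
 * and the bit pattern mapped back to int32_t without any overflowing step. */
int32_t add_wrapping32(int32_t a, int32_t b)
{
    uint32_t u = (uint32_t)a + (uint32_t)b;
    if (u > (uint32_t)INT32_MAX)                          /* sign bit set */
        return (int32_t)(u - 0x80000000u) + INT32_MIN;
    return (int32_t)u;
}

/* Overflow-detecting add: stores the sum and returns 1 only if it is
 * representable.  Neither comparison can overflow. */
int add_checked32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}

int add_fits32(int32_t a, int32_t b)
{
    int32_t r;
    return add_checked32(a, b, &r);
}

/* The slide's flawed sanity check: positive, and length + 1 below MAXCHARS.
 * The "+ 1" is performed on an attacker-chosen value, so 0x7FFFFFFF wraps
 * to a negative number and slips through. */
int length_ok_flawed(int32_t length)
{
    if (length <= 0)
        return 0;
    if (add_wrapping32(length, 1) >= MAXCHARS)
        return 0;
    return 1;
}

/* Hardened check: bound the value directly.  length < MAXCHARS - 1 is what
 * length + 1 < MAXCHARS was meant to express, but it cannot wrap. */
int length_ok_fixed(int32_t length)
{
    return length > 0 && length < MAXCHARS - 1;
}

int main(void)
{
    printf("0x7FFFFFFF + 1 wraps to %d\n", (int)add_wrapping32(INT32_MAX, 1));
    printf("2147483632 + 256 wraps to %d\n", (int)add_wrapping32(2147483632, 256));
    printf("0x7FFFFFFF passes flawed check: %d, fixed check: %d\n",
           length_ok_flawed(INT32_MAX), length_ok_fixed(INT32_MAX));
    return 0;
}
```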
Type Conversion

• Often it is surprising when you first learn how many implicit conversions occur behind the scenes in a typical C program.
• These automatic type conversions, known collectively as the default type conversions, occur almost magically when a programmer performs seemingly straightforward tasks, such as making a function call or comparing two numbers.
Figure: conversion of unsigned char to int (zero extension, big endian)


Integer Types: Widening

Sign extension:
  00 1010 = decimal positive 10
  0000 0000 0000 1010

  11 1111 0001 = decimal negative 15 (2's complement)
  1111 1111 1111 0001

By padding the left side with ones, the negative sign and the value of the original number are maintained.
Q. How will conversion of signed char (-5) to integer (sign extension, big endian) happen?
Integer Types: Widening

• Conversion of signed char to integer

Value-preserving?

• The bit representation of -5 in a signed char is 1111 1011.
• The bit representation of -5 in an int is 1111 1111 1111 1111 1111 1111 1111 1011.
Integer Types: Value-changing

• In a value-changing conversion, the old type can contain values that can't be represented in the new type.
• Convert int into an unsigned int (on a 32-bit machine):
  - int range [-2147483648 to 2147483647]
  - unsigned int range [0 to 4294967295]
• The unsigned int can't hold any of the negative values a signed int can represent.
Q. How will conversion of signed char (-5) to unsigned integer happen?



https://www.rapidtables.com/convert/number/decimal-to-binary.html

• The bit pattern is left alone, and the value is interpreted in the context of the new type.
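The following added example (this editor's code, not the slides') works through the conversions in this section: widening signed char -5 to int by sign extension, widening unsigned char by zero extension, the value-changing int to unsigned int conversion, and the signed char -5 to unsigned int case the question above asks about. It also shows why the "bit pattern left alone" rule matters for a comparison between an int and an unsigned int. It assumes the 32-bit int the slides use throughout; function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Widening signed char -> int is value-preserving: the compiler
 * sign-extends, so -5 (1111 1011) becomes 1111 ... 1111 1011, still -5. */
int widen_signed_char(signed char c)
{
    return c;                          /* implicit conversion */
}

/* Widening unsigned char -> int is zero-extended: 1111 1011 stays 251. */
int widen_unsigned_char(unsigned char c)
{
    return c;
}

/* Raw 32-bit pattern of an int, read out through its bytes.  Both copies
 * use the host's byte order, so the pattern is the same on any machine. */
uint32_t pattern_of_int(int v)
{
    uint32_t p;
    memcpy(&p, &v, sizeof p);
    return p;
}

/* Value-changing conversion: a negative int has no unsigned counterpart, so
 * C reduces it modulo 2^32.  The bit pattern is left alone and only the
 * interpretation changes: -1 becomes 4294967295. */
uint32_t int_to_unsigned(int v)
{
    return (uint32_t)v;
}

/* signed char -5 -> unsigned int: first sign-extended to int (-5), then that
 * negative value is reduced modulo 2^32, giving 4294967291 (0xFFFFFFFB). */
uint32_t signed_char_to_unsigned(signed char c)
{
    return (uint32_t)c;
}

/* The same rule applies in comparisons: when an int meets an unsigned int,
 * the int is converted to unsigned first, so -1 is no longer "less than 1".
 * The explicit cast here is the conversion the compiler inserts implicitly. */
int less_than_unsigned_one(int v)
{
    return (unsigned int)v < 1u;
}

/* Byte order of the host, for the "big endian" remark on the slides
 * (returns 1 on a little-endian machine such as Intel). */
int host_is_little_endian(void)
{
    int one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);           /* lowest-addressed byte of the int */
    return first == 1;
}

int main(void)
{
    signed char sc = -5;
    int widened = widen_signed_char(sc);
    unsigned char raw[sizeof widened];

    memcpy(raw, &widened, sizeof raw);
    printf("signed char -5 widened to int: %d, pattern 0x%08X, bytes in memory:",
           widened, (unsigned)pattern_of_int(widened));
    for (size_t i = 0; i < sizeof raw; i++)
        printf(" %02x", raw[i]);
    printf(" (%s-endian host)\n", host_is_little_endian() ? "little" : "big");

    printf("unsigned char 0xFB widened to int: %d\n", widen_unsigned_char(0xFB));
    printf("signed char -5 to unsigned int: %u\n", (unsigned)signed_char_to_unsigned(sc));
    printf("-1 < 1u evaluates to %d\n", less_than_unsigned_one(-1));
    return 0;
}
```

The comparison case is the one that turns up in real bugs: a signed length that is checked with `len < sizeof(buf)` is silently converted to unsigned, so a negative value passes the check as a very large number.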
