Article

Understanding integer overflow in C/C++

Authors:

Vikram AdveAuthors Info & Claims

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

Pages 760 - 770

Published: 02 June 2012 Publication History

Abstract

Integer overflow bugs in C and C++ programs are difficult to track down and may lead to fatal errors or exploitable vulnerabilities. Although a number of tools for finding these bugs exist, the situation is complicated because not all overflows are bugs. Better tools need to be constructed---but a thorough understanding of the issues behind these errors does not yet exist. We developed IOC, a dynamic checking tool for integer overflows, and used it to conduct the first detailed empirical study of the prevalence and patterns of occurrence of integer overflows in C and C++ code. Our results show that intentional uses of wraparound behaviors are more common than is widely believed; for example, there are over 200 distinct locations in the SPEC CINT2000 benchmarks where overflow occurs. Although many overflows are intentional, a large number of accidental overflows also occur. Orthogonal to programmers' intent, overflows are found in both well-defined and undefined flavors. Applications executing undefined operations can be, and have been, broken by improvements in compiler optimizations. Looking beyond SPEC, we found and reported undefined integer overflows in SQLite, PostgreSQL, SafeInt, GNU MPC and GMP, Firefox, GCC, LLVM, Python, BIND, and OpenSSL; many of these have since been fixed. Our results show that integer overflow issues in C and C++ are subtle and complex, that they are common even in mature, widely used programs, and that they are widely misunderstood by developers.

References

[1]

MITRE Corporation, "CVE-2002-0639: Integer overflow in sshd in OpenSSH," 2002, http://cve.mitre.org/cgibin/ cvename.cgi?name=CVE-2002-0639.

[2]

MITRE Corporation, "CVE-2010-2753: Integer overflow in Mozilla Firefox, Thunderbird and SeaMonkey," 2010, http://cve.mitre.org/cgibin/ cvename.cgi?name=CVE-2010-2753.

[3]

S. Christey, R. A. Martin, M. Brown, A. Paller, and D. Kirby, "2011 CWE/SANS Top 25 Most Dangerous Software Errors," MITRE Corporation, Tech. Report, September 2011, http://cwe.mitre.org/top25.

[4]

D. Brumley, T. Chiueh, R. Johnson, H. Lin, and D. Song, "RICH: Automatically protecting against integer-based vulnerabilities," in Proc. of the Symp. on Network and Distributed Systems Security (NDSS), San Diego, CA, USA, Feb. 2007.

[5]

"clang: a C language family frontend for LLVM," http://clang.llvm.org/; accessed 21-Sept-2011.

[6]

ISO, ISO/IEC 14882:2011: Programming languages -- C++. International Organization for Standardization, 2011. {Online}. Available: http://www.iso.org/iso/iso_catalogue/ catalogue_tc/catalogue_detail.htm?csnumber=50372

[7]

D. LeBlanc, "Integer handling with the C++ SafeInt class," 2004, http://msdn.microsoft.com/library/default.asp? url=/library/en-us/dncode/html/secure01142004.asp.

[8]

D. LeBlanc, "Author's blog: Integer handling with the C++ SafeInt class," http://safeint.codeplex.com/.

[9]

C. Lattner and V. Adve, "LLVM: A compilation framework for lifelong program analysis & transformation," in Proc. of the 2004 Intl. Symp. on Code Generation and Optimization (CGO'04), Palo Alto, CA, USA, Mar. 2004.

Digital Library

[10]

CERT, "IntegerLib, a secure integer library," 2006, http://www.cert.org/secure-coding/IntegerLib.zip.

[11]

D. Hodges, "Why do Pinky and Inky have different behaviors when Pac-Man is facing up?" Dec. 2008, http://donhodges.com/pacman_pinky_explanation.htm; accessed 21-Sept-2011.

[12]

Wikipedia, "Pac-Man," 2011, http://en.wikipedia.org/w/ index.php?title=Pac-Man&oldid=450692749#Split-screen; accessed 21-Sept-2011.

[13]

S. Christey and R. A. Martin, "Vulnerability type distributions in CVE," MITRE Corporation, Tech. Report, May 2007, http://cwe.mitre.org/documents/vuln-trends.html.

[14]

Wikipedia, "Arbitrary-precision arithmetic," 2011, http://en.wikipedia.org/wiki/Arbitrary-precision_arithmetic; accessed 21-Sept-2011.

[15]

MITRE Corporation, "Common Vulnerability and Exposures," http://cve.mitre.org/.

[16]

P. Chen, Y. Wang, Z. Xin, B. Mao, and L. Xie, "Brick: A binary tool for run-time detecting and locating integer-based vulnerability," in Proc. of the 4th Intl. Conf. on Availability, Reliability and Security, Fukuoka, Japan, Mar. 2009, pp. 208- 215.

[17]

N. Nethercote and J. Seward, "Valgrind: A program supervision framework," in Proc. of the 3rd Workshop on Runtime Verification, Boulder, CO, Jul. 2003.

[18]

D. Molnar, X. C. Li, and D. A. Wagner, "Dynamic test generation to find integer bugs in x86 binary Linux programs," in Proc. of the 18th USENIX Security Symposium, 2009, pp. 67-82.

Digital Library

[19]

T. Wang, T. Wei, Z. Lin, and W. Zou, "IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution," in Proc. of the 16th Network and Distributed System Security Symp., San Diego, CA, USA, Feb. 2009.

[20]

R. B. Dannenberg, W. Dormann, D. Keaton, R. C. Seacord, D. Svoboda, A. Volkovitsky, T. Wilson, and T. Plum, "Asif infinitely ranged integer model," in Proc. of the 21st Intl. Symp. on Software Reliability Engineering (ISSRE 2010), San Jose, CA, USA, Nov. 2010, pp. 91-100.

Digital Library

Cited By

Chen XRoychoudhury APaiva AAbreu RStorey M(2024)IntTracer: Sanitization-aware IO2BO Vulnerability Detection across CodebasesProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3641223(447-449)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3641223
Shen Z(2021)The Impact of Undefined Behavior on Compiler OptimizationProceedings of the 2021 European Symposium on Software Engineering10.1145/3501774.3501781(45-50)Online publication date: 19-Nov-2021
https://dl.acm.org/doi/10.1145/3501774.3501781
Huang ZYu X(2021)Integer Overflow Detection with Delayed Runtime TestProceedings of the 16th International Conference on Availability, Reliability and Security10.1145/3465481.3465771(1-6)Online publication date: 17-Aug-2021
https://dl.acm.org/doi/10.1145/3465481.3465771
Show More Cited By

Recommendations

Understanding Integer Overflow in C/C++

Integer overflow bugs in C and C++ programs are difficult to track down and may lead to fatal errors or exploitable vulnerabilities. Although a number of tools for finding these bugs exist, the situation is complicated because not all overflows are ...
Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat
ESORICS 2010

One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. ...
Integer Overflow Detection with Delayed Runtime Test
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Detecting integer overflow vulnerabilities is critical for software security. Many techniques have been proposed to dynamically detect integer overflow vulnerabilities by instrumenting integer overflow tests into target programs. Their major drawback is ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '12: Proceedings of the 34th International Conference on Software Engineering

June 2012

1657 pages

ISBN:9781467310673

General Chair:
Martin Glinz,
Program Chairs:
Gail Murphy,
Mauro Pezzè

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

IEEE Press

Publication History

Published: 02 June 2012

Check for updates

Qualifiers

Article

Conference

ICSE '12

Sponsor:

SIGSOFT

ICSE '12: 34th International Conference on Software Engineering

June 2 - 9, 2012

Zurich, Switzerland

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

48
Total Citations
View Citations
870
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chen XRoychoudhury APaiva AAbreu RStorey M(2024)IntTracer: Sanitization-aware IO2BO Vulnerability Detection across CodebasesProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3641223(447-449)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3641223
Shen Z(2021)The Impact of Undefined Behavior on Compiler OptimizationProceedings of the 2021 European Symposium on Software Engineering10.1145/3501774.3501781(45-50)Online publication date: 19-Nov-2021
https://dl.acm.org/doi/10.1145/3501774.3501781
Huang ZYu X(2021)Integer Overflow Detection with Delayed Runtime TestProceedings of the 16th International Conference on Availability, Reliability and Security10.1145/3465481.3465771(1-6)Online publication date: 17-Aug-2021
https://dl.acm.org/doi/10.1145/3465481.3465771
Rigger MSu Z(2020)Finding bugs in database systems via query partitioningProceedings of the ACM on Programming Languages10.1145/34282794:OOPSLA(1-30)Online publication date: 13-Nov-2020
https://dl.acm.org/doi/10.1145/3428279
Li ZWang JSun MLui J(2019)Securing the Device Drivers of Your Embedded SystemsProceedings of the 14th International Conference on Availability, Reliability and Security10.1145/3339252.3340506(1-10)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3339252.3340506
Rigger MMarr SAdams BMössenböck HDumas MPfahl DApel SRusso A(2019)Understanding GCC builtins to develop better toolsProceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3338906.3338907(74-85)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1145/3338906.3338907
Gao JLiu HLiu CLi QGuan ZChen ZMussbacher GAtlee JBultan T(2019)EasyFlowProceedings of the 41st International Conference on Software Engineering: Companion Proceedings10.1109/ICSE-Companion.2019.00029(23-26)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICSE-Companion.2019.00029
Rigger MMarr SKell SLeopoldseder DMössenböck H(2018)An Analysis of x86-64 Inline Assembly in C ProgramsACM SIGPLAN Notices10.1145/3296975.318641853:3(84-99)Online publication date: 25-Mar-2018
https://dl.acm.org/doi/10.1145/3296975.3186418
Khalsan MAgyeman M(2018)An Overview of Prevention/Mitigation against Memory Corruption AttackProceedings of the 2nd International Symposium on Computer Science and Intelligent Control10.1145/3284557.3284564(1-6)Online publication date: 21-Sep-2018
https://dl.acm.org/doi/10.1145/3284557.3284564
Wang WLu KYew PLie DMannan MBackes MWang X(2018)Check It AgainProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243844(1899-1913)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243844
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents