Project topic: Static Analysis for Detecting Integer Overflow in C Programs
Team Member
Introduction
The representation of an integer in computer systems is limited by its memory storage; for example, a typical integer is stored in a memory cell that contains 32 bits. Thus, the range of numbers that can be saved in a 32-bit integer is 0 to 2^32-1 (unsigned) or -2^31 to 2^31-1 (signed). An extremely *large* number, e.g., 2^32+1 (unsigned), or *small* number, e.g., -2^31-1 (signed), cannot be represented directly by a 32-bit integer and is usually reduced modulo 2^32 (unsigned) or 2^31 (signed), which we call an "integer overflow". Unfortunately, there is no easy way (such as a hardware exception) to tell at runtime whether an integer has "overflowed" when the program performs integer arithmetic operations. When the integer is used as the offset of a pointer to access memory, an "overflowed" integer may let the program access an unexpected memory location, which is obviously a potential vulnerability in the program.
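The wrap-around described above, and the kind of check a program needs because the hardware raises no exception, as an added C example that is not part of this project's code or the Cqual tool. The checked-arithmetic helpers and the record-buffer allocator (alloc_records, a hypothetical name) are assumptions for illustration; the point is that the check must run before the arithmetic, since for signed integers the overflowing operation itself is undefined behaviour in C.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Checked unsigned 32-bit addition: returns false if a + b would wrap. */
bool checked_add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (b > UINT32_MAX - a) return false;
    *out = a + b;
    return true;
}

/* Checked unsigned 32-bit multiplication: returns false if a * b would wrap. */
bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (a != 0 && b > UINT32_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Checked signed 32-bit addition. The range test is done on the operands,
   so the overflowing add (undefined behaviour in C) is never executed. */
bool checked_add_s32(int32_t a, int32_t b, int32_t *out) {
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b)) return false;
    *out = a + b;
    return true;
}

/* Unchecked size computation, for comparison: the product silently wraps
   modulo 2^32, so a large count can yield a tiny byte count. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Hypothetical allocator for 'count' records of 'elem_size' bytes each.
   Refuses (returns NULL) instead of allocating a buffer that is far
   smaller than the caller will later index into. */
void *alloc_records(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (!checked_mul_u32(count, elem_size, &bytes)) return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed input: 0x40000001 records of 4 bytes is 2^32 + 4 bytes. */
    uint32_t count = 0x40000001u, size = 4;
    printf("unchecked size: %u bytes\n", unchecked_size(count, size)); /* 4 */
    void *p = alloc_records(count, size);
    printf("checked allocation: %s\n", p ? "allocated" : "refused");
    free(p);
    return 0;
}
```

Note that the unchecked product 0x40000001 * 4 wraps to 4, so a naive malloc would succeed with a 4-byte buffer while the caller believes it holds 2^30 records; the checked version refuses instead.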
Research Issues
Integer overflow, though well known for years, has not been thoroughly studied. Oded Horovitz [Phrack60-0x09] and blexim [Phrack60-0x0a] have studied several types of integer overflow vulnerabilities and exploits. Unfortunately, there is no well-known approach or tool to automatically detect and prevent integer overflow vulnerabilities. There are several questions we want to answer: (1) is there a complete classification of all types of integer overflow vulnerabilities, (2) can we build formal models for integer overflow vulnerabilities, (3) is there a way to detect potential integer overflow vulnerabilities in C programs using static analysis techniques, and (4) what are the effectiveness and performance of the static analysis approach?
We plan to explore our approach using Cqual...
Project Schedule
Selected Known Vulnerabilities
References
As always, Phrack is the ultimate place for vulnerability and exploits techniques.
Static Analysis in related areas