INTRODUCTION TO INTEGER OVERFLOWS

  • An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside the range that can be represented with a given number of digits - either larger than the maximum or lower than the minimum

LEARNING OBJECTIVES

  • understand basic concepts of exploiting a binary file(executable) by bypassing ASLR

references

1

2

3

Variable Type Specifiers and Modifiers

  • in most programming languages, values are stored in variables which have a certain type eg char, int , float, double
  • in addition to thes, above type types there are 4 type modifiers eg signed, unsigned , short, long
  • types and modifiers decides the values that the variable can store.

Ariane 5 Rocket Crash

  • if we have a signed int variable , say x and we try to put in a value that is mroe than the maximum or minimuma allowed value for a signed int, it will overflow.
 _int main(void) {  
 int x = 0x180000000;  
 printf (“%d\n”, x);  
 return 0;  
 }_
  • In the code above , when we run gcc we get an overflow warning
  • C looked at 32 bits and discarded the value at the 33rd bit and above. This is a case of truncation which was caused due to truncation
  • This is the case of the Ariane 5 rocket which crashed because of a small computer program that tried to stuff a 64-bit number into a 16-bit space

Integer Overflow

  • overflow vulns are especially dangerous because they may lead to program instability even under normal operations
 _int main(void) {  
 int num1 = 0x7fffffff;  
 int num2 = 0x1;  
 int addition_result = num1 + num2;  
 printf (“%d\n”, addition_result);_

 _unsigned int num3 = 0xffffffff;  
 unsigned int num4 = 0x1;  
 unsigned int uaddition_result = num3 + num4;  
 printf (“%u\n”, uaddition_result);_

 _return 0;  
 }_
  • In the above example, addition_result is expected to be 0x80000000 or 2,147,483,648 and uaddition_result is expected to be 0x100000000 or 4,294,967,296.
  • The actual values are
-2147483648
0

What happened ?

  • When 0x1 was added to 0x7fffffff, the result became 0x80000000. So, why did this cause an overflow? The answer could still be represented in 32 bits. Actually, no. For signed int type, the number of bits available for the value is 31 bits because the 32nd bit is the sign bit. In this case, the 32nd bit was also required to represent the sum and that caused an overflow.
  • In unsigned int addition, the 33rd bit was required to represent the sum and thus caused an overflow.

Multiplication

a challenge from picoctf 2018

int main(){
if(number_flags > 0){
int total_cost = 0;
total_cost = 1000*number_flags;
printf(“\nYour total cost is: %d\n”, total_cost);
if(total_cost <= account_balance){
account_balance = account_balance — total_cost;
printf(“\nYour new balance: %d\n\n”, account_balance);
}
else{
printf(“Not enough funds\n”);
}

  • The integer overflow due to multiplication is in the total_cost = 1000 * number_flags
  • If the product value exceeded the range of positive values possible for signed int variable, the result would become negative