[2019] INFR11098 SECURE PROGRAMMING - Final Exam - Q1 Integer Conversion
1. This question is about integer conversions and their impact on software security. Recall that when casting from a small datatype to a larger one, conversion may be a zero extension, where higher bits are zeroed, or a sign extension, where the top bit (the sign bit in two’s complement) is copied into higher bits. The picture below shows sign extension of 32-bit integers to 64-bit integers:
(a) Give two reasons why sign extension is a concern for secure programming. [2 marks]
(b) For the byte 0xF0, show two 32-bit conversions: zero extended to unsigned int, and sign-extended to int. State the corresponding decimal values. [2 marks]
(c) Consider the following C language functions. For each function, explain whether or not you consider it has a sign-related vulnerability, and if there is one, how to fix it
i. int readnet(int socketfd){
int length;
char buffer[1024];
length = get_user_length(socketfd);
if (length > 1024) {
error(“Input size too large\n”); return -1;
} else {
error(“Format error\n”); return -1;
}
return 0;
}
ii. char *readnet(int socketfd) {
char* buffer;
if (!(buffer = (char*) malloc(MAXCHARS))) {
dia(“Couldn’t malloc\n”);
}
int length = get_user_length(socketfd);
if (length < 0 || length + 1 >= MAXCHARS) {
free(buf); die(“Bad input size\n”);
}
if (read(socketfd, buffer, length) <= 0) {
free(buf); die(“Format error\n”);
}
return buf;
}
iii. static const char table[UCHAR_MAX] = {‘a’, ‘b’ /* more … */};
ptrdiff_t first_not_in_table(const char *c_str) {
for (const char *s = c_str; *s; ++s) {
if (table[(unsigned int) * s] != *s){
return s - c_str;
}
}
return -1;
}
(d) A static analysis tool to help avoid sign extension vulnerabilities is being designed. It works on an intermediate representation (IR) with registers of different sizes. Arithmetic and logic operations require operands of equal bitsize and explicit operations for sign extension, SXTB, and zero extension, ZXTB, extend an argument register from b < B to B bits.
The analysis uses types to track the upper and sign bits, shown below:
A arbitrary contents in upper B - b bits
Z zero in upper B - b bits
S upper B - b bits are equal to the b-value sign bit
ZS both upper B - b bits and b-value sign bit are zero
Type checking rules for the IR track the signed status of registers, approximately but as closely as possible. Memory locations are not tracked so are assumed to have type A. To simplify, we may consider the fixed case when b = 16, B = 32. Here is a partial table of typing rules:
ZXT A = Z
ZXT Z = ?
ZXT S = Z
ZXT ZS = ZS
SXT A = S
SXT Z = ?
SXT S = S
SXT ZS = ZS
Z + Z = A
Z + S = ?
ZS + ZS = Z
ZS - ZS = ?
S / S = S
Z AND A = ?
ZS OR ZS = ZS
ZS OR ZS = ZS
S LRS A = ?
S SRS A = S
(LRS denotes logical right shift, SRS denotes arithmetic right shift).
Answer the following questions concerning this security analysis.
i. Give an example value that has type Z but not S. [1 mark]
ii. Register R16 is an 16-bit register containing 0x40FF loaded from memory. What types are given to SXT32R16 and ZXT32R16? [2 marks]
iii. The typing rules can be used to spot “odd” operations in code. Explain two examples of typing rules which might arise from faulty code. [2 marks]
iv. What other type of programming vulnerability do you think an analysis like this might be able to warn about or rule out? [1 mark]
v. Complete the table given above by filling in the ? cases (in your answers, please write the complete rule). [6 marks]
Get the Solution to This Question
WeChat
WhatsApp
