
	Home > Ask the Software Quality Experts > Application Security Questions & Answers > Understanding and preventing integer overflows

Ask The Software Quality Expert: Questions & Answers

EMAIL THIS

Understanding and preventing integer overflows

EXPERT RESPONSE FROM: Jeff Williams

		Pose a Question

		Other Software Quality Categories

		Meet all Software Quality Experts
		Become an Expert for this site

Software quality news and advice

Digg This! StumbleUpon Del.icio.us

QUESTION POSED ON: 02 June 2006
What are integer overflows? How do they differ from buffer overflows? What kind of damage do they cause and how can I prevent them?

EXPERT RESPONSE
An integer overflow occurs whenever a computer program tries to store an integer into a register or variable that isn't large enough to hold that value. Generally, the size of these locations is determined by the size of the register on the processor being used, usually 32 bits. Buffer overflows are a different sort of exploit. (For an introduction to buffer overflows, see the chapter on buffer overflows from the OWASP Guide to Building Secure Web Applications and Web Services.)

Math operations such as addition, multiplication and shifts can produce a result that is too large to store -- an integer overflow. Depending on the compiler, this integer overflow can result in a sign error, truncating the largest or smallest portion of the result, or another type of error. An integer overflow could lead to a security problem if the overflow affects the value of a pointer that references other code or data in memory. An attack could exploit the integer overflow in a way that allows execution of arbitrary code, resulting in a complete takeover of the vulnerable program's process.

These flaws can be extremely tricky to find and eliminate. The best approach is to use a safe integer class that has been built to avoid these problems. David LeBlanc's column "Integer Handling with the C++ SafeInt Class" provides a detailed mathematical analysis of integer overflows.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Threat modeling
	Web application security and the PCI DSS
	The essentials of Web application threat modeling
	How to implement security in Java EE and Java ME
	Application security shouldn't involve duct tape, Band-Aids or bubble gum
	Stop SQL injection attacks on applications
	How to counter XSS attacks
	Breaking the same origin barrier of JavaScript
	Protection against "zero-minute" exploits
	Denial of service and Ajax
	CSRF attack vector with Ajax serialization

Software security testing and techniques

Recipe for successful Web application security testing

Software quality needs to be a continuous process

Cloud computing's effect on application security

Web Security Testing Cookbook sample recipe

Ajax website security: Don't trust the client

PCI compliance falls short of assuring website security

Be aware of SOA application security issues

Browser security a concern for website development

Static analysis at the end of the SDLC doesn't work

Website security improved, but more can be done

Application Security

Top tools for testing Web application security

How to prevent HTTP response splitting

PCI DSS compliance: WAF, code review or both?

Application security careers have bright future

How to prevent anti-DNS pinning attacks

Open source application security testing tools

Java application security features and measures

Web application security testing basics

Password recovery with .NET 2.O using C#

Free load and performance testing tools

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Software Quality - Software Maintenance, Software Requirements, Software Standards

SEARCH

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2006 - 2008, TechTarget \| Read our Privacy Policy