界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
Integer Overflow
Abstract
如果沒有對 Integer Overflow 進行說明的話,可能會導致邏輯錯誤或 Buffer overflow。
Explanation
Integer Overflow 錯誤通常發生在程式未能明確說明這一事實的情況下:一個算術運算可能導致一個數值大於資料類型的最大值或者小於資料類型的最小值。當使用者輸入的資料需要在有符號數與無符號數之間隱含的進行轉換時,就可能會產生一些錯誤,而這些錯誤經常會導致記憶體分配函數產生問題。如果攻擊者能夠使程式分配記憶體不足或是在進行記憶體操作時,將一個有符號數作為無符號數來處理,這些都將使程式容易出現緩衝區溢位的情況。
範例 1:以下程式碼摘自 OpenSSH 3.3,顯示典型的 Integer Overflow 案例:
若
範例 2:此範例處理的是由一系列長度可變的結構構成的使用者輸入。輸入的前 2 個位元組指示要處理的結構的大小。
程式設計人員已設定結構大小的上限:若其大於
範例 1:以下程式碼摘自 OpenSSH 3.3,顯示典型的 Integer Overflow 案例:
nresp = packet_get_int();
if (nresp > 0) {
response = xmalloc(nresp*sizeof(char*));
for (i = 0; i < nresp; i++)
response[i] = packet_get_string(NULL);
}
若
nresp 的值為 1073741824,且 sizeof(char*) 的典型值為 4,則 nresp*sizeof(char*) 運算的結果將發生溢位,xmalloc() 的引數將是 0。多數 malloc() 實作會允許配置 0 個位元組的緩衝區,導致隨後的迭代循環發生堆積緩衝區 response 溢位。範例 2:此範例處理的是由一系列長度可變的結構構成的使用者輸入。輸入的前 2 個位元組指示要處理的結構的大小。
char* processNext(char* strm) {
char buf[512];
short len = *(short*) strm;
strm += sizeof(len);
if (len <= 512) {
memcpy(buf, strm, len);
process(buf);
return strm + len;
} else {
return -1;
}
}
程式設計人員已設定結構大小的上限:若其大於
512,則不會處理輸入。問題在於,len 是有符號的整數,因此針對結構長度上限的檢查會使用有符號的整數來執行,但是 len 將轉換為無符號的整數以呼叫 memcpy()。若 len 是負數,似乎結構大小適當 (將使用 if 分支語句),但是 memcpy() 所複製的記憶體量會很大,攻擊者可以針對 strm 中的資料產生堆疊溢位。References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cpp.integer_overflow
Abstract
如果沒有對 Integer Overflow 進行說明的話,可能會導致邏輯錯誤或緩衝區溢位。
Explanation
Integer Overflow 錯誤通常發生在程式未能明確說明這一事實的情況下:一個算術運算可能導致一個數值大於資料類型的最大值或者小於資料類型的最小值。當使用者輸入的資料需要在有符號數與無符號數之間隱含的進行轉換時,就可能會產生一些錯誤,而這些錯誤經常會導致記憶體分配函數產生問題。如果攻擊者能夠使程式分配記憶體不足或是在進行記憶體操作時,將一個有符號數作為無符號數來處理,這些都將使程式容易出現緩衝區溢位的情況。
範例 1:以下程式碼摘錄顯示典型的 Integer Overflow 案例:
若
範例 1:以下程式碼摘錄顯示典型的 Integer Overflow 案例:
77 accept-in PIC 9(10).
77 num PIC X(4) COMP-5. *> native 32-bit unsigned integer
77 mem-size PIC X(4) COMP-5.
...
ACCEPT accept-in
MOVE accept-in TO num
MULTIPLY 4 BY num GIVING mem-size
CALL "CBL_ALLOC_MEM" USING
mem-pointer
BY VALUE mem-size
BY VALUE 0
RETURNING status-code
END-CALL
若
num 的值為 1073741824,則 MULTIPLY 4 BY num 運算的結果將發生溢位,malloc() 的 mem-size 引數將是 0。多數 malloc() 實作會允許配置 0 個位元組的緩衝區,導致後續陳述式中的堆積緩衝區 mem-pointer 出現溢位。References
[1] blexim Basic Integer Overflows Phrack
[2] D. Plakosh Coding Flaws That Lead to Security Failures 2nd Annual Hampton University Information Assurance Symposium
[3] Les Hatton Safer C: Developing Software for High-integrity and Safety-critical Systems McGraw-Hill Companies
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190, CWE ID 191
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 7.5, Rule 7.6, Rule 21.18
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 5-19-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 682
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Smart Contract Weakness Classification SWC-101
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)
desc.dataflow.cobol.integer_overflow