Abstract: The subtleties of correctly processing integers confront developers with a multitude of pitfalls that frequently result in severe software vulnerabilities. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, so that the migration of code is itself a notable security challenge. In this paper, we provide a high-level overview of integer-based vulnerabilities that originate in code which works as expected on 32-bit platforms but not on 64-bit platforms. The changed width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in existing software. To emphasize the lasting acuteness of this issue, we empirically evaluate the prevalence of these flaws in the scope of Debian stable (“Jessie”) and 200 popular open-source projects hosted on GitHub.
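The following C sketch is an added illustration, not code from the paper. It shows how a bounds check that is sound on a 32-bit platform can stop being sound on a 64-bit one. It assumes the common ILP32 and LP64 data models and simulates them with fixed-width types so it behaves the same on any host; all function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed models of the two data models (assumption: ILP32 and LP64).
 * unsigned int is 32 bits in both; size_t is 32 bits under ILP32 and
 * 64 bits under LP64. */
typedef uint32_t ilp32_size_t;
typedef uint64_t lp64_size_t;
typedef uint32_t uint_both;

#define BUF_CAP 64u /* capacity of a hypothetical destination buffer */

/* Legacy check as compiled for ILP32: storing a size_t in an unsigned int
 * loses nothing, so the comparison sees the real length. */
int legacy_check_ilp32(ilp32_size_t len) {
    uint_both n = len;
    return n <= BUF_CAP;
}

/* The same source compiled for LP64: the assignment now silently drops the
 * upper 32 bits before the bounds check runs. */
int legacy_check_lp64(lp64_size_t len) {
    uint_both n = (uint_both)len;
    return n <= BUF_CAP;
}

/* Hardened form: compare at the full width of the length type. */
int hardened_check_lp64(lp64_size_t len) {
    return len <= (lp64_size_t)BUF_CAP;
}

/* Detects whether narrowing to unsigned int would change the value. */
int narrowing_is_lossy(lp64_size_t len) {
    return (lp64_size_t)(uint_both)len != len;
}

int main(void) {
    /* Constructed input: a length above 4 GiB, which only becomes
     * representable once more memory is addressable. */
    lp64_size_t big = ((lp64_size_t)1 << 32) + 16;
    printf("len=%llu lossy=%d legacy_lp64=%d hardened_lp64=%d\n",
           (unsigned long long)big, narrowing_is_lossy(big),
           legacy_check_lp64(big), hardened_check_lp64(big));
    printf("ilp32 max len accepted=%d\n", legacy_check_ilp32(UINT32_MAX));
    return 0;
}
```

Compilers report the narrowing in `legacy_check_lp64` when the cast is left implicit and conversion warnings such as `-Wconversion` (GCC, Clang) are enabled.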
[1] Konrad Rieck, et al. Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-Bit Platforms. 2016, CCS.