Volume 6, Number 30 | March 7, 2008
Abstract: The integer data type is ostensibly very simple, but integers can easily overflow in a simple program. A malicious user can manipulate an unchecked integer input to overflow, which can produce a security breach. An integer overflow can cause a program to crash. In recent years, integer overflows resulted in more than two hundred recorded vulnerabilities. Integer overflow is a challenging topic to address when teaching C/C++ or Java in an introductory software development course. Most novice students are unaware that simple integer input or calculations can generate errors, or worse yet, silently deliver a vulnerability in a system. This paper describes laboratory exercises that inform students about the nuances of integer behavior and how these can lead to security vulnerabilities. We illustrate techniques that educators can use to teach students to discover integer overflows and replace them with robust code. Even at the introductory level, we can reinforce a secure coding frame of mind such that our students will never blindly trust user input or perform calculations that generate integer overflows.
Keywords: integer overflow, security education, introductory programming, secure programming, Java, C, C++
Download this issue: ISEDJ.6(30).Werner.pdf (Adobe PDF, 9 pages, 581 K bytes)
Preview the contents: Werner.j1.txt (ASCII txt, 22 K bytes)
Recommended Citation: Werner and Frank (2008). What Dick and Jane Don’t Know About Integers. Information Systems Education Journal, 6 (30). http://isedj.org/6/30/. ISSN: 1545-679X. (A preliminary version appears in The Proceedings of ISECON 2006: §2325. ISSN: 1542-7382.)