Integer Overflow: New algorithm neutralises this source of critical security vulnerability

By May 13, 2015

Faster and more powerful, a new algorithm developed by a team at MIT promises to detect and deal with this common computer bug, which is an old enemy of systems programmers.

In 1996 it indirectly caused the Ariane 5 rocket to explode: what computer experts refer to as integer overflow is one of the most common software bugs. Basically, an integer overflow occurs when an arithmetical operation attempts to create a numeric value that is too large to be represented within the available storage space. For example, if you are working on an image as part of a software programme, part of the memory is allocated to this file. If the number of pixels in the image exceeds the number allowed for that space, the programme is likely to crash, causing real problems. What happens is that the memory counter reverts to zero, similar to the way in which a car odometer resets to zero when you go over a certain number of miles.

An integer overflow resets the memory counter to zero. Photo: Jose-Luis Olivares/MIT

In order to deal with this scourge, Eric Lahtinen and his team at MIT have succeeded in developing a solution that is much more efficient than those that have been available to date. They have tested their new algorithm on open-source programmes. Currently available tools are able to detect three integer overflow bugs, whereas the new MIT algorithm found the three known bugs plus another eleven, making fourteen in all.

In addition to detection, however, the DIODE (an abbreviation for Directed Integer Overflow Detection) programme developed by the MIT team offers a means of spotting and reporting a value that is likely to trigger an integer overflow, thus providing developers with a valuable debugging tool. “DIODE provides an effective mechanism for finding dangerous integer overflows that affect memory allocation sites, the source of many critical security vulnerabilities,” explains Cristian Cadar, a senior lecturer in computing at Imperial College London, on the MIT News website. The DIODE programme could therefore help to add a vital extra level to software, website and digital tool security.
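The image example and the "memory allocation sites" mentioned above, as an added C illustration that is not code from the MIT team or from DIODE: a 32-bit size computation that wraps around like the odometer, next to a version that rejects such inputs before allocating. The function names and image dimensions are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: 32-bit unsigned arithmetic wraps modulo 2^32, so a huge
 * image can produce a tiny (or zero) byte count for the allocator. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: each multiplication is tested against the 32-bit limit first.
 * Returns false (and leaves *out untouched) if the size cannot be
 * represented, so the caller never allocates an undersized buffer. */
bool image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > UINT32_MAX / height)
        return false;                 /* width * height would wrap */
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / bpp)
        return false;                 /* pixels * bpp would wrap */
    *out = pixels * bpp;
    return true;
}

int main(void)
{
    /* Constructed dimensions: the true size is 4 GiB + 256 KiB. */
    uint32_t w = 0x10000, h = 0x4001, bpp = 4, n = 0;

    printf("unchecked size: %u bytes\n",
           (unsigned)image_bytes_unchecked(w, h, bpp));
    printf("checked: %s\n",
           image_bytes_checked(w, h, bpp, &n) ? "accepted" : "rejected");

    /* 65536 x 65536 pixels: the pixel count itself wraps to zero. */
    printf("65536x65536 unchecked: %u bytes\n",
           (unsigned)image_bytes_unchecked(65536, 65536, 4));
    return 0;
}
```

With the unchecked version an allocation for the constructed image would succeed at 262144 bytes, and later writes of the real pixel data would run past the end of that buffer.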

© L’Atelier BNP Paribas