The designer will ensure the application is not vulnerable to integer arithmetic issues.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16808	APP3550	SV-17808r1_rule	DCSQ-1	High

Description
Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible value, it could potentially become a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised and cause a denial of service. If the integer is used in data references, the data can become corrupt. Also, using the integer in memory allocation can cause buffer overflows, and a denial of service. Integers used in access control mechanisms can potentially trigger buffer overflows, which can be used to execute arbitrary code.

Description

Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible value, it could potentially become a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised and cause a denial of service. If the integer is used in data references, the data can become corrupt. Also, using the integer in memory allocation can cause buffer overflows, and a denial of service. Integers used in access control mechanisms can potentially trigger buffer overflows, which can be used to execute arbitrary code.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-17806r1_chk )
Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool or use static analysis tools that are known to find this class of vulnerability with few false positives. See section 5.4 of the Application Security and Development STIG for additional details. If the results are provided from a manual code review, the application representative will need to demonstrate how integer overflow vulnerabilities are identified during code reviews. 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify integer overflow vulnerabilities, it is a finding. Examples of integer overflow vulnerabilities can be obtained from the OWASP website.

Check Text ( C-17806r1_chk )

Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool or use static analysis tools that are known to find this class of vulnerability with few false positives. See section 5.4 of the Application Security and Development STIG for additional details.

If the results are provided from a manual code review, the application representative will need to demonstrate how integer overflow vulnerabilities are identified during code reviews.

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify integer overflow vulnerabilities, it is a finding.

Examples of integer overflow vulnerabilities can be obtained from the OWASP website.

Fix Text (F-17101r1_fix)
Modify the application and protect against integer overflow attacks.