The Proceedings of the Information Systems Education Conference 2006: §2325
Fri, Nov 3, 12:00 - 12:25, Bordeaux     Paper (refereed)
Recommended Citation: Werner, L A and C E Frank.  What Dick and Jane Don’t Know About Integers.  In The Proceedings of the Information Systems Education Conference 2006, v 23 (Dallas): §2325. ISSN: 1542-7382. (A later version appears in Information Systems Education Journal 6(30). ISSN: 1545-679X.)

What Dick and Jane Don’t Know About Integers

Refereed, 7 pages
Laurie A. Werner
Department of Computer and Information Technology
Miami University Hamilton
Hamilton, Ohio, USA

Charles E. Frank
Department of Computer Science
Northern Kentucky University
Highland Heights, Kentucky, USA

The integer data type is ostensibly very simple, but integers can easily overflow in a simple program. A malicious user can manipulate an unchecked integer input so that it overflows, which can produce a security breach. An integer overflow can also cause a program to crash. In recent years, integer overflows resulted in more than two hundred recorded vulnerabilities. Integer overflow is a challenging topic to address when teaching C/C++ or Java in an introductory software development course. Most novice students are unaware that simple integer input or calculations can generate errors or, worse yet, silently introduce a vulnerability into a system. This paper describes laboratory exercises that inform students about the nuances of integer behavior and how these can lead to security vulnerabilities. We illustrate techniques that educators can use to teach students to discover integer overflows and replace them with robust code. Even at the introductory level, we can reinforce a secure coding frame of mind such that our students will never blindly trust user input or perform calculations that generate integer overflows.

Keywords: integer overflow, security education, introductory programming, secure programming, Java, C, C++

Read this refereed paper in Adobe Portable Document (PDF) format. (7 pages, 433 K bytes)
Preview this refereed paper in Plain Text (TXT) format. (22 K bytes)
