Is divide-by-zero a security vulnerability?I've found security vulnerability in current linux distribution....

Why do members of Congress in committee hearings ask witnesses the same question multiple times?

What am I? I am in theaters and computer programs

I am on the US no-fly list. What can I do in order to be allowed on flights which go through US airspace?

Exponential growth/decay formula: what happened to the other constant of integration?

You'll find me clean when something is full

How to acknowledge an embarrassing job interview, now that I work directly with the interviewer?

Which aircraft had such a luxurious-looking navigator's station?

What is the wife of a henpecked husband called?

How to speed up a process

When does inspiration across artforms become plagiarism

Are small insurances worth it

How to mitigate "bandwagon attacking" from players?

What prevents the construction of a CPU with all necessary memory represented in registers?

Understanding Kramnik's play in game 1 of Candidates 2018

What to do when being responsible for data protection in your lab, yet advice is ignored?

How to count words in a line

Compare four integers, return word based on maximum

If a druid in Wild Shape swallows a creature whole, then turns back to her normal form, what happens?

Replacement ford fiesta radiator has extra hose

Does music exist in Panem? And if so, what kinds of music?

Significance and timing of "mux scans"

Creature spells vs. ability to convert a permanent into a creature

How to deny access to SQL Server to certain login over SSMS, but allow over .Net SqlClient Data Provider

Called into a meeting and told we are being made redundant (laid off) and "not to share outside". Can I tell my partner?



Is divide-by-zero a security vulnerability?


I've found security vulnerability in current linux distribution. What next?Vulnerability exploitation in Javawhere can I find list of zero day vulnerability?web security testing - vulnerability issueTrusted vulnerability database sourcevulnerability scanning softwareHow to detect Rowhammer vulnerability?Educational Security VulnerabilityIs there an estimation of the amount of zero-days out there?is SSRF attack or vulnerability?













25















Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question


















  • 2





    I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    16 hours ago






  • 3





    I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

    – Konrad Rudolph
    9 hours ago











  • Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

    – EvilSnack
    8 hours ago
















25















Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question


















  • 2





    I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    16 hours ago






  • 3





    I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

    – Konrad Rudolph
    9 hours ago











  • Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

    – EvilSnack
    8 hours ago














25












25








25


1






Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?










share|improve this question














Even though sometimes software bugs and vulnerabilities are deemed as the same concept, there must be at least one distinct aspect between them, and I think the most prominent one is exploitability (the latter one having the property).



What I'm curious about is, even after seeing many cases that divide-by-zero bugs are reported as software problems, I can hardly come up with any attack (other than DoS) using divide-by-zero bugs. I know not all kinds of bugs have the same impact upon a system in terms of security, but is there any attack method that uses divide-by-zero bugs to achieve something different than DoS, like privilege escalation for example?







exploit attacks vulnerability






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 21 hours ago









Gwangmu LeeGwangmu Lee

22826




22826








  • 2





    I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    16 hours ago






  • 3





    I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

    – Konrad Rudolph
    9 hours ago











  • Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

    – EvilSnack
    8 hours ago














  • 2





    I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

    – Ed Grimm
    16 hours ago






  • 3





    I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

    – Konrad Rudolph
    9 hours ago











  • Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

    – EvilSnack
    8 hours ago








2




2





I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

– Ed Grimm
16 hours ago





I have a vague memory of a CVE from many years ago that was at its core a divide by zero, but was a remote root arbitrary code bug. It was probably something like what John Deters described, but I don't remember enough to risk giving an answer.

– Ed Grimm
16 hours ago




3




3





I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

– Konrad Rudolph
9 hours ago





I’m assuming you’re talking about integer division by zero? Because IEEE 754 floating point division by zero is well-defined, and should therefore be unproblematic (but parts of what applies in the scenario of John Deters’ answer would also apply here).

– Konrad Rudolph
9 hours ago













Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

– EvilSnack
8 hours ago





Another takeaway I get from this question is that code review should ensure that the denominator is vetted prior to every divide operation. A zero denominator indicates some kind of error that needs to be investigated.

– EvilSnack
8 hours ago










9 Answers
9






active

oldest

votes


















43














At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



int myFunction(int a, int b, SomeState state) {

state(UNINITIALIZED);
try {
state.something(a/b);
state(NORMAL);
}
catch () {
state.something(b/a);
state(INVERTED);
}
return retval;
}


This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






share|improve this answer



















  • 30





    Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

    – Matthieu M.
    14 hours ago






  • 5





    I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

    – Zaibis
    12 hours ago






  • 2





    Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

    – vikingsteve
    10 hours ago








  • 17





    @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

    – Konrad Rudolph
    9 hours ago






  • 11





    AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

    – Ilmari Karonen
    9 hours ago



















8














Division by zero is not inherently a security vulnerability.



However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






share|improve this answer



















  • 6





    This was already mentioned in the question though.

    – JAD
    13 hours ago






  • 2





    @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

    – MSalters
    10 hours ago



















6














As the other answers are suggesting, it entirely depends on the whole system. That is not just the code, but the platform, language and compiler too.



For example in c++, division by zero on integers is undefined behaviour. One of the rules about that particular language is the compiler may assume that undefined behaviour will never occur, and is allowed to do anything if it does.



Anything includes crash with an error message and clean up, crash without an error message and leave everything in a weird state, or most terrifying try to keep going as if nothing has happened.



Now in practice most good modern compilers try to crash cleanly if they hit something like that, but this should make it clear why the assumption is that it is a vulnerability. If you just build your code with a different compiler or different settings, and don't even change the code, what the program does could go from a clean crash to wiping out your database.






share|improve this answer
























  • The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

    – supercat
    5 hours ago











  • ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

    – supercat
    5 hours ago



















5














While I sometimes say in my workshops and lectures that all security issues in software are essentially bugs, the reverse is not automatically true.



I would not, however, go to exploitability as an argument. Just because you and me can't figure out a way to exploit doesn't mean someone more crafty won't one day. We would have to provide a formal proof that it is not exploitable. Good luck with formal proofs in current programming languages.



So to answer your question: A division by zero could be a vulnerability or a part of it. Typically it will lead to an exception and thus termination of the software. This by itself could be important information for an attacker (he now knows that some variable was zero).



It is unlikely that the division by zero alone is a security vulnerability, but in a larger context it can be a part of the problem.



So, to close the loop, you should always treat all bugs seriously. If you cannot be sure (e.g. your division uses a variable you don't control) then you need to catch and handle it, security or not. "yeah, it's a bug but I don't see how it could be exploited" is not a security-conscious mindset.






share|improve this answer































    4














    I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



    Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






    share|improve this answer
























    • I'm definitely not satisfied with how intel Pentium II CPUs handled them.

      – Overmind
      8 hours ago











    • Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

      – securityOrange
      8 hours ago



















    3














    To add another contrived but based on real example:



    Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run an dos prompt (which was annoying if you e.g. needed to format a floppy disk). However, it was discovered that if you entered in a password more than X characters (i.e. just held down a key for a while), this would crash netware and drop the system back to ... a dos prompt. Most likely this was a buffer overrun, but the principle is the same: if you're dealing with a system (especially an embedded one) which handles at least some unexpected crashes by dropping you into a maintenance mode, then there is a security concern.






    share|improve this answer








    New contributor




    Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.




























      1














      I see where you are coming from on this. In it own right its difficult to see how just an arithmetic error could be used to cause anything that required data input (like code execution).



      However, depending on the language it could cause flow control issues or selectively crash threads etc. This is the sort of thing that allows you to compound other issues or if you're really (un)lucky, directly lead to triggering a pathway that causes double something exploitable. Remember the data entry and the bug don't necessarily have to be the same.



      This is a bit of a contrived, but say for example you moved an object already in a linked list by adding a copy to the head, and then iterating till you find it and remove the copy.
      If you do this is in a thread and for some reason (say someone puts a stats print statement in the iteration loop that's wrong), it's possible that will leave the list in a bad state with 2 copies of the same element.
      When this gets cleaned up: double free...



      If you can control the contents of this new element, and can make the stat result in a divide by zero and still control enough of the contents, this could well be exploitable.



      Not likely, but possible.






      share|improve this answer































        0














        If a program will only receive trustworthy data, and if it would not have to meet any behavioral requirements when given maliciously-crafted data, then it may be possible to generate slightly more efficient code than would be required if there were some behavioral requirements that it had to meet for all data.



        Because some tasks only involve processing trustworthy data, while others involve processing data from untrustworthy sources, the C Standard allows implementations that are intended only for the former tasks to make optimizations that would be inappropriate in those intended for the latter, and for those intended to be suitable for the latter tasks to offer guarantees that would unnecessarily impede optimizations that could be useful when processing the former.



        Unfortunately, the Standard provides no means by which implementations can indicate what kinds of behavioral guarantees they will offer beyond those mandated by the Standard. When C89 was written, the authors expected that "the marketplace" could do a better job than the authors of the Standard of determining what kinds of implementations should support what "popular extensions" by behaving at least somewhat predictably in cases where the Standard imposed no requirements, and such attitude has not changed even though it no longer fits today's compiler marketplace.



        Given something like:



        if (x != 0) launch_nuclear_missiles();
        ... and then, possibly in another function
        z=y/x;


        some people would view a compiler that replaces the "if" with an unconditional call to launch_nuclear_missiles() as superior to one that only calls launch_nuclear_missiles if x is non-zero, but such behavior would only be appropriate when processing tasks that will never involve untrustworthy input.



        If one knows that the compilers one is using will uphold the kinds of weak behavioral guarantees that general-purpose compilers used to offer as a matter of course, and which facilitate writing programs that could meet weak behavioral constraints even when given maliciously-crafted inputs, then division-by-zero might not pose security weaknesses. With aggressively-optimizing compilers that are not designed to be suitable for tasks involving untrustworthy input, however, it will be necessary to add enough safety-checking logic to negate any advantages such "optimizations" could have offered.






        share|improve this answer































          0














          Here is an example of where it might make a difference.



          It is 100% contrived - but many classes of exploits are identified by theoretical "contrived" examples, until specific examples are found.



          It is pseudo-code.



          try:
          get the average cpu usage per logged in user
          if this average is too high, tell the person logging on that we're busy.
          get login credentials
          verify login credentials
          if credentials are invalid, tell them to go away
          restrict access for this session to the correct access for this user
          if there is an exception:
          do nothing

          let the user in


          In this case the average cpu per logged in user, might be calculated as "total cpu / number of logged in users" - if there are no logged in users, you get "divide by 0", and it skips directly to the "if there is an exception" clause. This includes restricting access - the new session might have access matching the last user to log in, or unlimited access.



          While this example shows all the code together, often your main code will call something, which calls something else, and the two aspects that interact (in this case, division by 0, and the fact that the exception is ignored) may run in parts of the code which are a long way apart.



          As many people have mentioned, division by zero (on it's own) is not a security bug, or indeed a bug at all. As far as I'm aware, most (maybe all!) programming languages have clearly documented information as to what happens when division by zero occurs. I think pretty much every language that has exceptions, has an exception for division by zero (I have seen a mechanical calculator get stuck in an endless loop).






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204669%2fis-divide-by-zero-a-security-vulnerability%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            9 Answers
            9






            active

            oldest

            votes








            9 Answers
            9






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            43














            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






            share|improve this answer



















            • 30





              Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

              – Matthieu M.
              14 hours ago






            • 5





              I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

              – Zaibis
              12 hours ago






            • 2





              Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

              – vikingsteve
              10 hours ago








            • 17





              @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

              – Konrad Rudolph
              9 hours ago






            • 11





              AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

              – Ilmari Karonen
              9 hours ago
















            43














            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






            share|improve this answer



















            • 30





              Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

              – Matthieu M.
              14 hours ago






            • 5





              I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

              – Zaibis
              12 hours ago






            • 2





              Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

              – vikingsteve
              10 hours ago








            • 17





              @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

              – Konrad Rudolph
              9 hours ago






            • 11





              AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

              – Ilmari Karonen
              9 hours ago














            43












            43








            43







            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.






            share|improve this answer













            At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic flow might be sound and thoroughly tested, but an exception handler can be triggered by interrupts occurring anywhere in the code within its scope.



            int myFunction(int a, int b, SomeState state) {

            state(UNINITIALIZED);
            try {
            state.something(a/b);
            state(NORMAL);
            }
            catch () {
            state.something(b/a);
            state(INVERTED);
            }
            return retval;
            }


            This horrible pseudocode sort of illustrates one way the flaw could be exploited. Let's say that an uninitialized state is somehow vulnerable. If this routine is called, the state is first uninitialized. If b is zero, it catches the exception and tries to do some other logic. But if both a and b are zero, it throws again, leaving state uninitialized.



            The division by zero itself wasn't the vulnerability, it's the bad code around it that's possible to exploit.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 18 hours ago









            John DetersJohn Deters

            28k24392




            28k24392








            • 30





              Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

              – Matthieu M.
              14 hours ago






            • 5





              I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

              – Zaibis
              12 hours ago






            • 2





              Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

              – vikingsteve
              10 hours ago








            • 17





              @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

              – Konrad Rudolph
              9 hours ago






            • 11





              AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

              – Ilmari Karonen
              9 hours ago














            • 30





              Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

              – Matthieu M.
              14 hours ago






            • 5





              I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

              – Zaibis
              12 hours ago






            • 2





              Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

              – vikingsteve
              10 hours ago








            • 17





              @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

              – Konrad Rudolph
              9 hours ago






            • 11





              AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

              – Ilmari Karonen
              9 hours ago








            30




            30





            Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

            – Matthieu M.
            14 hours ago





            Note: in C and C++, division by 0 is straight up Undefined Behavior. The optimizer assumes it will not happen, and will thus assume that the divider is not 0 in the branch of execution containing the division. As usual, Undefined Behavior is very bad news from a reliability/security stand point :(

            – Matthieu M.
            14 hours ago




            5




            5





            I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

            – Zaibis
            12 hours ago





            I am working for 5 years as professional software developer and have already seen a lot of bad styles and even worse coding habits. But this is the first time I see code that uses exception handling as a functional feature. I hope I won't ever see that again o.O

            – Zaibis
            12 hours ago




            2




            2





            Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

            – vikingsteve
            10 hours ago







            Another important point is that a division by zero might trigger a stack trace that is visible to the attacker and then give them information about the system ("some fantastic" web server version a.b.c for example)

            – vikingsteve
            10 hours ago






            17




            17





            @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

            – Konrad Rudolph
            9 hours ago





            @Zaibis Similar code (i.e. exception handling as a regular control flow statement) is common and deemed idiomatic in some programming languages, e.g. to some extent in Python.

            – Konrad Rudolph
            9 hours ago




            11




            11





            AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

            – Ilmari Karonen
            9 hours ago





            AFAIK, it's even worse than @MatthieuM says: since division by zero is undefined behavior, the compiler is allowed to assume that b is never zero and eliminate the entire catch block as dead code. (It may also be able to initialize the state directly to NORMAL, since it can "prove" that state(NORMAL) is always executed, and state(INVERTED) never is.)

            – Ilmari Karonen
            9 hours ago













            8














            Division by zero is not inherently a security vulnerability.



            However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






            share|improve this answer



















            • 6





              This was already mentioned in the question though.

              – JAD
              13 hours ago






            • 2





              @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

              – MSalters
              10 hours ago
















            8














            Division by zero is not inherently a security vulnerability.



            However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






            share|improve this answer



















            • 6





              This was already mentioned in the question though.

              – JAD
              13 hours ago






            • 2





              @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

              – MSalters
              10 hours ago














            8












            8








            8







            Division by zero is not inherently a security vulnerability.



            However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.






            share|improve this answer













            Division by zero is not inherently a security vulnerability.



            However, if you can make an application server crash and stay offline by making it divide by zero, this may constitute a denial of service vulnerability.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 20 hours ago









            duskwuffduskwuff

            1,286410




            1,286410








            • 6





              This was already mentioned in the question though.

              – JAD
              13 hours ago






            • 2





              @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

              – MSalters
              10 hours ago














            • 6





              This was already mentioned in the question though.

              – JAD
              13 hours ago






            • 2





              @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

              – MSalters
              10 hours ago








            6




            6





            This was already mentioned in the question though.

            – JAD
            13 hours ago





            This was already mentioned in the question though.

            – JAD
            13 hours ago




            2




            2





            @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

            – MSalters
            10 hours ago





            @JAD: There seem to be two related classes pf denial-attacks. One, provide a single input such that the server state gets persistently corrupted. Two, provide repeated inputs that repeatedly crash the server. This answer seems to cover the first scenario (stay offline) while the question appears to cover the second. But they're definitely related.

            – MSalters
            10 hours ago











            6














            As the other answers are suggesting, it entirely depends on the whole system. That is not just the code, but the platform, language and compiler too.



            For example in c++, division by zero on integers is undefined behaviour. One of the rules about that particular language is the compiler may assume that undefined behaviour will never occur, and is allowed to do anything if it does.



            Anything includes crash with an error message and clean up, crash without an error message and leave everything in a weird state, or most terrifying try to keep going as if nothing has happened.



            Now in practice most good modern compilers try to crash cleanly if they hit something like that, but this should make it clear why the assumption is that it is a vulnerability. If you just build your code with a different compiler or different settings, and don't even change the code, what the program does could go from a clean crash to wiping out your database.






            share|improve this answer
























            • The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

              – supercat
              5 hours ago











            • ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

              – supercat
              5 hours ago
















            6














            As the other answers are suggesting, it entirely depends on the whole system. That is not just the code, but the platform, language and compiler too.



            For example in c++, division by zero on integers is undefined behaviour. One of the rules about that particular language is the compiler may assume that undefined behaviour will never occur, and is allowed to do anything if it does.



            Anything includes crash with an error message and clean up, crash without an error message and leave everything in a weird state, or most terrifying try to keep going as if nothing has happened.



            Now in practice most good modern compilers try to crash cleanly if they hit something like that, but this should make it clear why the assumption is that it is a vulnerability. If you just build your code with a different compiler or different settings, and don't even change the code, what the program does could go from a clean crash to wiping out your database.






            share|improve this answer
























            • The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

              – supercat
              5 hours ago











            • ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

              – supercat
              5 hours ago














            6












            6








            6







            As the other answers are suggesting, it entirely depends on the whole system. That is not just the code, but the platform, language and compiler too.



            For example in c++, division by zero on integers is undefined behaviour. One of the rules about that particular language is the compiler may assume that undefined behaviour will never occur, and is allowed to do anything if it does.



            Anything includes crash with an error message and clean up, crash without an error message and leave everything in a weird state, or most terrifying try to keep going as if nothing has happened.



            Now in practice most good modern compilers try to crash cleanly if they hit something like that, but this should make it clear why the assumption is that it is a vulnerability. If you just build your code with a different compiler or different settings, and don't even change the code, what the program does could go from a clean crash to wiping out your database.






            share|improve this answer













            As the other answers are suggesting, it entirely depends on the whole system. That is not just the code, but the platform, language and compiler too.



            For example in c++, division by zero on integers is undefined behaviour. One of the rules about that particular language is the compiler may assume that undefined behaviour will never occur, and is allowed to do anything if it does.



            Anything includes crash with an error message and clean up, crash without an error message and leave everything in a weird state, or most terrifying try to keep going as if nothing has happened.



            Now in practice most good modern compilers try to crash cleanly if they hit something like that, but this should make it clear why the assumption is that it is a vulnerability. If you just build your code with a different compiler or different settings, and don't even change the code, what the program does could go from a clean crash to wiping out your database.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 14 hours ago









            JosiahJosiah

            48114




            48114













            • The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

              – supercat
              5 hours ago











            • ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

              – supercat
              5 hours ago



















            • The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

              – supercat
              5 hours ago











            • ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

              – supercat
              5 hours ago

















            The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

            – supercat
            5 hours ago





            The last paragraph is dependent on one's definition of "good". Some people would regard a compiler that optimizes if (x != 0) launch_nuclear_missiles(); return 1/x; by making the function call unconditional as superior to one that doesn't. I would say that quality compilers which are designed to be suitable for tasks involving untrustworthy input should either crash or do nothing in response to a division by zero (if code computes z=y/x; but never uses z, a compiler that ignores x entirely should not generally be viewed as inferior to one that traps if it's zero), but...

            – supercat
            5 hours ago













            ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

            – supercat
            5 hours ago





            ...for tasks which will never involve untrustworthy input, looser semantics may be reasonable.

            – supercat
            5 hours ago











            5














            While I sometimes say in my workshops and lectures that all security issues in software are essentially bugs, the reverse is not automatically true.



            I would not, however, go to exploitability as an argument. Just because you and me can't figure out a way to exploit doesn't mean someone more crafty won't one day. We would have to provide a formal proof that it is not exploitable. Good luck with formal proofs in current programming languages.



            So to answer your question: A division by zero could be a vulnerability or a part of it. Typically it will lead to an exception and thus termination of the software. This by itself could be important information for an attacker (he now knows that some variable was zero).



            It is unlikely that the division by zero alone is a security vulnerability, but in a larger context it can be a part of the problem.



            So, to close the loop, you should always treat all bugs seriously. If you cannot be sure (e.g. your division uses a variable you don't control) then you need to catch and handle it, security or not. "yeah, it's a bug but I don't see how it could be exploited" is not a security-conscious mindset.






            share|improve this answer




























              5














              While I sometimes say in my workshops and lectures that all security issues in software are essentially bugs, the reverse is not automatically true.



              I would not, however, go to exploitability as an argument. Just because you and me can't figure out a way to exploit doesn't mean someone more crafty won't one day. We would have to provide a formal proof that it is not exploitable. Good luck with formal proofs in current programming languages.



              So to answer your question: A division by zero could be a vulnerability or a part of it. Typically it will lead to an exception and thus termination of the software. This by itself could be important information for an attacker (he now knows that some variable was zero).



              It is unlikely that the division by zero alone is a security vulnerability, but in a larger context it can be a part of the problem.



              So, to close the loop, you should always treat all bugs seriously. If you cannot be sure (e.g. your division uses a variable you don't control) then you need to catch and handle it, security or not. "yeah, it's a bug but I don't see how it could be exploited" is not a security-conscious mindset.






              share|improve this answer


























                5












                5








                5







                While I sometimes say in my workshops and lectures that all security issues in software are essentially bugs, the reverse is not automatically true.



                I would not, however, go to exploitability as an argument. Just because you and me can't figure out a way to exploit doesn't mean someone more crafty won't one day. We would have to provide a formal proof that it is not exploitable. Good luck with formal proofs in current programming languages.



                So to answer your question: A division by zero could be a vulnerability or a part of it. Typically it will lead to an exception and thus termination of the software. This by itself could be important information for an attacker (he now knows that some variable was zero).



                It is unlikely that the division by zero alone is a security vulnerability, but in a larger context it can be a part of the problem.



                So, to close the loop, you should always treat all bugs seriously. If you cannot be sure (e.g. your division uses a variable you don't control) then you need to catch and handle it, security or not. "yeah, it's a bug but I don't see how it could be exploited" is not a security-conscious mindset.






                share|improve this answer













                While I sometimes say in my workshops and lectures that all security issues in software are essentially bugs, the reverse is not automatically true.



                I would not, however, go to exploitability as an argument. Just because you and me can't figure out a way to exploit doesn't mean someone more crafty won't one day. We would have to provide a formal proof that it is not exploitable. Good luck with formal proofs in current programming languages.



                So to answer your question: A division by zero could be a vulnerability or a part of it. Typically it will lead to an exception and thus termination of the software. This by itself could be important information for an attacker (he now knows that some variable was zero).



                It is unlikely that the division by zero alone is a security vulnerability, but in a larger context it can be a part of the problem.



                So, to close the loop, you should always treat all bugs seriously. If you cannot be sure (e.g. your division uses a variable you don't control) then you need to catch and handle it, security or not. "yeah, it's a bug but I don't see how it could be exploited" is not a security-conscious mindset.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 13 hours ago









                TomTom

                5,471831




                5,471831























                    4














                    I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                    Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                    share|improve this answer
























                    • I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                      – Overmind
                      8 hours ago











                    • Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                      – securityOrange
                      8 hours ago
















                    4














                    I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                    Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                    share|improve this answer
























                    • I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                      – Overmind
                      8 hours ago











                    • Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                      – securityOrange
                      8 hours ago














                    4












                    4








                    4







                    I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                    Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.






                    share|improve this answer













                    I think ultimately your answer’s going to come down to the individual system in play. How does the system handle trying to divide by 0? If it’s elegant, then your attack options are limited or nonexistent. If it does something funky you can probably get in there with something.



                    Basically, no standard attacks can come out of this - that I’m aware of anyway - but computers can always handle bugs badly, and bad handling of bugs is the source of many vulnerabilities.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 21 hours ago









                    securityOrangesecurityOrange

                    64215




                    64215













                    • I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                      – Overmind
                      8 hours ago











                    • Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                      – securityOrange
                      8 hours ago



















                    • I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                      – Overmind
                      8 hours ago











                    • Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                      – securityOrange
                      8 hours ago

















                    I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                    – Overmind
                    8 hours ago





                    I'm definitely not satisfied with how intel Pentium II CPUs handled them.

                    – Overmind
                    8 hours ago













                    Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                    – securityOrange
                    8 hours ago





                    Divide-by-zero bugs are going to be in the application. If it makes it down to the CPU level, you’ve already got a problem.

                    – securityOrange
                    8 hours ago











                    3














                    To add another contrived but based on real example:



                    Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run an dos prompt (which was annoying if you e.g. needed to format a floppy disk). However, it was discovered that if you entered in a password more than X characters (i.e. just held down a key for a while), this would crash netware and drop the system back to ... a dos prompt. Most likely this was a buffer overrun, but the principle is the same: if you're dealing with a system (especially an embedded one) which handles at least some unexpected crashes by dropping you into a maintenance mode, then there is a security concern.






                    share|improve this answer








                    New contributor




                    Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.

























                      3














                      To add another contrived but based on real example:



                      Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run an dos prompt (which was annoying if you e.g. needed to format a floppy disk). However, it was discovered that if you entered in a password more than X characters (i.e. just held down a key for a while), this would crash netware and drop the system back to ... a dos prompt. Most likely this was a buffer overrun, but the principle is the same: if you're dealing with a system (especially an embedded one) which handles at least some unexpected crashes by dropping you into a maintenance mode, then there is a security concern.






                      share|improve this answer








                      New contributor




                      Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.























                        3












                        3








                        3







                        To add another contrived but based on real example:



                        Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run an dos prompt (which was annoying if you e.g. needed to format a floppy disk). However, it was discovered that if you entered in a password more than X characters (i.e. just held down a key for a while), this would crash netware and drop the system back to ... a dos prompt. Most likely this was a buffer overrun, but the principle is the same: if you're dealing with a system (especially an embedded one) which handles at least some unexpected crashes by dropping you into a maintenance mode, then there is a security concern.






                        share|improve this answer








                        New contributor




                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.










                        To add another contrived but based on real example:



                        Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run an dos prompt (which was annoying if you e.g. needed to format a floppy disk). However, it was discovered that if you entered in a password more than X characters (i.e. just held down a key for a while), this would crash netware and drop the system back to ... a dos prompt. Most likely this was a buffer overrun, but the principle is the same: if you're dealing with a system (especially an embedded one) which handles at least some unexpected crashes by dropping you into a maintenance mode, then there is a security concern.







                        share|improve this answer








                        New contributor




                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.









                        share|improve this answer



                        share|improve this answer






                        New contributor




                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.









                        answered 7 hours ago









                        FoonFoon

                        1312




                        1312




                        New contributor




                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.





                        New contributor





                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.






                        Foon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.























                            1














                            I see where you are coming from on this. In it own right its difficult to see how just an arithmetic error could be used to cause anything that required data input (like code execution).



                            However, depending on the language it could cause flow control issues or selectively crash threads etc. This is the sort of thing that allows you to compound other issues or if you're really (un)lucky, directly lead to triggering a pathway that causes double something exploitable. Remember the data entry and the bug don't necessarily have to be the same.



                            This is a bit of a contrived, but say for example you moved an object already in a linked list by adding a copy to the head, and then iterating till you find it and remove the copy.
                            If you do this is in a thread and for some reason (say someone puts a stats print statement in the iteration loop that's wrong), it's possible that will leave the list in a bad state with 2 copies of the same element.
                            When this gets cleaned up: double free...



                            If you can control the contents of this new element, and can make the stat result in a divide by zero and still control enough of the contents, this could well be exploitable.



                            Not likely, but possible.






                            share|improve this answer




























                              1














                              I see where you are coming from on this. In it own right its difficult to see how just an arithmetic error could be used to cause anything that required data input (like code execution).



                              However, depending on the language it could cause flow control issues or selectively crash threads etc. This is the sort of thing that allows you to compound other issues or if you're really (un)lucky, directly lead to triggering a pathway that causes double something exploitable. Remember the data entry and the bug don't necessarily have to be the same.



                              This is a bit of a contrived, but say for example you moved an object already in a linked list by adding a copy to the head, and then iterating till you find it and remove the copy.
                              If you do this is in a thread and for some reason (say someone puts a stats print statement in the iteration loop that's wrong), it's possible that will leave the list in a bad state with 2 copies of the same element.
                              When this gets cleaned up: double free...



                              If you can control the contents of this new element, and can make the stat result in a divide by zero and still control enough of the contents, this could well be exploitable.



                              Not likely, but possible.






                              share|improve this answer


























                                1












                                1








                                1







                                I see where you are coming from on this. In it own right its difficult to see how just an arithmetic error could be used to cause anything that required data input (like code execution).



                                However, depending on the language it could cause flow control issues or selectively crash threads etc. This is the sort of thing that allows you to compound other issues or if you're really (un)lucky, directly lead to triggering a pathway that causes double something exploitable. Remember the data entry and the bug don't necessarily have to be the same.



                                This is a bit of a contrived, but say for example you moved an object already in a linked list by adding a copy to the head, and then iterating till you find it and remove the copy.
                                If you do this is in a thread and for some reason (say someone puts a stats print statement in the iteration loop that's wrong), it's possible that will leave the list in a bad state with 2 copies of the same element.
                                When this gets cleaned up: double free...



                                If you can control the contents of this new element, and can make the stat result in a divide by zero and still control enough of the contents, this could well be exploitable.



                                Not likely, but possible.






                                share|improve this answer













                                I see where you are coming from on this. In it own right its difficult to see how just an arithmetic error could be used to cause anything that required data input (like code execution).



                                However, depending on the language it could cause flow control issues or selectively crash threads etc. This is the sort of thing that allows you to compound other issues or if you're really (un)lucky, directly lead to triggering a pathway that causes double something exploitable. Remember the data entry and the bug don't necessarily have to be the same.



                                This is a bit of a contrived, but say for example you moved an object already in a linked list by adding a copy to the head, and then iterating till you find it and remove the copy.
                                If you do this is in a thread and for some reason (say someone puts a stats print statement in the iteration loop that's wrong), it's possible that will leave the list in a bad state with 2 copies of the same element.
                                When this gets cleaned up: double free...



                                If you can control the contents of this new element, and can make the stat result in a divide by zero and still control enough of the contents, this could well be exploitable.



                                Not likely, but possible.







                                share|improve this answer












                                share|improve this answer



                                share|improve this answer










                                answered 8 hours ago









                                ANoneANone

                                1311




                                1311























                                    0














                                    If a program will only receive trustworthy data, and if it would not have to meet any behavioral requirements when given maliciously-crafted data, then it may be possible to generate slightly more efficient code than would be required if there were some behavioral requirements that it had to meet for all data.



                                    Because some tasks only involve processing trustworthy data, while others involve processing data from untrustworthy sources, the C Standard allows implementations that are intended only for the former tasks to make optimizations that would be inappropriate in those intended for the latter, and for those intended to be suitable for the latter tasks to offer guarantees that would unnecessarily impede optimizations that could be useful when processing the former.



                                    Unfortunately, the Standard provides no means by which implementations can indicate what kinds of behavioral guarantees they will offer beyond those mandated by the Standard. When C89 was written, the authors expected that "the marketplace" could do a better job than the authors of the Standard of determining what kinds of implementations should support what "popular extensions" by behaving at least somewhat predictably in cases where the Standard imposed no requirements, and such attitude has not changed even though it no longer fits today's compiler marketplace.



                                    Given something like:



                                    if (x != 0) launch_nuclear_missiles();
                                    ... and then, possibly in another function
                                    z=y/x;


                                    some people would view a compiler that replaces the "if" with an unconditional call to launch_nuclear_missiles() as superior to one that only calls launch_nuclear_missiles if x is non-zero, but such behavior would only be appropriate when processing tasks that will never involve untrustworthy input.



                                    If one knows that the compilers one is using will uphold the kinds of weak behavioral guarantees that general-purpose compilers used to offer as a matter of course, and which facilitate writing programs that could meet weak behavioral constraints even when given maliciously-crafted inputs, then division-by-zero might not pose security weaknesses. With aggressively-optimizing compilers that are not designed to be suitable for tasks involving untrustworthy input, however, it will be necessary to add enough safety-checking logic to negate any advantages such "optimizations" could have offered.






                                    share|improve this answer




























                                      0














                                      If a program will only receive trustworthy data, and if it would not have to meet any behavioral requirements when given maliciously-crafted data, then it may be possible to generate slightly more efficient code than would be required if there were some behavioral requirements that it had to meet for all data.



                                      Because some tasks only involve processing trustworthy data, while others involve processing data from untrustworthy sources, the C Standard allows implementations that are intended only for the former tasks to make optimizations that would be inappropriate in those intended for the latter, and for those intended to be suitable for the latter tasks to offer guarantees that would unnecessarily impede optimizations that could be useful when processing the former.



                                      Unfortunately, the Standard provides no means by which implementations can indicate what kinds of behavioral guarantees they will offer beyond those mandated by the Standard. When C89 was written, the authors expected that "the marketplace" could do a better job than the authors of the Standard of determining what kinds of implementations should support what "popular extensions" by behaving at least somewhat predictably in cases where the Standard imposed no requirements, and such attitude has not changed even though it no longer fits today's compiler marketplace.



                                      Given something like:



                                      if (x != 0) launch_nuclear_missiles();
                                      ... and then, possibly in another function
                                      z=y/x;


                                      some people would view a compiler that replaces the "if" with an unconditional call to launch_nuclear_missiles() as superior to one that only calls launch_nuclear_missiles if x is non-zero, but such behavior would only be appropriate when processing tasks that will never involve untrustworthy input.



                                      If one knows that the compilers one is using will uphold the kinds of weak behavioral guarantees that general-purpose compilers used to offer as a matter of course, and which facilitate writing programs that could meet weak behavioral constraints even when given maliciously-crafted inputs, then division-by-zero might not pose security weaknesses. With aggressively-optimizing compilers that are not designed to be suitable for tasks involving untrustworthy input, however, it will be necessary to add enough safety-checking logic to negate any advantages such "optimizations" could have offered.






                                      share|improve this answer


























                                        0












                                        0








                                        0







                                        If a program will only receive trustworthy data, and if it would not have to meet any behavioral requirements when given maliciously-crafted data, then it may be possible to generate slightly more efficient code than would be required if there were some behavioral requirements that it had to meet for all data.



                                        Because some tasks only involve processing trustworthy data, while others involve processing data from untrustworthy sources, the C Standard allows implementations that are intended only for the former tasks to make optimizations that would be inappropriate in those intended for the latter, and for those intended to be suitable for the latter tasks to offer guarantees that would unnecessarily impede optimizations that could be useful when processing the former.



                                        Unfortunately, the Standard provides no means by which implementations can indicate what kinds of behavioral guarantees they will offer beyond those mandated by the Standard. When C89 was written, the authors expected that "the marketplace" could do a better job than the authors of the Standard of determining what kinds of implementations should support what "popular extensions" by behaving at least somewhat predictably in cases where the Standard imposed no requirements, and such attitude has not changed even though it no longer fits today's compiler marketplace.



                                        Given something like:



                                        if (x != 0) launch_nuclear_missiles();
                                        ... and then, possibly in another function
                                        z=y/x;


                                        some people would view a compiler that replaces the "if" with an unconditional call to launch_nuclear_missiles() as superior to one that only calls launch_nuclear_missiles if x is non-zero, but such behavior would only be appropriate when processing tasks that will never involve untrustworthy input.



                                        If one knows that the compilers one is using will uphold the kinds of weak behavioral guarantees that general-purpose compilers used to offer as a matter of course, and which facilitate writing programs that could meet weak behavioral constraints even when given maliciously-crafted inputs, then division-by-zero might not pose security weaknesses. With aggressively-optimizing compilers that are not designed to be suitable for tasks involving untrustworthy input, however, it will be necessary to add enough safety-checking logic to negate any advantages such "optimizations" could have offered.






                                        share|improve this answer













                                        If a program will only receive trustworthy data, and if it would not have to meet any behavioral requirements when given maliciously-crafted data, then it may be possible to generate slightly more efficient code than would be required if there were some behavioral requirements that it had to meet for all data.



                                        Because some tasks only involve processing trustworthy data, while others involve processing data from untrustworthy sources, the C Standard allows implementations that are intended only for the former tasks to make optimizations that would be inappropriate in those intended for the latter, and for those intended to be suitable for the latter tasks to offer guarantees that would unnecessarily impede optimizations that could be useful when processing the former.



                                        Unfortunately, the Standard provides no means by which implementations can indicate what kinds of behavioral guarantees they will offer beyond those mandated by the Standard. When C89 was written, the authors expected that "the marketplace" could do a better job than the authors of the Standard of determining what kinds of implementations should support what "popular extensions" by behaving at least somewhat predictably in cases where the Standard imposed no requirements, and such attitude has not changed even though it no longer fits today's compiler marketplace.



                                        Given something like:



                                        if (x != 0) launch_nuclear_missiles();
                                        ... and then, possibly in another function
                                        z=y/x;


                                        some people would view a compiler that replaces the "if" with an unconditional call to launch_nuclear_missiles() as superior to one that only calls launch_nuclear_missiles if x is non-zero, but such behavior would only be appropriate when processing tasks that will never involve untrustworthy input.



                                        If one knows that the compilers one is using will uphold the kinds of weak behavioral guarantees that general-purpose compilers used to offer as a matter of course, and which facilitate writing programs that could meet weak behavioral constraints even when given maliciously-crafted inputs, then division-by-zero might not pose security weaknesses. With aggressively-optimizing compilers that are not designed to be suitable for tasks involving untrustworthy input, however, it will be necessary to add enough safety-checking logic to negate any advantages such "optimizations" could have offered.







                                        share|improve this answer












                                        share|improve this answer



                                        share|improve this answer










                                        answered 5 hours ago









                                        supercatsupercat

                                        1,69469




                                        1,69469























                                            0














                                            Here is an example of where it might make a difference.



                                            It is 100% contrived - but many classes of exploits are identified by theoretical "contrived" examples, until specific examples are found.



                                            It is pseudo-code.



                                            try:
                                            get the average cpu usage per logged in user
                                            if this average is too high, tell the person logging on that we're busy.
                                            get login credentials
                                            verify login credentials
                                            if credentials are invalid, tell them to go away
                                            restrict access for this session to the correct access for this user
                                            if there is an exception:
                                            do nothing

                                            let the user in


                                            In this case the average cpu per logged in user, might be calculated as "total cpu / number of logged in users" - if there are no logged in users, you get "divide by 0", and it skips directly to the "if there is an exception" clause. This includes restricting access - the new session might have access matching the last user to log in, or unlimited access.



                                            While this example shows all the code together, often your main code will call something, which calls something else, and the two aspects that interact (in this case, division by 0, and the fact that the exception is ignored) may run in parts of the code which are a long way apart.



                                            As many people have mentioned, division by zero (on it's own) is not a security bug, or indeed a bug at all. As far as I'm aware, most (maybe all!) programming languages have clearly documented information as to what happens when division by zero occurs. I think pretty much every language that has exceptions, has an exception for division by zero (I have seen a mechanical calculator get stuck in an endless loop).






                                            share|improve this answer




























                                              0














                                              Here is an example of where it might make a difference.



                                              It is 100% contrived - but many classes of exploits are identified by theoretical "contrived" examples, until specific examples are found.



                                              It is pseudo-code.



                                              try:
                                              get the average cpu usage per logged in user
                                              if this average is too high, tell the person logging on that we're busy.
                                              get login credentials
                                              verify login credentials
                                              if credentials are invalid, tell them to go away
                                              restrict access for this session to the correct access for this user
                                              if there is an exception:
                                              do nothing

                                              let the user in


                                              In this case the average cpu per logged in user, might be calculated as "total cpu / number of logged in users" - if there are no logged in users, you get "divide by 0", and it skips directly to the "if there is an exception" clause. This includes restricting access - the new session might have access matching the last user to log in, or unlimited access.



                                              While this example shows all the code together, often your main code will call something, which calls something else, and the two aspects that interact (in this case, division by 0, and the fact that the exception is ignored) may run in parts of the code which are a long way apart.



                                              As many people have mentioned, division by zero (on it's own) is not a security bug, or indeed a bug at all. As far as I'm aware, most (maybe all!) programming languages have clearly documented information as to what happens when division by zero occurs. I think pretty much every language that has exceptions, has an exception for division by zero (I have seen a mechanical calculator get stuck in an endless loop).






                                              share|improve this answer


























                                                0












                                                0








                                                0







                                                Here is an example of where it might make a difference.



                                                It is 100% contrived - but many classes of exploits are identified by theoretical "contrived" examples, until specific examples are found.



                                                It is pseudo-code.



                                                try:
                                                get the average cpu usage per logged in user
                                                if this average is too high, tell the person logging on that we're busy.
                                                get login credentials
                                                verify login credentials
                                                if credentials are invalid, tell them to go away
                                                restrict access for this session to the correct access for this user
                                                if there is an exception:
                                                do nothing

                                                let the user in


                                                In this case the average cpu per logged in user, might be calculated as "total cpu / number of logged in users" - if there are no logged in users, you get "divide by 0", and it skips directly to the "if there is an exception" clause. This includes restricting access - the new session might have access matching the last user to log in, or unlimited access.



                                                While this example shows all the code together, often your main code will call something, which calls something else, and the two aspects that interact (in this case, division by 0, and the fact that the exception is ignored) may run in parts of the code which are a long way apart.



                                                As many people have mentioned, division by zero (on it's own) is not a security bug, or indeed a bug at all. As far as I'm aware, most (maybe all!) programming languages have clearly documented information as to what happens when division by zero occurs. I think pretty much every language that has exceptions, has an exception for division by zero (I have seen a mechanical calculator get stuck in an endless loop).






                                                share|improve this answer













                                                Here is an example of where it might make a difference.



                                                It is 100% contrived - but many classes of exploits are identified by theoretical "contrived" examples, until specific examples are found.



                                                It is pseudo-code.



                                                try:
                                                get the average cpu usage per logged in user
                                                if this average is too high, tell the person logging on that we're busy.
                                                get login credentials
                                                verify login credentials
                                                if credentials are invalid, tell them to go away
                                                restrict access for this session to the correct access for this user
                                                if there is an exception:
                                                do nothing

                                                let the user in


                                                In this case the average cpu per logged in user, might be calculated as "total cpu / number of logged in users" - if there are no logged in users, you get "divide by 0", and it skips directly to the "if there is an exception" clause. This includes restricting access - the new session might have access matching the last user to log in, or unlimited access.



                                                While this example shows all the code together, often your main code will call something, which calls something else, and the two aspects that interact (in this case, division by 0, and the fact that the exception is ignored) may run in parts of the code which are a long way apart.



                                                As many people have mentioned, division by zero (on it's own) is not a security bug, or indeed a bug at all. As far as I'm aware, most (maybe all!) programming languages have clearly documented information as to what happens when division by zero occurs. I think pretty much every language that has exceptions, has an exception for division by zero (I have seen a mechanical calculator get stuck in an endless loop).







                                                share|improve this answer












                                                share|improve this answer



                                                share|improve this answer










                                                answered 37 mins ago









                                                AMADANON Inc.AMADANON Inc.

                                                1,44379




                                                1,44379






























                                                    draft saved

                                                    draft discarded




















































                                                    Thanks for contributing an answer to Information Security Stack Exchange!


                                                    • Please be sure to answer the question. Provide details and share your research!

                                                    But avoid



                                                    • Asking for help, clarification, or responding to other answers.

                                                    • Making statements based on opinion; back them up with references or personal experience.


                                                    To learn more, see our tips on writing great answers.




                                                    draft saved


                                                    draft discarded














                                                    StackExchange.ready(
                                                    function () {
                                                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204669%2fis-divide-by-zero-a-security-vulnerability%23new-answer', 'question_page');
                                                    }
                                                    );

                                                    Post as a guest















                                                    Required, but never shown





















































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown

































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown







                                                    Popular posts from this blog

                                                    El tren de la libertad Índice Antecedentes "Porque yo decido" Desarrollo de la...

                                                    Castillo d'Acher Características Menú de navegación

                                                    Connecting two nodes from the same mother node horizontallyTikZ: What EXACTLY does the the |- notation for...