CWE-190 on guy@secdev.uk https://www.secdev.uk/blog/tags/cwe-190/ Recent content in CWE-190 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 11 Oct 2025 00:00:00 +0000 Rust Security: When unsafe Breaks the Promise https://www.secdev.uk/blog/technology/2025-10-11-rust-security-unsafe-breaks-promise/ Sat, 11 Oct 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-10-11-rust-security-unsafe-breaks-promise/ <p>I love Rust. I genuinely do. Its ownership system, borrow checker, and type system wipe out entire classes of vulnerabilities at compile time, use-after-free, double-free, data races, null pointer dereferences, buffer overflows. But here&rsquo;s the thing: Rust gives you an escape hatch called <code>unsafe</code>, and when it&rsquo;s used incorrectly, it reintroduces every single vulnerability that Rust was designed to prevent. The more I dug into real-world Rust codebases, the more I found this happening. Beyond <code>unsafe</code>, Rust has its own quirky set of security pitfalls: integer overflow behaviour that differs between debug and release builds, FFI boundaries that trust C code unconditionally, and logic errors that the type system simply cannot catch. In this post, I want to walk through the Rust-specific anti-patterns that break the safety promise.</p> Integer Overflow https://www.secdev.uk/blog/technology/2025-08-02-integer-overflow/ Sat, 02 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-02-integer-overflow/ <p>Integer overflow (CWE-190) is one of those bugs that I find endlessly fascinating because of how quietly destructive it is. It happens when an arithmetic operation produces a value that exceeds the maximum (or falls below the minimum) representable value for the integer type. In C and C++, signed integer overflow is undefined behaviour, the compiler is free to assume it never happens, and optimizations built on that assumption can eliminate bounds checks entirely. Unsigned overflow wraps around silently. Go and Java define overflow as wrapping (two&rsquo;s complement), which prevents undefined behaviour but still produces incorrect results that lead to security vulnerabilities: undersized allocations, bypassed length checks, and negative indices into arrays. Rust panics on overflow in debug mode but wraps in release mode by default, creating a gap between testing and production behaviour that caught me off guard when I first started digging into Rust&rsquo;s safety guarantees. I want to walk through integer overflow across C, C++, Rust, Go, and Java, from the textbook multiplication overflow to the subtle cast truncation that can survive expert review.</p>