Integer Overflow on Azure
How Integer Overflow Manifests in Azure
Integer overflow in Azure environments typically occurs when arithmetic operations exceed the maximum value representable by a data type, causing the value to wrap around to the minimum value. In Azure-specific contexts, this vulnerability often emerges in resource management systems, billing calculations, and API request processing.
A common Azure scenario involves virtual machine (VM) resource allocation. When calculating total allocated cores across multiple VMs, an overflow can occur:
int totalCores = 0;
foreach (var vm in vms) {
totalCores += vm.Cores; // Overflow if total exceeds 2,147,483,647
}
if (totalCores > maxAllowedCores) {
throw new Exception("Quota exceeded");
}If a subscription has 2,000 VMs with 1,000 cores each, the total (2,000,000) appears valid, but if the system processes thousands of subscriptions simultaneously, intermediate calculations can overflow before the final check.
Azure Functions runtime presents another vector. The consumption plan tracks execution counts and memory usage for billing. An overflow in these counters could allow unlimited function executions without proper billing:
long executionCount = 0;
executionCount += 1; // Wraps to negative after 9,223,372,036,854,775,807
if (executionCount < 0) {
// Billing logic bypassed
}Azure Storage operations also face overflow risks. When calculating blob sizes for pagination or quota enforcement, 32-bit integers overflow quickly:
int totalSize = 0;
foreach (var blob in blobs) {
totalSize += blob.Length; // Overflows at 2GB
}
if (totalSize > storageQuota) {
throw new QuotaExceededException();
}Azure API Management gateways process request sizes and rate limits using counters. An attacker could craft requests that cause counters to overflow, bypassing throttling mechanisms:
int requestCount = 0;
requestCount += requestSize; // Overflow possible with large sizes
if (requestCount > rateLimit) {
return StatusCode(429);
}Azure-Specific Detection
Detecting integer overflow in Azure requires both static analysis and runtime monitoring. Azure Security Center and Defender for Cloud can identify suspicious patterns, but manual verification is essential.
For Azure Functions, enable Application Insights with custom metrics to monitor counter values. Set up alerts when counters approach maximum values:
var client = new ApplicationInsightsTelemetryClient();
var executionCount = GetExecutionCount();
if (executionCount > (long.MaxValue - 1000000)) {
client.TrackMetric("ExecutionCountWarning", executionCount);
// Trigger alert
}Azure Policy can enforce safe coding practices. Create a custom policy that scans ARM templates and Bicep files for risky integer operations:
{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Resources/deployments"
},
{
"field": "name",
"contains": "function"
}
]
},
"then": {
"effect": "audit",
"details": {
"metadata": {
"category": "IntegerOverflow",
"severity": "High"
}
}
}
}
}middleBrick's Azure-specific scanning identifies integer overflow vulnerabilities by analyzing API endpoints that handle Azure resource calculations. The scanner tests boundary conditions automatically:
# middlebrick scan https://api.azure.com/resource-manager --category integer-overflow
# Output includes:
# - Risk score with severity level
# - Specific endpoints vulnerable to overflow
# - Input values that trigger overflow conditions
# - Recommended type changes (int64, BigInteger)Azure Monitor Logs can detect overflow patterns in application telemetry. Create queries that flag counter anomalies:
| where counter_value > 2147483640
| where counter_value < 0
| summarize count() by operation_name, cloud_role_nameAzure-Specific Remediation
Remediation in Azure environments requires using appropriate data types and implementing safe arithmetic operations. For Azure Functions and APIs, always use 64-bit integers (long) for counters and sizes:
// Unsafe - 32-bit int
int totalSize = 0;
foreach (var blob in blobs) {
totalSize += blob.Length;
}
// Safe - 64-bit long
long totalSize = 0;
foreach (var blob in blobs) {
totalSize += blob.Length;
if (totalSize < 0) { // Overflow check
throw new OverflowException("Size calculation overflow");
}
}
Azure SDK provides BigInteger for arbitrary-precision arithmetic when dealing with extremely large numbers:
using System.Numerics;
BigInteger totalCost = 0;
foreach (var resource in resources) {
totalCost += resource.Cost;
}
if (totalCost > maxAllowedCost) {
throw new QuotaExceededException();
}
For Azure Storage operations, use the SDK's built-in safe methods. The Azure.Storage.Blobs package handles large sizes correctly:
BlobServiceClient client = new BlobServiceClient(connectionString);
long totalSize = 0;
foreach (var container in client.GetBlobContainers()) {
foreach (var blob in container.GetBlobs()) {
totalSize += blob.Properties.ContentLength;
if (totalSize < 0) {
throw new OverflowException("Storage size overflow");
}
}
}
Azure API Management policies can prevent overflow at the gateway level. Use validate-content policy to reject oversized requests before processing:
<policies>
<validate-content max-size="10485760" />
<inbound>
<choose>
<when condition="@((int)context.Request.Headers.GetValueOrDefault("Content-Length") > 10485760)">
<return-response>
<set-status code="413" />
<set-header name="Retry-After" exists-action="override" >
<value>120</value>
</set-header>
</return-response>
</when>
</choose>
</inbound>
</policies>
Implement safe arithmetic using checked contexts in C# for Azure applications:
try {
checked {
int result = int.MaxValue + 1; // Throws OverflowException
}
} catch (OverflowException) {
// Handle gracefully
return BadRequest("Calculation overflow detected");
}