Using Programmer-Written Compiler Extensions to Catch Security Holes
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Valgrind: a framework for heavyweight dynamic binary instrumentation
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Flow-insensitive static analysis for detecting integer anomalies in programs
SE'07 Proceedings of the 25th conference on IASTED International Multi-Conference: Software Engineering
The CERT C Secure Coding Standard
The CERT C Secure Coding Standard
Systematically Eradicating Data Injection Attacks Using Security-Oriented Program Transformations
ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Dynamic test generation to find integer bugs in x86 binary linux programs
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
IntPatch: automatically fix integer-overflow-to-buffer-overflow vulnerability at compile-time
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
As-If Infinitely Ranged Integer Model
ISSRE '10 Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering
Using type qualifiers to analyze untrusted integers and detecting security flaws in c programs
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Security on demand
Use, disuse, and misuse of automated refactorings
Proceedings of the 34th International Conference on Software Engineering
Understanding integer overflow in C/C++
Proceedings of the 34th International Conference on Software Engineering
OpenRefactory/C: an infrastructure for developing program transformations for C programs
Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity
Systematic testing of refactoring engines on real software projects
ECOOP'13 Proceedings of the 27th European conference on Object-Oriented Programming
OpenRefactory/C: an infrastructure for building correct and complex C transformations
Proceedings of the 2013 ACM workshop on Workshop on refactoring tools
Hi-index | 0.00 |
C makes it easy to misuse integer types; even mature programs harbor many badly-written integer code. Traditional approaches at best detect these problems; they cannot guide developers to write correct code. We describe three program transformations that fix integer problems---one explicitly introduces casts to disambiguate type mismatch, another adds runtime checks to arithmetic operations, and the third one changes the type of a wrongly-declared integer. Together, these transformations fixed all variants of integer problems featured in 7,147 programs of NIST's SAMATE reference dataset, making the changes automatically on over 15 million lines of code. We also applied the transformations automatically on 5 open source software. The transformations made hundreds of changes on over 700,000 lines of code, but did not break the programs. Being integrated with source code and development process, these program transformations can fix integer problems, along with developers' misconceptions about integer usage.