IntRepair: Informed Fixing of Integer Overflows

Authors: Paul Muntean, Monperrus Martin, Hao Sun, Jens Grossklags, C. Eckert
Integer overflows have threatened software applications for decades. [...] This technique is implemented in a prototype named IntRepair. We applied IntRepair to 2,052 C programs (approx. 1 million lines of code) contained in the SAMATE Juliet test suite and 50 synthesized programs that range up to 20 KLOC. Our experimental results show that IntRepair is able to effectively detect integer overflows and successfully repair them, while only increasing the source code (LOC) and binary (Kb) size by around…
An automated approach to fix buffer overflows
The results suggest that the proposed approach can automatically fix buffer overflows without inducing errors.
Comprehensive Java Metadata Tracking for Attack Detection and Repair
We present ClearTrack, a system that tracks meta-data for each primitive value in Java programs to detect and nullify a range of vulnerabilities such as integer overflow/underflow and SQL/command…


IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution
This paper presents a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries before an attacker does, with the goal of finally eliminating the vulnerabilities.
RICH: Automatically Protecting Against Integer-Based Vulnerabilities
RICH (Run-time Integer CHecking), a tool for efficiently detecting integer-based attacks against C programs at run time, is presented and it is shown that safe and unsafe integer operations in C can be captured by well-known sub-typing theory.
IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time
The design and implementation of IntPatch is presented, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time, and it provides an interface for programmers to facilitate checking integer overflows.
A fast and low-overhead technique to secure programs against integer overflows
An algorithm that uses static range analysis to avoid some checks created by a dynamic instrumentation library that is implemented in LLVM and has been able to avoid 25% of all the overflow checks necessary to secure the C programs in the LLVM test suite.
Automated Generation of Buffer Overflow Quick Fixes Using Symbolic Execution and SMT
This paper presents a novel approach used to generate bug fixes for buffer overflows automatically using static execution, code patch patterns, quick fix locations, user input saturation and Satisfiability Modulo Theories (SMT).
UQBTng: a tool capable of automatically finding integer overflows in Win32 binaries
November 27, 2005. This paper outlines the recent work by the author to develop UQBTng, a tool capable of automatic detection of exploitable integer overflow bugs in Win32 binaries. A brief…
IntPTI: Automatic integer error repair with proper-type inference
A tool IntPTI is presented that implements the desired functionalities for C programs and infers appropriate types for variables and expressions to eliminate representation issues, and then utilizes the derived types with fix patterns codified from the successful human-written patches.
SMT-constrained symbolic execution engine for integer overflow detection in C code
An integer overflow checker based on precise modeling of C language semantics and symbolic function models is presented, which can also be applied in the future to C++ programs in order to detect other kinds of vulnerabilities related to integers.
Automatic Fix for C Integer Errors by Precision Improvement
The results show that CIntFix is capable of fixing integer errors in real-world C programs and processes C source code at the rate of 0.157s/KLOC, and the fixed programs have an 18.0% slowdown on average.
Enhancing symbolic execution with veritesting
Veritesting allows MergePoint to find twice as many bugs, explore orders of magnitude more paths, and achieve higher code coverage than previous dynamic symbolic execution systems.