Program Transformations to Remove Integer-Handling Vulnerabilities in C Programs

Software Analysis Transformation & Security. Zack Coker, Munawar Hafiz (zfc0001@tigermail.auburn.edu, munawar@auburn.edu), Computer Science and Software Engineering, Auburn University.


Presentation Transcript


Software Analysis Transformation & Security
Program Transformations to Remove Integer-Handling Vulnerabilities in C Programs
Zack Coker, Munawar Hafiz
zfc0001@tigermail.auburn.edu, munawar@auburn.edu

Problem

Is it possible to create automated program transformations that refactor a program to remove its integer-handling vulnerabilities in C?

Why is this important?

• Integer-handling vulnerabilities are common security flaws in a program.
• In many cases it is complicated to remove the vulnerability once it is found.

What are Integer-Handling Vulnerabilities?

There are two main types: integer overflow and signed vulnerabilities. Integer overflow is due to the limited space available to store integer values: when a value becomes too large, it wraps around and becomes the lowest value. Signed vulnerabilities are due to the different ranges of values that signed and unsigned types can hold, so a value changes meaning when it is converted between them.

Add Integer Cast

This transformation adds typecasts to a program when the selected variable is used as a different integer type in a few cases.

Example (before):

    …
    unsigned int i;
    int s;
    …
    // instances where s is used correctly
    s = i;              // Notice type mismatch!!
    …
    while (s > 90)      // Notice type mismatch!!
    …

Example (after):

    …
    unsigned int i;
    int s;
    …
    // instances where s is used correctly
    s = (int)i;                      // Fixed type mismatch
    …
    while ((unsigned int)s > 90)     // Fixed type mismatch
    …

Replace Arithmetic Operator

In C, arithmetic operations are not checked for overflow. In vulnerable cases, these operations are replaced by functions that check for overflow.

Example (before):

    …
    int a, b;
    …
    // a and b are assigned values
    if (a + b < 60)     // Possible error due to overflow!!
    …

Example (after):

    #include "IntegerLib.h"
    …
    int a, b;
    …
    // a and b are assigned values
    if (addsi(a, b) < 60)   // Overflow is prevented
    …

Integer Type Change

In cases where the integer type is used incorrectly throughout the program, the transformation changes the integer to the correct type.

Example (before):

    …
    unsigned int i;
    int s;              // Notice incorrect type declaration!!
    …
    s = i;              // Notice type mismatch!!
    …
    while (s > 90)      // Notice type mismatch!!
    …

Example (after):

    …
    unsigned int i;
    unsigned int s;     // Declared to correct type
    …
    s = i;              // Fixed type mismatch
    …
    while (s > 90)      // Fixed type mismatch
    …

What are we doing to address the problem?

We are developing a tool to perform source-to-source program transformations on a possible vulnerability, creating a version of the file in which the vulnerability and any related vulnerabilities are removed throughout. These corrections are available as three refactorings:

• Add Integer Cast
• Replace Arithmetic Operator
• Integer Type Change

Implementation

These transformations are implemented as an Eclipse plugin within CR-12, a program transformation effort for C that addresses multiple vulnerability types. When completed, CR-12 should be able to address all of the security vulnerabilities that can be fixed through program transformations.

Current and Future Work

At the moment, basic implementations of the Add Integer Cast and Replace Arithmetic Operator transformations have been completed and tested on small programs. A basic implementation of Integer Type Change is currently being created. Once that is finished, the transformations will be tested on larger code bases and refined to a more advanced state.

www.eng.auburn.edu/comp
Computer Science and Software Engineering, Auburn University
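The two fixes the poster describes, an overflow-checking replacement for a raw addition (Replace Arithmetic Operator) and an explicit cast that makes a signed/unsigned comparison mean what the programmer intended (Add Integer Cast), as an added C example. This is not code from the poster or from the CR-12 tool: the function names are hypothetical, the poster's IntegerLib.h and addsi are not used, and the checks are written directly against the limits in limits.h so that the overflow test itself never triggers undefined behaviour.

```c
/* Added example, not from the poster: hand-written equivalents of the
 * "Replace Arithmetic Operator" and "Add Integer Cast" transformations.
 * All function names are hypothetical. */
#include <limits.h>
#include <stdio.h>

/* Outcome of a guarded comparison such as "a + b < limit". */
enum sum_check { SUM_OVERFLOW = -1, SUM_NOT_BELOW = 0, SUM_BELOW = 1 };

/* Signed addition with overflow detection. The test is done on the operands
 * only, so the undefined signed overflow never happens; returns 1 on success
 * and 0 when the mathematical sum does not fit in an int. */
int checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;               /* would wrap: refuse instead of computing */
    *out = a + b;
    return 1;
}

/* Unsigned addition with overflow detection. Unsigned wrap is defined in C,
 * but it is still a logic error when the value is a size or a count. */
int checked_add_uint(unsigned int a, unsigned int b, unsigned int *out)
{
    if (a > UINT_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* The poster's vulnerable pattern "if (a + b < 60)" rewritten so that an
 * overflow is reported rather than silently producing a small sum. */
enum sum_check sum_below_limit(int a, int b, int limit)
{
    int sum;
    if (!checked_add_int(a, b, &sum))
        return SUM_OVERFLOW;
    return sum < limit ? SUM_BELOW : SUM_NOT_BELOW;
}

/* Signed/unsigned mismatch: comparing an int with an unsigned int converts
 * the int to unsigned, so a negative value becomes very large and the
 * comparison is false. */
int below_limit_naive(int s, unsigned int limit)
{
    return s < limit;           /* -1 < 90u evaluates to 0 */
}

/* Cast-based fix in the spirit of "Add Integer Cast": decide the sign first,
 * then compare values of the same type. */
int below_limit_fixed(int s, unsigned int limit)
{
    if (s < 0)
        return 1;               /* a negative value is below any unsigned limit */
    return (unsigned int)s < limit;
}

int main(void)
{
    int sum;
    printf("INT_MAX + 1 detected as overflow: %d\n",
           !checked_add_int(INT_MAX, 1, &sum));
    printf("naive  -1 < 90u: %d\n", below_limit_naive(-1, 90u));
    printf("fixed  -1 < 90u: %d\n", below_limit_fixed(-1, 90u));
    return 0;
}
```

Compiling with -Wsign-compare flags the naive comparison, which is the cheapest way to find candidates for the cast transformation before it is applied; the checked adders return a status rather than a clamped value so that the caller, not the helper, decides how an overflow is handled.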
