Improving Accuracy of Static Integer Overflow Detection in Binary

Zhang, Yang; Sun, Xiepeng; Deng, Yi; Cheng, Lijuan; Zeng, Shuke; Fu, Yu; Feng, Dan

doi:10.1007/978-3-319-26362-5_12

Cited by 10 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There is a large body of research work focusing on integer overflow detection: ARCHER [9], UQBTng [53], PREfast [28], Rich [3], SAGE [20], CBMC [10], IntScope [51], Brick [7], IntFinder [6], SmartFuzz [37], PREfix [39], IntPatch [55], IOC [14], IntFlow [44], SoupInt [50], SIFT [24], TAP [45], Diode [46], Indio [56], Zhang et al [54], and IntEQ [48]. In contrast, only few approaches focus explicitly on integer overflow repairs: CIntFix [8], SoupInt [24], CodePhage [47], TAP [45], and SIFT [24].…”

Section: Related Workmentioning

confidence: 99%

IntRepair: Informed Repairing of Integer Overflows

Muntean

Monperrus

Sun

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Integer overflows have threatened software applications for decades. Thus, in this paper, we propose a novel technique to provide automatic repair of integer overflows in C source code. Our technique, based on static symbolic execution, fuses detection, repair generation and validation. This technique is implemented in a prototype named INTREPAIR. We applied INTREPAIR to 2,052 C programs (approx. 1 million lines of code) contained in SAMATE's Juliet test suite and 50 synthesized programs that range up to 20 KLOC. Our experimental results show that INTREPAIR is able to effectively detect integer overflows and successfully repair them, while only increasing the source code (LOC) and binary (Kb) size by around 1%, respectively. Furthermore, we present the results of a user study with 30 participants showing that INTREPAIR repairs are more efficient than manual repairs.

show abstract

Section: Related Workmentioning

confidence: 99%

IntRepair: Informed Repairing of Integer Overflows

Muntean

Monperrus

Sun

et al. 2021

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…Detecting IO bugs: There have been a number of approaches developed to detect integer overflow at the source code level. These approaches can be classified into two categories: (a) instrumenting the source code with run-time integer overflow check [37][38][39], and (b) using static analysis to detect integer overflow [40][41][42]. Of these, the work of Coker and Hafiz [40] comes closest to the work presented here, by introducing a set of refactoring and rewrite rules to apply in an IDE to fix overflows in C programs.…”

Section: Related Workmentioning

confidence: 99%

Towards More Reliable Automated Program Repair by Integrating Static Analysis Techniques

Al-Bataineh¹,

Grishina²,

Moonen³

2021

Preprint

View full text Add to dashboard Cite

A long-standing open challenge for automated program repair is the overfitting problem, which is caused by having insufficient or incomplete specifications to validate whether a generated patch is correct or not. Most available repair systems rely on weak specifications (i.e., specifications that are synthesized from test cases) which limits the quality of generated repairs. To strengthen specifications and improve the quality of repairs, we propose to closer integrate static bug detection techniques with automated program repair. The integration combines automated program repair with static analysis techniques in such a way that bug detection patterns can be synthesized into specifications that the repair system can use. We explore the feasibility of such integration using two types of bugs: arithmetic bugs, such as integer overflow, and logical bugs, such as termination bugs. As part of our analysis, we make several observations that help to improve patch generation for these classes of bugs. Moreover, these observations assist with narrowing down the candidate patch search space, and inferring an effective search order.

show abstract

“…Automatic Vulnerability Discovery ś Many automatic vulnerability detection systems operate at the function level, both for ease of analysis, and because it is a suitable search-granularity for common bugs, such as stack-based bugs [7,12,20]. Operating at the function level is also useful for interoperability with other binary analysis primitives, such as symbolic execution, which are powerful tools for semantic analysis but do not scale to full binaries [7].…”

Section: Applicationsmentioning

confidence: 99%

Now You See Me

Goër

Rawat

Andriesse

et al. 2018

Proceedings of the 34th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.

show abstract

Improving Accuracy of Static Integer Overflow Detection in Binary

Cited by 10 publications

References 21 publications

IntRepair: Informed Repairing of Integer Overflows

IntRepair: Informed Repairing of Integer Overflows

Towards More Reliable Automated Program Repair by Integrating Static Analysis Techniques

Now You See Me

Contact Info

Product

Resources

About