Cited By
View all- Hafiz MOverbey JLeavens G(2012)OpenRefactory/CProceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity10.1145/2384716.2384730(27-28)Online publication date: 19-Oct-2012
An 'explicit type enforcement' program transformation tool for preventing integer vulnerabiliites
Pages 21 - 22
Abstract
A security-oriented program transformation is similar to a refactoring, but it is not intended to preserve behavior. Instead, it improves the security of systems, which means it preserves the expected behavior, but changes a system's response to security attacks. This demo is about a tool for Explicit Type Enforcement transformation, which adds proper typecast to integer variables. The tool is built using Eclipse CDT and applies on C programs. Preliminary results show that it is very effective in fixing integer-related vulnerabilities. Power tools such as these can improve developer productivity and produce vulnerability-free software.
References
[1]
K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 143, Washington, DC, USA, 2002. IEEE Computer Society.
[2]
blexim. Basic integer overflows. Phrack, 60, 2002.
[3]
E. N. Ceesay, J. Zhou, M. Gertz, K. N. Levitt, and M. Bishop. Using type qualifiers to analyze untrusted integers and detecting security flaws in C programs. In R. Büschkes and P. Laskov, editors, DIMVA, volume 4064 of Lecture Notes in Computer Science, pages 1--16. Springer, 2006.
[4]
X. C. L. David Molnar and D. A. Wagner. Dynamic test generation to find integer bugs in x86 binary Linux programs. In Proceedings of the 18th USENIX Security Symposium. USENIX, Aug. 2009.
[5]
M. Hafiz. Security On Demand. PhD thesis, University of Illinois Urbana-Champaign, 2010.
[6]
M. Hafiz, P. Adamczyk, and R. Johnson. Systematically eradicating data injection attacks using security-oriented program transformations. In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS-09), Feb 2009.
[7]
T. Wang, T. Wei, Z. Lin, and W. Zou. Intscope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In NDSS, 2009.
[8]
R. Wojtczuk. UQBTng: A tool capable of automatically finding integer overflows in Win32 binaries. In 22nd Chaos Communication Congress, 2005.
Index Terms
- An 'explicit type enforcement' program transformation tool for preventing integer vulnerabiliites
Recommendations
A security oriented program transformation to "add on" policies to prevent injection attacks
WRT '08: Proceedings of the 2nd Workshop on Refactoring ToolsTopping the list of the most prominent attacks on applications [6] are various types of injection attacks. Malicious inputs that cause injection attacks are numerous; programmers fail to write checks for all attack patterns. We define a program ...
Mitigating program security vulnerabilities: Approaches and challenges
Programs are implemented in a variety of languages and contain serious vulnerabilities which might be exploited to cause security breaches. These vulnerabilities have been exploited in real life and caused damages to related stakeholders such as program ...
Security-oriented program transformations to cure integer overflow vulnerabilities
SPLASH '12: Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2011
360 pages
ISBN:9781450309424
DOI:10.1145/2048147
- General Chair:
- Cristina Videira Lopes,
- Program Chair:
- Kathleen Fisher
Copyright © 2011 Author.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 22 October 2011
Check for updates
Author Tags
Qualifiers
- Demonstration
Conference
SPLASH '11
Sponsor:
SPLASH '11: Conference on Systems, Programming, and Applications: Software for Humanity
October 22 - 27, 2011
Oregon, Portland, USA
Upcoming Conference
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 90Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 23 Dec 2024
Other Metrics
Citations
Cited By
View all- Hafiz MOverbey JLeavens G(2012)OpenRefactory/CProceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity10.1145/2384716.2384730(27-28)Online publication date: 19-Oct-2012
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in