1. Program Transformations to Remove Integer-Handling Vulnerabilities in C Programs Zack Coker, Munawar Hafiz zfc0001@tigermail.auburn.edu, munawar@auburn.edu Computer Science and Software Engineering, Auburn University www.eng.auburn.edu/comp S oftware A nalysis T ransformation & S ecurity Is it possible to create automated program transformations that refactor a program to remove its integer- handling vulnerabilities in C? Integer-handling vulnerabilities are common security flaws in a program In many cases it is complicated to remove the vulnerability once it is found We are developing a tool to perform source-to-source program transformations on a possible vulnerability to create a version where the vulnerability and any related vulnerabilities are removed throughout the file. This corrections are available in three refactorings: 1.Add Integer Cast 2.Replace Arithmetic Operator 3.Integer Type change This transformation adds typecasts to a program when the selected variable is used as a different integer type in a few cases. Example: … unsigned int i; int s; … // instances where s is used correctly s = i; //Notice Type Mismatch!! … while(s > 90) //Notice Type Mismatch!! … unsigned int i; int s; … // instances where s is used correctly s = (int)i; //Fixed Type Mismatch … while((unsigned int) s > 90) //Fixed Type Mismatch … In C, arithmetic operations are not checked for overflow. In vulnerable cases, these operations are replaced by functions that check for overflow. Example: … int a, b; … // a and b are assigned values If(a+b< 60) // Possible Error Due to Overflow!! … #include IntegerLib.h … int a, b; … // a and b are assigned values If(addsi(a,b)< 60) //Overflow is Prevented … In cases where the integer type is used incorrectly throughout the program, the code will change the integer to the correct type. Example: … unsigned int i; int s; //Notice Incorrect Type Decleration!! … s = i; //Notice Type Mismatch!! … while(s > 90) //Notice Type Mismatch!! … unsigned int i; unsigned int s; //Declared to Correct Type … s = i; //Fixed Type Mismatch … while(s > 90) //Fixed Type Mismatch … These transformations are implemented as an Eclipse plugin in the CR-12, a program transformation for C, a larger security transformation effort which addresses multiple vulnerability types. When completed, CR-12 should be able to address all of the security vulnerabilities which can be fixed through program transformations. At the moment, basic implementations of the add integer cast and replace arithmetic operator transformations have been completed and tested on small programs. A basic implementation of integer type change is currently being created. Once that is finished, the transformations will be tested on larger codes, and they will be refined to a more advanced state. There are two main types: integer overflow and signed vulnerabilities. Integer overflow is due to limited space to store integer values. When values become too large, they wrap around and become the lowest value. Signed Vulnerabilities are due to the different values you can store in signed and unsigned values when changing between them.