Computer Science Department
School of Computer Science, Carnegie Mellon University
Towards Automatically Eliminating
David Brumley, Dawn Song, Joseph Slember
Over 100 C integer vulnerabilities have been publicly identified to date, some of which have resulted in serious disasters such as rocket malfunction. C integer vulnerabilities can arise when one integer type is cast to another incompatible integer type. The rules which determine integer cast safety are cumbersome, lengthy, and sometimes unintuitive. As a result, it is common to find thousands of potentially unsafe casts in even moderately sized programs. Despite the importance of writing safe and secure programs, the burden of correctly using (often necessary) integer casts is placed squarely on developers.
We show that well-known sub-typing theory commonly found in type-safe languages can effectively and automatically be applied to protect against most integer casting vulnerabilities in C. We implement our techniques in a tool called PICK which statically detects potential integer vulnerabilities and inserts the necessary dynamic checks to prevent exploits. Our experiments (a) confirm potentially unsafe integer operations are rampant in source code, indicating the potential number of vulnerabilities is great, (b) show the introduced checks protect vulnerable programs, (c) show no manual modifications are needed in most cases, and (d) show the inserted checks do not introduce measurable overhead. Thus, our approach and techniques provide a practical, efficient, and automatic method for protecting against integer vulnerabilities for even large programs written in C.
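As an added illustration, not code from the PICK tool or the authors, the C below shows the kind of dynamic check the abstract describes for two casts that sub-typing rules mark as unsafe (int to size_t, size_t to int); the helper names and the copy routine are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical check for an int -> size_t cast. Under the sub-typing view the
 * target type cannot represent negative values, so the cast is unsafe unless
 * the value is non-negative; a negative int would silently wrap to a huge
 * size_t. Returns true and stores the converted value only if it is safe. */
bool checked_int_to_size(int v, size_t *out) {
    if (v < 0) return false;
    *out = (size_t)v;
    return true;
}

/* Hypothetical check for the narrowing size_t -> int cast: unsafe when the
 * value exceeds INT_MAX, since the result would be truncated or go negative. */
bool checked_size_to_int(size_t v, int *out) {
    if (v > (size_t)INT_MAX) return false;
    *out = (int)v;
    return true;
}

/* A copy routine with an int length parameter (constructed example). The
 * implicit cast in memcpy(dst, src, len) is exactly the unsafe int -> size_t
 * cast above; here the check is made explicit, as instrumentation of the kind
 * the abstract describes would do, and the copy is refused when it fails. */
int copy_checked(char *dst, size_t dst_len, const char *src, int len) {
    size_t n;
    if (!checked_int_to_size(len, &n)) return -1; /* cast check failed */
    if (n > dst_len) return -1;                   /* ordinary bounds check */
    memcpy(dst, src, n);
    return (int)n;                                /* n <= dst_len, fits an int */
}
```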