As-If Infinitely Ranged Integer Model

As-If Infinitely Ranged Integer Model

Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This paper presents the As-if Infinitely Ranged (AIR) Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping. The AIR Integer model either p...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Dannenberg, R B, Dormann, W, Keaton, D, Seacord, R C, Svoboda, D, Volkovitsky, A, Wilson, T, Plum, T
Format: Tagungsbericht
Sprache:eng
Schlagworte:
Atmospheric modeling
Charge carrier processes
empirical study
Optimization
Program processors
programming languages
Runtime
security
Semantics
Wrapping
Online-Zugang:Volltext bestellen
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This paper presents the As-if Infinitely Ranged (AIR) Integer model for eliminating vulnerabilities resulting from integer overflow, truncation, and unanticipated wrapping. The AIR Integer model either produces a value equivalent to that obtained using infinitely ranged integers or results in a runtime-constraint violation. With the exception of wrapping (which is optional), this model can be implemented by a C99-conforming compiler and used by the programmer with little or no change to existing source code. Fuzz testing of libraries that have been compiled using a prototype AIR integer compiler has been effective in discovering vulnerabilities in software with low false positive and false negative rates. Furthermore, the runtime overhead of the AIR Integer model is low enough that typical applications can enable it in deployed systems for additional runtime protection.
ISSN:1071-9458
2332-6549
DOI:10.1109/ISSRE.2010.29