Towards Automatically Eliminating Integer-Based Vulnerabilities

Over 100 C integer vulnerabilities have been publicly identified to date, some of which have resulted in serious disasters such as rocket malfunction. C integer vulnerabilities can arise when one integer type is cast to another incompatible integer type. The rules which determine integer cast safety are cumbersome, lengthy, and sometimes unintuitive. As a result, it is common to find thousands of potentially unsafe casts in even moderately sized programs. Despite the importance of writing safe and secure programs, the burden of correctly using (often necessary) integer casts is placed squarely on developers. We show that well-known sub-typing theory commonly found in type-safe languages can effectively an automatically be applied to protect against most integer casting vulnerabilities in C. We implement our techniques in a tool called PICK which statically detects potential integer vulnerabilities and inserts the necessary dynamic checks to prevent exploits. Our experiments (a) confirm potentially unsafe integer operations are rampant in source code, indicating the potential number of vulnerabilities is great, (b) show the introduced checks protect vulnerable programs, (c) show no manual modifications are needed in most cases, and (d) the inserted checks do not introduce measurable overhead. Thus, our approach and techniques provide a practical, efficient, and automatic method for protecting against integer vulnerabilities for even large programs written in C. This work is supported by grants from the National Science Foundation.