IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time [chapter]

Chao Zhang, Tielei Wang, Tao Wei, Yu Chen, Wei Zou
2010. Lecture Notes in Computer Science (Springer Berlin Heidelberg)
In this paper, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time.  ...  The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability are critical for software security.  ...  Conclusion This paper surveys many IO2BO vulnerabilities, and presents a framework to model and automatically fix this kind of vulnerability. A prototype tool IntPatch is implemented based on LLVM.  ... 
doi:10.1007/978-3-642-15497-3_5, fatcat:n5iann3yandsbluhhfds2bkkzq
Full text (Web Archive PDF): https://web.archive.org/web/20151028020048/http://lenx.100871.net:80/papers/IntPatch-ESORICS.pdf

Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat

Chao Zhang, Wei Zou, Tielei Wang, Yu Chen, Tao Wei, Dimitris Gritzalis
2011-12-23. Journal of Computer Security (IOS Press)
In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time.  ...  A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow (IO2BO for short) vulnerability. IO2BO is an underestimated threat.  ...  Acknowledgments The authors would like to thank the anonymous reviewers for their valuable comments.  ... 
doi:10.3233/jcs-2011-0434, fatcat:dagxlmkqxjfz7gc3kdpae6gd6u
Full text (Web Archive PDF): https://web.archive.org/web/20151028020054/http://lenx.100871.net:80/papers/IntPatch-JCS.pdf

Efficient Dynamic Tracking Technique for Detecting Integer-Overflow-to-Buffer-Overflow Vulnerability

Hao Sun, Xiangyu Zhang, Chao Su, Qingkai Zeng
2015. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '15 (ACM Press)
Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerabilities can be exploited by attackers to cause severe damages to computer systems.  ...  IntTracker monitors whether any dirty value is used at a sink to detect IO2BO vulnerabilities.  ...  The authors would like to thank the anonymous reviewers for their insightful comments that greatly helped improve the presentation of this paper. The authors are also grateful to Tao  ... 
doi:10.1145/2714576.2714605, dblp:conf/ccs/SunZSZ15, fatcat:4vm2n3filvcqrl6ttq5kmg4qie
Full text (Web Archive PDF): https://web.archive.org/web/20190218120417/https://static.aminer.org/pdf/20170130/pdfs/ccs/hmtqif6oj0t5sgrkxobak2pvbmyvdp1a.pdf

An automated approach to fix buffer overflows

Aamir Shahab, Muhammad Nadeem, Mamdouh Alenezi, Raja Asif
2020-08-01. International Journal of Electrical and Computer Engineering (IJECE) (Institute of Advanced Engineering and Science)
Various manual and automated techniques for detecting and fixing specific types of buffer overflow vulnerability have been proposed, but the solution to fix Unicode buffer overflow has not been proposed  ...  The results suggest that the proposed approach can automatically fix buffer overflows without inducing errors.  ...  IntPatch [17] fixes integer overflow in C/C++ source code at compile time.  ... 
doi:10.11591/ijece.v10i4.pp3777-3787, fatcat:f4x6xjl7hjcjbet5dfobbr6ozm
Full text (Web Archive PDF): https://web.archive.org/web/20200309011659/http://ijece.iaescore.com/index.php/IJECE/article/download/21284/pdf

Program transformations to fix C integers

Zack Coker, Munawar Hafiz
2013. 2013 35th International Conference on Software Engineering (ICSE) (IEEE)
Traditional approaches at best detect these problems; they cannot guide developers to write correct code.  ...  We describe three program transformations that fix integer problems: one explicitly introduces casts to disambiguate type mismatch, another adds runtime checks to arithmetic operations, and the third one  ...  At the same time, they successfully fix all variants of integer problems that result in vulnerabilities.  ...
doi:10.1109/icse.2013.6606625, dblp:conf/icse/CokerH13, fatcat:jyrobaexprh2zd7x4jm6k6kkvq
Full text (Web Archive PDF): https://web.archive.org/web/20160411175347/http://www.munawarhafiz.com:80/research/intproblem/icse13_intproblem.pdf

IntFlow

Marios Pomonis, Theofilos Petsios, Kangkook Jee, Michalis Polychronakis, Angelos D. Keromytis
2014. Proceedings of the 30th Annual Computer Security Applications Conference on - ACSAC '14 (ACM Press)
Integer overflow and underflow, signedness conversion, and other types of arithmetic errors in C/C++ programs are among the most common software flaws that result in exploitable vulnerabilities.  ...  Despite significant advances in automating the detection of arithmetic errors, existing tools have not seen widespread adoption mainly due to their increased number of false positives.  ...  at compilation time.  ... 
doi:10.1145/2664243.2664282, dblp:conf/acsac/PomonisPJPK14, fatcat:pj5jwjyddjgw7eszoukm4j6c7i
Full text (Web Archive PDF): https://web.archive.org/web/20170808220243/http://www.cs.columbia.edu/%7Eangelos/Papers/2014/intflow.pdf

Practical Integer Overflow Prevention [article]

Paul Muntean, Jens Grossklags, Claudia Eckert
2017-11-03. arXiv (pre-print)
Integer overflows in commodity software are a main source for software bugs, which can result in exploitable memory corruption vulnerabilities and may eventually contribute to powerful software based exploits  ...  In this paper, we present IntGuard, a tool that can repair integer overflows with high-quality source code repairs.  ...  Finally, we believe that stand-alone compilers should not be the only tool to be used for repairing integer overflows during compile time.  ...
arXiv:1710.03720v9, fatcat:mjtnitnqmbbmlgoswdersm4xju
Full text (Web Archive PDF): https://web.archive.org/web/20200905193214/https://arxiv.org/pdf/1710.03720v9.pdf

IntRepair: Informed Repairing of Integer Overflows [article]

Paul Muntean and Martin Monperrus and Hao Sun and Jens Grossklags and Claudia Eckert
2019-09-28. arXiv (pre-print)
Integer overflows have threatened software applications for decades. Thus, in this paper, we propose a novel technique to provide automatic repairs of integer overflows in C source code.  ...  Our experimental results show that IntRepair is able to effectively detect integer overflows and successfully repair them, while only increasing the source code (LOC) and binary (Kb) size by around 1%,  ...  ACKNOWLEDGMENTS The authors are grateful to the anonymous reviewers for their insightful and constructive comments. Further, we want to especially thank Nenad Medvidović and Víctor A.  ... 
arXiv:1807.05092v2, fatcat:b4r5anc52rebpilh6bw7hmb4ge
Full text (Web Archive PDF): https://web.archive.org/web/20200822162342/https://arxiv.org/pdf/1807.05092v2.pdf

AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications

Mu Zhang, Heng Yin
2014. Proceedings 2014 Network and Distributed System Security Symposium (Internet Society) (unpublished)
It is often unrealistic to purely rely on developers to fix these vulnerabilities for two reasons: 1) it is a time-consuming process for the developers to confirm each vulnerability and release a patch  ...  Given a vulnerable Android app (without source code) and a discovered component hijacking vulnerability, we automatically generate a patch to disable this vulnerability.  ...  ACKNOWLEDGMENT We would like to thank anonymous reviewers for their comments. This research was supported in part by NSF Grant #1018217, NSF Grant #1054605 and McAfee Inc.  ... 
doi:10.14722/ndss.2014.23255, fatcat:nsbhshnyirdhviko5ckj4afcra
Full text (Web Archive PDF): https://web.archive.org/web/20170809130722/http://www.internetsociety.org/sites/default/files/10_4_1.pdf