Automated Code Repair to Ensure Memory Safety

Abstract

Software vulnerabilities constitute a major threat to DoD. Memory violations are among the most common and most severe types of vulnerabilities: they account for 15% of CVEs in the NIST NVD and 24% of critical-severity CVEs. Examples include iPhone iOS CVE-2019-7287 (exploited by the Chinese government, according to https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/), Android Stagefright (2015), and Cloudbleed (2017). A huge volume of code is in use by DoD, with an unknown number of vulnerabilities.

Solution: Automatically repair source code to assure spatial memory safety. The repaired program aborts (or calls an error-handling routine) before a spatial memory violation occurs.

Approach: Transform the source code to an intermediate representation (IR), retaining the mapping back to the source. Repair the program to use fat pointers to track bounds, and insert a bounds check before memory accesses. Map the repairs made at the IR level back to source code.
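The runtime effect of the repair described in the abstract, as an added example that is not taken from the report or its tool: a fat pointer carries the object's bounds, and a check runs before each access. All names here (fat_int_ptr, fat_load, on_violation, sum_inclusive) are hypothetical, the data is constructed, and the check is hand-written in C rather than produced by an IR-level transformation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Fat pointer: base of the object, its element count, and the current offset. */
typedef struct { int *base; size_t count; ptrdiff_t off; } fat_int_ptr;

/* Violation hook: abort by default, or an installed error-handling routine. */
static void abort_handler(void) { abort(); }
static void (*on_violation)(void) = abort_handler;
static int violations = 0;
static void counting_handler(void) { violations++; }

static fat_int_ptr fat_from_array(int *a, size_t n) {
    fat_int_ptr p = { a, n, 0 };
    return p;
}

/* Pointer arithmetic only moves the offset; the bounds travel with the pointer. */
static fat_int_ptr fat_add(fat_int_ptr p, ptrdiff_t k) { p.off += k; return p; }

static int fat_in_bounds(fat_int_ptr p) {
    return p.off >= 0 && (size_t)p.off < p.count;
}

/* Bounds check inserted before the access; the load never happens on failure. */
static int fat_load(fat_int_ptr p, int *out) {
    if (!fat_in_bounds(p)) { on_violation(); return 0; }
    *out = p.base[p.off];
    return 1;
}

/* Constructed buggy loop: "i <= n" would read a[n], one element past the end. */
static long sum_inclusive(fat_int_ptr a, size_t n) {
    long sum = 0;
    for (size_t i = 0; i <= n; i++) {
        int v;
        if (!fat_load(fat_add(a, (ptrdiff_t)i), &v)) break;
        sum += v;
    }
    return sum;
}

int main(void) {
    int data[4] = {1, 2, 3, 4};              /* constructed sample input */
    on_violation = counting_handler;         /* error routine instead of abort */
    long s = sum_inclusive(fat_from_array(data, 4), 4);
    printf("sum=%ld violations=%d\n", s, violations);
    return 0;
}
```

With the default handler left in place, the same out-of-bounds read terminates the program before the access instead of returning stale memory.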

Document Details

Document Type: Technical Report
Publication Date: Jan 01, 2020
Accession Number: AD1110298

Entities

People

  • David Svoboda
  • Matt Churilla
  • Mike Mccall
  • Ruben Martins
  • Ryan P Steele
  • William Klieber

Organizations

  • Carnegie Mellon University

Tags

DTIC Thesaurus Topics

  • Compilers
  • Computer Programs
  • Department Of Defense
  • Directives
  • Engineering
  • Governments
  • Guarantees
  • Lists (Data Structures)
  • Materials
  • Software Development
  • Universities
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Computer Programming and Software Development.
  • Cybersecurity.