IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time

  • Chao Zhang
  • Tielei Wang
  • Tao Wei
  • Yu Chen
  • Wei Zou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6345)


The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability is critical for software security. In this paper, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers to facilitate checking integer overflows. We evaluate IntPatch on a number of real-world applications. It has caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have a negligible runtime performance loss, averaging about 1%.
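The IO2BO pattern the abstract describes (an overflowed size computation feeding an allocation that a later write overruns) and the kind of runtime guard IntPatch instruments, as an added C illustration; this is not IntPatch's or the authors' code, and the function names are chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the IO2BO pattern the paper targets and of the kind of
 * runtime guard IntPatch instruments; this is not IntPatch's own code.
 * A 32-bit length type is used so the wrap-around is deterministic on any host. */

/* Size computation as an unpatched program does it: the product silently
 * wraps modulo 2^32, so an oversized 'count' yields a tiny allocation that a
 * later loop over 'count' elements then overruns. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Guard in the spirit of IntPatch's inserted check: compute in a wider type,
 * store the product only if it fits in the original type, report overflow otherwise. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    uint64_t wide = (uint64_t)count * elem_size;
    if (wide > UINT32_MAX) return 0;   /* would wrap: refuse */
    *out = (uint32_t)wide;
    return 1;
}

/* Patched allocation path: only the checked size reaches malloc, so the element
 * loop can never write past the buffer. Returns NULL when the size would
 * overflow or allocation fails; the caller frees the result. */
unsigned char *patched_alloc_fill(uint32_t count, uint32_t elem_size, unsigned char fill) {
    uint32_t size;
    if (!checked_alloc_size(count, elem_size, &size)) return NULL;
    unsigned char *buf = malloc(size ? size : 1);
    if (buf == NULL) return NULL;
    for (uint32_t i = 0; i < count; i++)           /* writes count*elem_size bytes */
        memset(buf + (size_t)i * elem_size, fill, elem_size);
    return buf;
}

/* Driver: 1 if the patched path produced a fully filled buffer, 0 if it
 * refused the request because count*elem_size would overflow. */
int patched_path_ok(uint32_t count, uint32_t elem_size) {
    unsigned char *buf = patched_alloc_fill(count, elem_size, 0xAB);
    if (buf == NULL) return 0;
    int ok = 1;
    for (uint64_t i = 0; i < (uint64_t)count * elem_size; i++)
        if (buf[i] != 0xAB) ok = 0;
    free(buf);
    return ok;
}
```

With count 0x40000001 and 4-byte elements the unchecked size wraps to 4 bytes while the loop would write over 4 GiB; the guarded path rejects the same request before any allocation happens.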


Keywords (added by machine, not by the authors): Symbolic Execution, Analysis Pass, Runtime Check, Alias Analysis, Static Single Assignment





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Chao Zhang (1)
  • Tielei Wang (1)
  • Tao Wei (1)
  • Yu Chen (1)
  • Wei Zou (1)
  1. Institute of Computer Science and Technology, Peking University; Key Laboratory of Network and Software Security Assurance (Peking University), Ministry of Education
