
Automating the Repair of Software Flaws

2017

Codebases typically contain billions of lines of code, and those lines contain errors that can lead to costly security vulnerabilities. These errors are usually too numerous to vet manually, and finding and fixing them by hand is a time-consuming and error-prone process. It is also expensive: researchers from the SEI’s CERT Division report that the average cost to manually fix one defect is $14,000.

Static code analysis tools can help find these errors, but they are typically used late in the development process and generate a very large number of warnings. Even after false positives are excluded, the volume of genuine coding errors can overwhelm developers. Consequently, only a small percentage of the vulnerabilities identified are eliminated.

In 2016, CERT researchers developed tools to automatically detect and repair two common software-coding errors: integer overflows that lead to buffer overflow, and reads of stale and potentially sensitive memory. These CERT-developed tools infer the specification the developer intends—a strongly supported guess based on the pattern—and make a repair to satisfy the inferred specification.

The tool for integer overflows performs an additional check for error conditions where the overflow can lead to a memory violation. For software that is not safety critical, if the tool cannot fully repair an overflow, it simply inserts code that checks for an overflow and ends the process if it is detected.
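As an added illustration (not CERT's tool or its output), the following C shows the integer-overflow-to-buffer-overflow pattern described above: an allocation size computed as count times element size that wraps, beside a hand-written repair in the style the paragraph describes, which checks the product and ends the process if it would overflow. All function names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before": the size computation uses a fixed-width unsigned type, so the
 * product wraps silently once it reaches 2^32. malloc then receives a far
 * smaller buffer than the caller believes it has, and any loop that fills
 * `count` elements writes past the end of it (a heap buffer overflow).
 * uint32_t is used explicitly so the wrap is the same on every platform. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* wraps when count * elem_size >= 2^32 */
}

/* "After": the inferred specification is "the product must fit in the size
 * type". Returns 1 and stores the byte count in *out when it fits, 0 when
 * the multiplication would overflow. Division avoids computing the product. */
static int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;               /* would wrap: refuse */
    *out = count * elem_size;   /* safe: cannot exceed UINT32_MAX */
    return 1;
}

/* Repaired allocation for non-safety-critical code: when the overflow
 * cannot be avoided, detect it and terminate rather than continue with an
 * undersized buffer. */
static void *alloc_array(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes)) {
        fprintf(stderr, "integer overflow in allocation size: %u * %u\n",
                count, elem_size);
        abort();
    }
    return malloc(bytes);
}

int main(void)
{
    /* Constructed: 2^30 + 1 elements of 4 bytes each (needs > 4 GiB). */
    uint32_t count = 0x40000001u, bytes = 0;
    printf("unchecked size: %u bytes\n", unchecked_alloc_size(count, 4)); /* 4 */
    printf("checked fits: %d\n", checked_alloc_size(count, 4, &bytes));  /* 0 */
    void *p = alloc_array(1000, 4);   /* 4000 bytes: passes the check */
    free(p);
    return 0;
}
```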

The tool for invalid memory reads dynamically detects memory reads that fall outside the valid portion of a buffer. It addresses the security vulnerabilities caused by such reads, which can leak sensitive information.

These tools help developers reduce the number of vulnerabilities in a codebase, freeing them to focus on fixing the remaining coding errors, developing secure code, and achieving their organization’s software assurance goals.
