Automatic Removal of Flaws in Embedded System Software
Master's thesis, Information Security (Segurança Informática), Universidade de Lisboa, Faculdade de Ciências, 2022

Currently, embedded systems are present in a myriad of devices, such as Internet of Things devices, drones,
and Cyber-physical Systems. The security of these devices can be critical, depending on the context
they are integrated into and the role they play (e.g., water plant, car). C is the core language used to develop
the software for these devices and is known for not enforcing the bounds of its data types, which leads to
vulnerabilities such as buffer overflows. These vulnerabilities, when exploited, cause severe damage and
can put human life in danger. Therefore, the software of these devices must be secure.
One of the concerns with vulnerable C programs is to correct the code automatically, employing
secure code that can remove the existing vulnerabilities and avoid attacks. However, such a task faces
some challenges after finding the vulnerabilities, namely determining what code is needed to remove
them and where to insert that code, maintaining the correct behavior of the application after applying the
code correction, and verifying that the generated code correction is secure and effectively removes the
vulnerabilities. Another challenge is to accomplish all these elements automatically.
This work aims to study diverse types of buffer overflow vulnerabilities in the C programming language
and ways to build secure code for invalidating such vulnerabilities, including functions from the C
language that can be used to remove flaws. Based on this knowledge, we propose an approach that
automatically, after discovering and confirming potential vulnerabilities of an application, applies code
corrections to fix the vulnerable code of the verified vulnerabilities and validates the new code with
fuzzing/attack injection.
We implemented our approach and evaluated it with a set of test cases and with real applications. The
experimental results showed that the tool detected the intended vulnerabilities and generated corrections
capable of removing the vulnerabilities found
- …