Software Engineering Institute

This presentation describes an automated approach for fixing memory safety vulnerabilities. Software vulnerabilities (especially spatial memory violations) are a major threat to the Department of Defense (DoD). Its systems encompass a huge volume of code that contains an unknown number of vulnerabilities. CMU SEI researchers developed an automated technique to repair C source code to eliminate memory safety vulnerabilities. It first transforms source code to an intermediate representation (IR), retaining mapping. A repair program inserts fat pointers to track bounds and perform a bounds check before accessing memory. It then maps the repairs at the IR level back to source code. The output is repaired source code that is still human-readable and maintainable. &Users can decide whether to make all possible automatic repairs or only repair likely vulnerabilities at a significantly faster runtime.