Accession Number:

ADA522532

Title:

As-If Infinitely Ranged Integer Model, Second Edition

Descriptive Note:

Final rept.

Corporate Author:

CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST

Personal Author(s):

• Dannenberg, Roger
• Dormann, Will
• Keaton, David
• Plum, Thomas
• Seacord, Robert C.
• Svoboda, David
• Volkovitsky, Alex
• Wilson, Timothy

Report Date:

2010-04-01

Pagination or Media Count:

41.0

Abstract:

Integers represent a growing and underestimated source of vulnerabilities in C and C programs. This report presents the as-if infinitely ranged AIR integer model that provides a largely auto-mated mechanism for eliminating integer overflow and truncation and other integral exceptional conditions. The AIR integer model either produces a value equivalent to that obtained using infinitely ranged integers or results in a runtime-constraint violation. Instrumented fuzz testing of libraries that have been compiled using a prototype AIR integer compiler has been effective in discovering vulnerabilities in software with low false positive and false negative rates. Further-more, the runtime overhead of the AIR integer model is low enough for typical applications to enable it in deployed systems for additional runtime protection.

Descriptors:

• *INTEGER PROGRAMMING
• DATA PROCESSING SECURITY
• VULNERABILITY
• ANALYTIC NUMBER THEORY
• ELECTRONIC SECURITY
• TRUNCATION
• NUMBER THEORY
• SOFTWARE ENGINEERING
• COMPUTER ARCHITECTURE

Subject Categories:

• Numerical Mathematics
• Computer Programming and Software
• Computer Systems
• Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE