Everyone cares about security bugs—yet until OpenRefactory, there haven’t been tools that enable developers to resolve them really efficiently. The leading developer security tools only detect bugs; after that, developers have to fix the bugs manually. It takes a developer four hours on average to fix a bug; hard-to-detect bugs such as resource leaks may even take days to be fixed. And a developer can fix only so many bugs in the budgeted time.

“What if there were tools that not only detected problems, but also fixed them?”

Fixers

OpenRefactory, Inc.’s unique end-to-end solution, referred to as Intelligent Code Repair (iCR), disrupts the current market trend. OpenRefactory offers fixers that not only detect problems, but also fix them automatically. Developers can adopt the solutions as automatic patches or upon review.

Two different categories of fixers are offered currently.

• Reliability and SecurityFixers. Each of these fixers targets a specific reliability and/or security problem. These fixers cover the most important problems in each programming language, according to the listscreated by OWASP, SANS, etc. For example, a fixer for C programs addresses buffer overflow errors by replacing unsafe library functions with safe library functions. Another fixer for Java programs addresses a resource leak problem by introducing proper statements to free up resources when they are not used.
• Compliance Fixers. Each of these fixers targets a reliability and security standard rule that code must follow. For example, MISRA is a well-known standard for C programs that was initially created for motor vehicles but is now a widely accepted standard in the embedded systems community (ISO 26262). A compliance fixer for C programs fixes C integer operations to be done in a standard-compliant manner to improve upon the weak integer semantics in C language.Similarly, Android Secure Coding Standard is a standard created by CERT for Android apps written in Java. A compliance fixer for Android programs makes modifications to ensure that sensitive information is never broadcast using an implicit intent.

iCR for C

iCR for C features 42 safety and security fixers to cover five out of the six most important security problems (buffer overflow, integer arithmetic, integer signedness and widthness, memory leak, and memory corruption). It also covers some simple scenarios of the sixth security problem: concurrency bugs. More in depth support for this problem will be offered in future releases.

iCR for C also features twenty compliance fixers that modify code to comply with 70% of the most important MISRA coding standard rules (superset of ISO 26262), and the rest will be supported in future releases

Stakeholders

C is heavily used in developing embedded software, kernels, and device drivers. Specifically, the software vendors in the automotive industry and medical devices industry will love the features of iCR for C because the implications of a security failure in these industries are so severe, and because their developers must spend a lot of time modifying their code to meet the ISO 26262 requirements.

iCR for C saves both time and money.

• Saving Time. Developers spend about 35% of their bug fixing time on security bugs. For each incident, it takes four hours to fix a security bug on average, but OpenRefactory fixers provide patches that developers can adopt instantaneously; this allows developers to explore, triage, and fix more bugs in less time making the product more secure and the developers more efficient
• Saving Money OpenRefactory’s iCR enables bugs to be detected and fixed early in the software development life cycle, significantly reducing the cost of fixing the bugs. From a software life cycle perspective, defects become more costly to organizations the later they are discovered. The cost of fixing an error close to release time can be up to 100 times as high as it would have been during the development stage, and the cost of fixing an error after a device is placed on the market can even be 1000 times higher.

A study on 85,616 bugs in the Mozilla repository reported that 46% of the bugs in Mozilla are fixed in less than three months, 27% are fixed in less than one year, and 27% are fixed in less than 3 years. iCR takes a big chunk of this delay out of everyday software development.

OpenRefactory is currently developing fixers for other languages (a Java tool is currently in progress) and other quality attributes (performance, reliability, etc.).

OpenRefactory, Inc. is the pioneer of the next wave in software development: aggressively using automation to attain quality goals faster and with fewer human errors.To learn more about iCR, email us atinfo@openrefactory.com

References:

1. Narasimhan. A Risk Management Toolkit for Integrated Engineering Asset Maintenance. Springer London, 2006.
2. Marks et al. Studying the fix-time for bugs in large open source projects. Promise 2011, ACM.
3. MISRA Consortium. MISRA-C: 2004 — Guidelines for the use of the C language in critical systems, 2004.
4. MISRA Consortium. MISRA-C: 2012 — Guidelines for the use of the C language in critical systems, 2013.
5. Open Web Application Security Project (OWASP). Attacks.https://www.owasp.org/index.php/Category:Attack
6. Openrefactory customer discovery study, 2016.
7. SANS Institute. SANS top-20 security risks.
8. US-CERT. Vulnerability notes by severitymetric.