Everyone cares about security bugs—yet until OpenRefactory, there haven’t been tools that enable developers to resolve them really efficiently. The leading developer security tools only detect bugs; after that, developers have to fix the bugs manually. It takes a developer four hours on average to fix a bug; hard-to-detect bugs such as resource leaks may even take days to be fixed. And a developer can fix only so many bugs in the budgeted time.
What if there were tools that not only detect problems, but also fix them?
OpenRefactory, Inc.’s unique end-to-end solution disrupts the current market trend. OpenRefactory offers tools, or fixers, that not only detect problems but also fix them automatically. Developers can adopt the solutions as automatic patches or after review. Two categories of fixers are currently offered.
- Safety and Security Fixers. Each of these fixers targets a specific safety and/or security problem. These fixers cover the most important problems in each programming language, according to the lists [5,7,8] created by OWASP, SANS, and others. For example, a fixer for C programs addresses buffer overflow errors by replacing unsafe library functions with safe library functions. Another fixer for Java programs addresses resource leaks by introducing the proper statements to free up resources once they are no longer used.
- Compliance Fixers. Each of these fixers targets a safety and security standard rule that code must follow. For example, MISRA [3,4] is a well-known standard for C programs that was initially created for motor vehicles but is now a widely accepted standard in the embedded systems community (ISO 26262). A compliance fixer for C programs rewrites C integer operations to be performed in a standard-compliant manner, improving upon the weak integer semantics of the C language. Similarly, the Android Secure Coding Standard is a standard created by CERT for Android apps written in Java. A compliance fixer for Android programs makes modifications to ensure that sensitive information is never broadcast using an implicit intent.
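As an added illustration of the buffer-overflow fixer described above (example code written for this post, not OpenRefactory's own output), the pair below shows the unsafe library call such a fixer flags next to the bounded replacement it would substitute; the buffer size, function names and sample input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* constructed buffer size for the illustration */

/* Before: the pattern a buffer-overflow fixer flags. strcpy() copies until the
 * NUL byte of src no matter how large dst is, so any src longer than
 * NAME_LEN - 1 bytes writes past the end of the caller's buffer. */
void set_name_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* After: the bounded replacement such a fixer would substitute. snprintf()
 * writes at most cap bytes, always NUL-terminates when cap > 0, and returns
 * the length the full string would have had, so truncation is detected
 * instead of silently overflowing.
 * Returns 0 when src fit in dst, -1 when it was truncated. */
int set_name_safe(char *dst, size_t cap, const char *src)
{
    int needed = snprintf(dst, cap, "%s", src);
    if (needed < 0 || (size_t)needed >= cap)
        return -1;  /* output did not fit: dst holds cap - 1 bytes plus NUL */
    return 0;
}

/* Stand-alone demonstration with a constructed over-long input. */
int main(void)
{
    char name[NAME_LEN];
    int rc = set_name_safe(name, sizeof name, "a-deliberately-long-user-name");
    printf("rc=%d name=\"%s\" len=%zu\n", rc, name, strlen(name));
    return 0;
}
```

The safe variant keeps the caller's buffer intact on over-long input and returns -1, which is the signal a reviewer would check for when a fixer's patch is adopted.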
OpenRefactory/C is the first product in line—scheduled to be released in July 2017 as an Amazon EC2 based IaaS. It features ten safety and security fixers covering five of the six most important security problems (buffer overflow, integer arithmetic, integer signedness and widthness, memory leak, and memory corruption). It also covers some simple scenarios of the sixth security problem, concurrency bugs; more in-depth support for this problem will be offered in future releases. OpenRefactory/C also features twenty compliance fixers that modify code to comply with 70% of the most important MISRA coding standard rules (a superset of ISO 26262); the rest will be supported in future releases.
C is heavily used in developing embedded software, kernels, and device drivers. Specifically, the software vendors in the automotive industry and medical devices industry will love the features of OpenRefactory/C because the implications of a security failure in these industries are so severe, and because their developers must spend a lot of time modifying their code to meet the ISO 26262 requirements. OpenRefactory/C saves both time and money.
- Saving Time. Developers spend about 35% of their bug-fixing time on security bugs [6]. For each incident, it takes four hours on average to fix a security bug, but OpenRefactory fixers provide patches that developers can adopt instantaneously; this allows developers to explore, triage, and fix more bugs in less time, making the product more secure and the developers more efficient.
- Saving Money. OpenRefactory tools allow bugs to be detected and fixed early in the software development life cycle, significantly reducing the cost of fixing them. From a software life cycle perspective, defects become more costly to organizations the later they are discovered. The cost of fixing an error close to release time can be up to 100 times as high as it would have been during the development stage, and the cost of fixing an error after a device is placed on the market can even be 1000 times higher [1].
A study of 85,616 bugs in the Mozilla repository reported that 46% of the bugs in Mozilla are fixed in less than three months, 27% are fixed in less than one year, and 27% are fixed in less than three years [2]. OpenRefactory tools take a big chunk of this delay out of everyday software development. OpenRefactory will also develop fixers for other languages (a Java tool is currently in progress) and other quality attributes (performance, reliability, etc.).
OpenRefactory, Inc. is the pioneer of the next wave in software development: aggressively using automation to attain quality goals faster and with fewer human errors.
This blog post is the first in a series that explains the vision of OpenRefactory and its first product, OpenRefactory/C. Watch this space for the rest of the articles in the series.
Part 1. Introducing OpenRefactory (this article)
Part 2. About Fixers
This material is based upon work supported by the National Science Foundation under Grant Number 1622201. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
1. V. Narasimhan. A Risk Management Toolkit for Integrated Engineering Asset Maintenance. Springer London, 2006.
2. L. Marks et al. Studying the fix-time for bugs in large open source projects. Promise 2011, ACM.
3. MISRA Consortium. MISRA-C: 2004 — Guidelines for the use of the C language in critical systems, 2004.
4. MISRA Consortium. MISRA-C: 2012 — Guidelines for the use of the C language in critical systems, 2013.
5. Open Web Application Security Project (OWASP). Attacks. http://www.owasp.org/index.php/.
6. OpenRefactory. OpenRefactory customer discovery study, 2016.
7. SANS Institute. SANS top-20 security risks.
8. US-CERT. Vulnerability notes by severity metric.