A Glimpse Into The Future: OpenRefactory Releases 9 Fixers as a Freemium Service

September 18th, 2017 Posted by News, Product Description

September 18, 2017: OpenRefactory releases 9 fixers that fix security and compliance bugs in C programs. This is a Beta release.

Users can access the cloud service by going to the OpenRefactory web page (www.openrefactory.com) and clicking on “Try the Fixers” option on the top menu bar.

There are two ways to interact with the SaaS.

  1. Users may upload their C project folders in a zipped file. The C project must compile with gcc and must use Makefiles for compilation.
  2. Users may type in C source code and submit so that the fixers can run on it.

The “freemium” service allows scanning and fixing at most 1000 lines of C code. The full service does not impose any limit on the number of lines of code that can be scanned.

These fixers are tagged as Beta. OpenRefactory is seeking help from C program developers to try the fixers and report bugs in Bugzilla so that we can make them better. There is a small bounty of $1.11 for each reported valid bug.

Users can access 9 fixers at this moment: four are security fixers and five are compliance fixers.

Security fixers:

There are four security fixers that fix security problems in C programs.

  • Change Integer Type: It is common for C programs to have signedness (using a signed integer in an unsigned context and vice versa) and widthness (assigning a integer with larger memory size to an integer with a smaller memory size) problems from using variable types in incorrect contexts. These errors derive from incorrectly declared variables.
    The Change Integer Type fixer changes the declared type of variables so that the uses of the variable are not conflicting with the declaration.
    The following is a vulnerability in libpng v1.4.9 (CVE-2011-3026), in lines 267-290 in pngrutil.c file.
    Before code:

    267 int ret, avail;
    268 ...
    276 avail = png_ptr->zbuf_size-png_ptr->zstream.avail_out;
    277 ...
    283 if (output != 0 && output_size > count)
    284 {
    285     int copy = output_size - count;
    286     if (avail < copy) copy = avail;
    287     png_memcpy(output + count, png_ptr->zbuf, copy);
    288 }
    289
    290 count += avail;
    291 ...
    

    After code:

    267 int ret;
    268 unsigned int avail;
    268 ... 
    276 avail = png_ptr->zbuf_size-png_ptr->zstream.avail_out; 
    277 ... 
    283 if (output != 0 && output_size > count) 
    284 { 
    285     unsigned int copy = output_size - count;
    

    The fixer identifies that the variables avail and copy are declared as integers but are used as unsigned integers in all important contexts. It modifies the type of the variables in lines 268 and 285.

  • Add Integer Cast: If integer operations have operands with different types; the end result may contain an unexpected value.
    The Add Integer Cast fixer adds explicit casts for all type mismatches so that they are visible and are properly handled.
    The following is an example form the SAMATE benchmark created by NIST. It is an example of an unexpected sign extension problem (CWE 194), in particular showing a negative value passed to a memcpy function.
    Before code:

    short data;
    ...
    data = -1;
    char dest[100] = "";
    if (data < 100) {
    	...
    	memcpy(dest, src, data);
    

    After code:

    short data;
    ...
    data = -1;
    char dest[100] = "";
    if ((unsigned int) data < 100) {
    	...
    	memcpy(dest, src, data);
    

    The fixer identifies that the comparison inside the if statement has a signedness mismatch, and it explicitly introduces the sign under which the comparison should occur.

  • Safe Library Replacement: Unsafe library functions may cause data injection attacks if they receive insufficiently validated inputs.
    The Safe Library Replacement fixer replaces unsafe functions with safe functions that are not vulnerable even if malicious data is injected.
    Before code:

    char buf[10];
    char src[100];
    memset(src,‘c’, 50);
    src[50] = ‘\0’;
    char *dst = buf;
    strcpy(dst, src);
    

    After code:

    ...
    g_strlcpy(dst, src, sizeof(buf));
    

    The fixer replaces the unsafe strcpy with a safe alternative.

  • Replace Arithmetic Operator: A C program may have a potential integer overflow (or underflow) problem originating from an arithmetic operation.
    The Replace Arithmetic Operator fixer replaces arithmetic operations with a safe function call that detects an overflow (or underflow) and explicitly handles them.
    rdesktop is a popular remote desktop program that allows Linux/Unix systems to remotely control a Windows computer. An integer overflow vulnerability (CVE-2008-1801) was reported in rdesktop version 1.5.0. The problem is integer overflow in a call to tcp_recv function in line 101 inside iso_recv_msg function in iso.c file.
    Before code:

    s = tcp_recv(s, length - 4);
    

    After code:

    s = tcp_recv(s, ui2us(subui(length , 4)));
    

    The fixer replaces the arithmetic operator with a library function that detects the integer overflow at runtime and explicitly handles the case.

Compliance fixers:

There are five compliance fixers that fix compliance problems for C programs.

  • Fix External Linkage: The Fix External Linkage fixer covers compliance with MISRA rules 8.5, 8.6, and 8.7. It ensures that external objects or functions are declared once and in only one file, that an identifier with external linkage has one external definition, and that functions and objects are not defined with external linkage when they are referenced in a single translation unit.
    Before code:

    extern int foo(); 
    int foo() { 
        return 0; 
    }
    

    After code:

    int foo(); 
    int foo() { 
        return 0; 
    }
    

    The fixer finds out that the function name foo was declared as extern in another file and removes the unnecessary specifier in the current file.

  • Canonicalize Declarations and Definitions: The Canonicalize Declarations and Definitions fixer covers MISRA rules 8.1, 8.2, 8.3, and 8.4. This fixer ensures that types are explicit, functions have prototypes, and declarations are visible at time of definition.
    Before code:

    int foo() { 
        int i = 1; 
        return i;    
    }
    

    After code:

    int foo(void); 
    int foo(void) { 
       int i;
       i = 1; 
       return i;
    }
    

    The fixer canonicalizes the function declaration and definition by explicitly introducing the void specification.

  • Ensure Object Is Initialized: The Ensure Object Is Initialized fixer covers MISRA rule 9.1. It checks usages of variables to ensure that no possible uses of uninitialized variables exist.
    Before code:

    int i; 
    if (bool) {
         i = 1; 
    } 
    return i;
    

    After code:

    int i; 
    i = 0;
    if (bool) {
         i = 1; 
    } 
    return i;
    

    The fixer identifies that the variable i may remain uninitialized and it introduces explicit initialization.

  • Ensure Unique Identifiers and Ensure Distinct Identifiers: These two fixers ensure compliance with MISRA rules that state identifiers must be unique at a specific length, depending on scope and spec.
    Before code:

    int identifiernamethatisnotuniqueat32charsA; 
    int identifiernamethatisnotuniqueat32charsB;
    

    After code:

    int identifiernamethatisnotuniqueat32charsA; 
    int MODIFIEDidentifiernamethatisnotuniqueat32charsB;
    

 

Tags: , , , , ,