Repository logo
 
Thumbnail Image
Publication

Trustworthy software by quality attesting of secure code and repairing flaws

2024Master thesis Open access
http://hdl.handle.net/10400.5/95600
Use this identifier to reference this record.
Name:Description:Size:Format: 
TM_Tomás_Ferreira.pdf1.19 MBAdobe PDF Download

Authors

Ferreira, Tomás Cardoso de Oliveira

Advisor(s)

Medeiros, Ibéria Vitória de Sousa

Abstract(s)

Embedded systems exist in many devices like IoT, drones, and cyber-physical systems. The security of these devices can be critical, depending on the context they are integrated and their role (e.g., water plant, car). C is the main language used to develop the software for these devices and is known for missing the bounds of its data types, which leads to vulnerabilities like buffers and integer overflows. These flaws, when exploited, cause severe damage and can put human life in danger. Therefore, it is important the software of these devices be secure. One of the utmost importance of C programs is how to fix its code automatically, employing the right secure code to remove existing vulnerabilities and avoid attacks. On the one hand, developers resort to safe versions of the functions susceptive to be exploited; however, if they are not correctly parameterized, vulnerabilities are not avoided. On the other hand, developers may not write secure code. Both tasks face some challenges. For example, how to remove vulnerabilities and how to attest to whether secure functions are correctly used, what is the right secure code needed to remove them, and where to insert this code. Another challenge is maintaining the application’s correct behavior after applying the code correction. This dissertation will tackle this problem through the use of a proposed solution and OverSafe tool, capable of analyzing the C source code and finding places where a vulnerability might exist. The vulnerability is going to be isolated in a Vulnerable Function Case with bound-checks around the vulnerability and fat-pointers to help the performance of the testing, testing that vulnerability, applying a patch to the vulnerability, and re-testing the patched vulnerability, and applying that patch in the source code, after that the behavior of the application is tested to verify if it is normal behavior is maintained. To evaluate the developed tool, the SARD dataset was used along with custom in-house test subjects to test the pipeline of the achieved solution, and real applications collected from the SourceForge repository were used to test if the tool is capable of analyzing real applications. The tool was capable of finding and correcting 2 vulnerabilities from a group of 6 applications, assuring that the tool satisfies the defined objectives.

Description

Tese de Mestrado, Engenharia Informática, 2024, Universidade de Lisboa, Faculdade de Ciências

Keywords

Análise Estática de Código Guided Fuzzing Buffer Overflow Correcção Automática de código Segurança de Software Teses de mestrado - 2024

URI

http://hdl.handle.net/10400.5/95600

Pedagogical Context

Citation

Research Projects

Organizational Units

Journal Issue

Publisher

Collections

FC-DI - Master Thesis (dissertation)

CC License