Medeiros, Ibéria Vitória de SousaFerreira, Tomás Cardoso de Oliveira2024-11-222024-11-2220242024http://hdl.handle.net/10400.5/95600Tese de Mestrado, Engenharia Informática, 2024, Universidade de Lisboa, Faculdade de CiênciasEmbedded systems exist in many devices like IoT, drones, and cyber-physical systems. The security of these devices can be critical, depending on the context they are integrated and their role (e.g., water plant, car). C is the main language used to develop the software for these devices and is known for missing the bounds of its data types, which leads to vulnerabilities like buffers and integer overflows. These flaws, when exploited, cause severe damage and can put human life in danger. Therefore, it is important the software of these devices be secure. One of the utmost importance of C programs is how to fix its code automatically, employing the right secure code to remove existing vulnerabilities and avoid attacks. On the one hand, developers resort to safe versions of the functions susceptive to be exploited; however, if they are not correctly parameterized, vulnerabilities are not avoided. On the other hand, developers may not write secure code. Both tasks face some challenges. For example, how to remove vulnerabilities and how to attest to whether secure functions are correctly used, what is the right secure code needed to remove them, and where to insert this code. Another challenge is maintaining the application’s correct behavior after applying the code correction. This dissertation will tackle this problem through the use of a proposed solution and OverSafe tool, capable of analyzing the C source code and finding places where a vulnerability might exist. The vulnerability is going to be isolated in a Vulnerable Function Case with bound-checks around the vulnerability and fat-pointers to help the performance of the testing, testing that vulnerability, applying a patch to the vulnerability, and re-testing the patched vulnerability, and applying that patch in the source code, after that the behavior of the application is tested to verify if it is normal behavior is maintained. To evaluate the developed tool, the SARD dataset was used along with custom in-house test subjects to test the pipeline of the achieved solution, and real applications collected from the SourceForge repository were used to test if the tool is capable of analyzing real applications. The tool was capable of finding and correcting 2 vulnerabilities from a group of 6 applications, assuring that the tool satisfies the defined objectives.engAnálise Estática de CódigoGuided FuzzingBuffer OverflowCorrecção Automática de códigoSegurança de SoftwareTeses de mestrado - 2024master thesis203741340