IntPatch: Automatically fix integer-overflow-to-buffer-overflow vulnerability at compile-time

Abstract. The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnera-bility is an underestimated threat. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this pa-per, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ pro-grams at compile time. IntPatch utilizes classic type theory and dataflow analysis framework to identify potential IO2BO vulnerabilities, and then instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers to facilitate checking integer overflows. We evaluate IntPatch on a number of real-world applications. It has caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have a negligible runtime performance loss which is averaging about 1%.