Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Open Source Programming Software

MIT Debuts Integer Overflow Debugger 40

msm1267 writes Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.
This discussion has been archived. No new comments can be posted.

MIT Debuts Integer Overflow Debugger

Comments Filter:
  • Sad to say, my own code probably has a huge number of them. I'd approximate it as:

    (int)0xFFFF... with a bunch more F's
  • Flawed (Score:5, Funny)

    by ArcadeMan ( 2766669 ) on Thursday March 26, 2015 @03:18PM (#49348941)

    Researchers from the school's Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection.

    The one problem with their method is that it can only detect overflows in one direction.

    • The one problem with their method is that it can only detect overflows in one direction.

      No need to worry about that anymore. Zayn Malik has left in order to fix that.

    • The one problem with their method is that it can only detect overflows in one direction.

      Harry Styles just had an overflow...

    • The one problem with their method is that it can only detect overflows in one direction

      and that one of the modules has already dropped out.

  • by K. S. Kyosuke ( 729550 ) on Thursday March 26, 2015 @03:58PM (#49349357)
    MIT already has an "integer overflow debugger" decades ago. It was called Lisp.
  • gcc -ftrapv
    gcc -fsanitize=undefined

  • What's Mel Kaye [wikipedia.org]'s opinion about all this?
  • I ran this on my microcontroller code, and it found all sorts of these errors in all my timer and counter code. Now I have to go patch it all before any of those overflows happen. Thanks MIT!

If all else fails, lower your standards.

Working...