Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs
Source: Springer Science+Business Media
Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string-related buffer overflow vulnerabilities, the authors present an approach to automatically detect potential integer misuse, such as integer overflows, in C programs. The tool is based on CQual, a static analysis tool using type theory. The techniques have been implemented and tested on several widely used open source applications. Using the tool, they found known and unknown integer-related vulnerabilities in these applications.
Date: Nov 2006



