CorCA: An Automatic Program Repair Tool for Checking and Removing Effectively C Flaws

Embedded systems are present in many devices, such as the Internet of Things, drones, and cyber-physical systems. The software security of these devices can be critical, depending on the context they are integrated and the role they play (e.g., water plants, vehicles). C is the core language used to develop the software for these devices and is known for missing the bounds of its data types, which leads to vulnerabilities such as buffer overflows. These vulnerabilities, when exploited, can cause severe damage and put human life in danger. One of the concerns with vulnerable C programs is to correct the code automatically and adequately, employing secure code that can remove the existing vulnerabilities and avoid attacks. However, such a task faces some challenges, namely determining what code is needed to remove them and, at the same time, ensuring the correct behaviour of the program, where to insert it, and verifying that the correction applied is secure and effectively removes the vulnerabilities. Another challenge is to accomplish all these elements in an automated manner. This paper presents an approach that automatically, after discovering and confirming potential vulnerabilities of an application, applies code correction to fix the vulnerable code of those confirmed vulnerabilities and validates the new code. We implemented the approach, resulting in the CorCA [1] tool, and evaluated it with a set of tests and real applications. The experimental results showed that the tool was capable of detecting vulnerabilities and fixing them correctly.