Integer overflow is one of the most dangerous defects for programs. Many kinds of static analysis techniques and dynamic test methods have been provided to detect it, not only for programs with source code but also with binary code. One of the most important problems which restrict their effectiveness is the test oracle problem. Especially for scientific computing programs and other complex programs integer overflow detection, it is not an easy work because there is often no test oracle to indicate whether it is an integer overflow error, unless the program throws an exception or leads to crash. And more important, in most cases, the program will be an undistinguished performance, when an integer overflow happens. Thus, integer overflows cannot be detected as soon as possible. To help address the problem, this paper proposes a technique in which metamorphic relations are plugged in the program for runtime-testing integer overflows. In order to illustrate the feasibility and evaluate the effectiveness of our method, two case studies are introduced. The results show that, metamorphic relations cannot only alleviate the oracle problem, but can also be used to detect integer overflow effectively, which will prevent the inducing sink accidents. Our method will also be helpful to other kinds of fault detection.
MaoguiH. and JinfengW., Application of Automated Testing Tool in Gis Modeling, Paper Presented at the Software Engineering, wcse 09, World Congress on, 2009.
2.
ChenT.Y., KuoF.-C. and WongW.E., Does Adaptive Random Testing Deliver a Higher Confidence Than Random Testing?Paper Presented at the Quality Software, Qsic 08, the Eighth International Conference on, 2008.
3.
Nvd: National Vulnerability Database. In http://nvd.nist.gov/, 2010.
MITRE, Corporation. “Cve-2002-0639: Integer Overflow in Sshd in Openssh.” (2002), http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2002-0639.
6.
Cve-2010-2753: Integer Overflow in Mozilla Firefox, Thunderbird and Seamonkey.” (2010), http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2010-2753.
7.
OffuttA.J., RothermelG. and ZapfC., An Experimental Evaluation of Selective Mutation, Paper Presented at the Software Engineering, Proceedings, International Conference on, 1993.
8.
DietzW., LiP., RegehrJ., AdveV., Understanding Integer Overflow in C/C++, Paper Presented at the International Conference on Software Engineering, Zurich, Switzerland, 2012.
9.
WangT., WeiT., LinZ. and ZouW., Intscope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution, Paper Presented at the In Proceedings of the 16th Network and Distributed System Security Symposium (NDSS’09), San Diego, CA, 2009.
10.
ChanF.T., ChenT.Y., MakI.K. and YuY.T., Proportional sampling strategy: Guidelines for software testing practitioners, Information and Software Technology38(12) (1996), 775–782.
11.
ErnstM.D., Invited Talk Static and Dynamic Analysis: Synergy and Duality. In Proceedings of the 5th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, Washington DC, USA: ACM, 2004, pp. 35–35.
12.
WichmannB.A., CanningA.A., ClutterbuckD.L., WinsborrowL.A., WardN.J. and MarshD.W.R., Industrial perspective on static analysis, Software Engineering Journal10(2) (1995), 69–75.
13.
ChenP., WangY., XinZ., MaoB. and LiX., Brick: A Binary Tool for Run-Time Detecting and Locating Integer-Based Vulnerability, Paper presented at the Availability, Reliability and Security, 2009, ARES ’09. International Conference on, 2009, pp. 16–19.
14.
WangT., WeiT., LinZ. and ZouW., Intscope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution, Paper presented at the Proceedings of 2009 Network and Distributed System Security Symp, San Diego, 2009.
15.
CeesayE.N., ZhouJ., GertzM., LevittK. and BishopM., Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs, Paper presented at the Proceedings of DIMVA 2006, 2006.
16.
WagnerD., FosterJ.S., BrewerE.A. and AikenA., A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities, In Network and Distributed System Security Symposium, 2000.
17.
SezerE.C., NingP., KilC. and XuJ., Memsherlock: An Automated Debugger for Unknown Memory Corruption Vulnerabilities, In ACM Conference on Computer and Communications Security, 2007, pp. 562–572.
18.
GodefroidP., LevinM.Y. and MolnarD.A., Automated Whitebox Fuzz Testing, In Network and Distributed System Security Symposium, 2008.
19.
BabićD., MartignoniL., McCamantS. and SongD., Statically-Directed Dynamic Automated Test Generation, 2011.
20.
WeyukerE.J., On testing non-testable programs, The Computer Journal25(4) (1982), 465–470.
21.
LionsJ.L., Ariane 501 Failure: Report by the Inquiry Board, 1996.
22.
HailpernB. and SanthanamP., Software debugging, testing, and verification, IBM Systems Journal41(1) (2002), 4–12.
23.
ChenT.Y., CheungS.C. and YiuS.M., Metamorphic Testing: A New Approach for Generating Next Test Cases, Department of Computer Science, Hong Kong University of Science and Technology, Tech Rep HKUST-CS98-01, 1998.
24.
HuiZ., HuangS., RenZ. and YaoY., Metamorphic testing integer overflow faults of mission critical program: A case study, Mathematical Problems in Engineering2013 (2013), 6.
25.
SeacordR., Secure coding in C and C++ of strings and integers, Security & Privacy, IEEE4(1) (2006), 74–76.
26.
MolnarD., LiX.C. and WagnerD., Dynamic Test Generation to Find Integer Bugs in X86 Binary Linux Programs, In USENIX Security Symposium, 2009, pp. 67–82.
27.
SchwartzE.J., AvgerinosT. and BrumleyD., All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask), In IEEE Symposium on Security and Privacy, 2010, pp. 317–31.
28.
ChenT.Y., KuoF.-C., LiuY. and TangA., Metamorphic Testing and Testing with Special Values. Paper presented at the SNPD, 2004.
29.
HuiZ.W. and HuangS., A Formal Model for Metamorphic Relation Decomposition, In 2013 Fourth World Congress on Software Engineering, Hong Kong, China, 2013, pp. 64–68.
30.
ChenT.Y., HuangD.H., TseT.H. and ZhouZ.Q., Case Studies on the Selection of Useful Relations in Metamorphic Testing, (JIISIC 2004), Paper presented at the Proceedings of the 4th Ibero-American Symposium on Software Engineering and Knowledge Engineering, 2004.
31.
ChessB. and WestJ., Secure Programming with Static Analysis: Addison-Wesley Professional, 2007.
HuiZ., HuangS., HuB. and RenZ., A Taxonomy of Software Security Defects for Sst, 2010.
35.
MorascaS., Serra-CapizzanoS., On the Analytical Comparison of Testing Techniques, Paper presented at the ACM SIGSOFT Software Engineering Notes, 2004.
36.
ChenT.Y., KuoF.-C. and MerkelR., On the Statistical Properties of the F-Measure, Paper presented at the Quality Software, 2004 QSIC 2004 Proceedings Fourth International Conference on, 2004.
37.
MayerJ. and GuderleiR., An Empirical Study on the Selection of Good Metamorphic Relations, Paper presented at the Computer Software and Applications Conference, 2006 COMPSAC’06 30th Annual International, 2006.
38.
DoH., ElbaumS.G. and RothermelG., Supporting controlled experimentation with testing techniques: An infrastructure and its potential impact, Empirical Software Engineering10(4) (2005), 405–435.
39.
ChenT.Y., KuoF.-C., TseT.H. and ZhouZ.Q., Metamorphic Testing and Beyond, Paper presented at the Software Technology and Engineering Practice, 2003. Eleventh Annual International Workshop on, 2003.
