Software Engineering Institute

A serious limitation in assuring the security of DoD software is the inability to take a codebase and either verify that it is memory safe or repair potential bugs to make it memory safe. Existing static analysis tools either report an enormous number of false alarms or fail to report true vulnerabilities. We propose to design and implement a technique for automatically repairing (in the source code) all potential violations of memory safety so that the program is provably memory safe.