Reactive Systems logo
October 22, 2018

Reactis for C Finds Runtime Error in Open-Source Encryption Program

Cary, NC (March 21, 2011) -- A beta version of Reactis for C, Reactive Systems' newly released automated test-generation tool and simulation environment for C programs, was used to find a previously unknown runtime error in an open-source version of the AES encryption standard. AES is a symmetric-key encryption algorithm adopted by the US government in 2000, and declared secure enough to protect classified information up to the TOP SECRET level in 2003. The AES program was published on the Planet Source Code open-source code repository in 2004. The bug discovered by Reactis for C was reported to the program's developer, who subsequently published it along with instructions on how to fix the coding error, so others could benefit from the finding.

The bug in question was an out-of-bounds array index, a runtime error that goes by the name of "Buffer Overflow" in the Computer Security community. It had gone undiscovered since the AES program's initial release, a period of seven years. Buffer overflow is a well known security breach responsible for a number of highly publicized attacks, including the Code Red worm, which exploited a buffer overflow in Microsoft's Internet Information Services (IIS) 5.0, and the SQL Slammer worm, which compromised machines running Microsoft SQL Server 2000.

The application of Reactis for C on the Planet Source Code AES program was carried out by Stony Brook University Computer Science undergraduate Chris Wischerth. Chris was enrolled in the Fall 2010 version of CSE 487, Research in Computer Science, under the supervision of Professor Scott Smolka, a Stony Brook Computer Science faculty member and co-founder of Reactive Systems.

Reactis for C's ability to unearth this runtime error in the Planet Source Code AES program nicely illustrates the tool's capabilities. Reactis for C should be part of every C-code developer's tool-box.