Abstract
Integer overflows causing an undefined behavior (called time bombs) are a source of serious vulnerabilities. To effectively detect the time bombs in a lightweight way, this paper proposes a method using 6 fixed integer values (called integer boundary values), and provides a quantitative evaluation by applying it to 19 open source programs. The result shows that the integer boundary values detected 36.7% more time bombs on average than the existing random method. The result also shows that the comparison/bitwise operations amount to 61.3% of undefined behaviors in integer operations, while there is no significant difference between the detection rate of time bombs by the integer boundary values for the comparison/bitwise operations and the others.
