Results 1  10
of
92
A First Step towards Automated Detection of Buffer Overrun Vulnerabilities
 In Network and Distributed System Security Symposium
, 2000
"... We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can ..."
Abstract

Cited by 338 (10 self)
 Add to MetaCart
We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotelyexploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.
Verification by abstract interpretation
 In Verification: Theory and Practice
, 2003
"... Dedicated to Zohar Manna, for his 2 6 th birthday. Abstract. Abstract interpretation theory formalizes the idea of abstraction of mathematical structures, in particular those involved in the specification of properties and proof methods of computer systems. Verification by abstract interpretation is ..."
Abstract

Cited by 195 (16 self)
 Add to MetaCart
Dedicated to Zohar Manna, for his 2 6 th birthday. Abstract. Abstract interpretation theory formalizes the idea of abstraction of mathematical structures, in particular those involved in the specification of properties and proof methods of computer systems. Verification by abstract interpretation is illustrated on the particular cases of predicate abstraction, which is revisited to handle infinitary abstractions, and on the new parametric predicate abstraction. 1
CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows In C
, 2000
"... Erroneous string manipulations are a major source of software defects in C programs yielding vulnerabilities which are exploited by software viruses. We present C String Static Verifyer (CSSV), a tool that statically uncovers all string manipulation errors. Being a conservative tool, it reports all ..."
Abstract

Cited by 116 (6 self)
 Add to MetaCart
Erroneous string manipulations are a major source of software defects in C programs yielding vulnerabilities which are exploited by software viruses. We present C String Static Verifyer (CSSV), a tool that statically uncovers all string manipulation errors. Being a conservative tool, it reports all such errors at the expense of sometimes generating false alarms. Fortunately, only a small number of false alarms are reported, thereby proving that statically reducing software vulnerability is achievable. CSSV handles large programs by analyzing each procedure separately. For this, procedures' contracts are allowed which are veri ed by the tool.
Analyzing Memory Accesses in x86 Executables
 In CC
, 2004
"... This paper concerns staticanalysis algorithms for analyzing x86 executables. ..."
Abstract

Cited by 114 (27 self)
 Add to MetaCart
This paper concerns staticanalysis algorithms for analyzing x86 executables.
Model Checking in CLP
, 1999
"... We show that Constraint Logic Programming (CLP) can serve as a conceptual basis and as a practical implementation platform for the model checking of infinitestate systems. Our contributions are: (1) a semanticspreserving translation of concurrent systems into CLP programs, (2) a method for verifyi ..."
Abstract

Cited by 89 (27 self)
 Add to MetaCart
We show that Constraint Logic Programming (CLP) can serve as a conceptual basis and as a practical implementation platform for the model checking of infinitestate systems. Our contributions are: (1) a semanticspreserving translation of concurrent systems into CLP programs, (2) a method for verifying safety and liveness properties on the CLP programs produced by the translation. We have implemented the method in a CLP system and verified wellknown examples of infinitestate programs over integers, using here linear constraints as opposed to Presburger arithmetic as in previous solutions.
SATbased Verification without State Space Traversal
 In Formal Methods in ComputerAided Design
, 2000
"... . Binary Decision Diagrams (BDDs) have dominated the area of symbolic model checking for the past decade. Recently, the use of satisfiability (SAT) solvers has emerged as an interesting complement to BDDs. SATbased methods are capable of coping with some of the systems that BDDs are unable to h ..."
Abstract

Cited by 67 (3 self)
 Add to MetaCart
. Binary Decision Diagrams (BDDs) have dominated the area of symbolic model checking for the past decade. Recently, the use of satisfiability (SAT) solvers has emerged as an interesting complement to BDDs. SATbased methods are capable of coping with some of the systems that BDDs are unable to handle. The most challenging problem that has to be solved in order to adapt standard symbolic model checking to SATsolvers is the boolean quantification necessary for traversing the state space. A possible approach to extending the applicability of SATbased model checkers is therefore to reduce the amount of traversal. In this paper, we investigate a BDDbased verification algorithm due to van Eijk. Van Eijk's algorithm tries to compute information that is sufficient to prove a given safety property directly. When this is not possible, the computed information can be used to reduce the amount of traversal needed by standard model checking algorithms. We convert van Eijk's algori...
Scalable analysis of linear systems using mathematical programming
 In Proc. VMCAI, LNCS 3385
, 2005
"... Abstract. We present a method for generating linear invariants for domain consisting of arbitrary polyhedra of a predefined fixed shape. The basic operations on the domain like abstraction, intersection, join and inclusion tests are all posed as linear optimization queries, which can be solved effic ..."
Abstract

Cited by 67 (8 self)
 Add to MetaCart
Abstract. We present a method for generating linear invariants for domain consisting of arbitrary polyhedra of a predefined fixed shape. The basic operations on the domain like abstraction, intersection, join and inclusion tests are all posed as linear optimization queries, which can be solved efficiently by existing LP solvers. The number and dimensionality of the LP queries are polynomial in the program dimensionality, size and the number of target invariants. The method generalizes similar analyses in the interval, octagon, and octahedra domains, without resorting to polyhedral manipulations. We demonstrate the performance of our method on some benchmark programs. 1
Linear invariant generation using nonlinear constraint solving
 IN COMPUTER AIDED VERIFICATION
, 2003
"... We present a new method for the generation of linear invariants which reduces the problem to a nonlinear constraint solving problem. Our method, based on Farkas' Lemma, synthesizes linear invariants by extracting nonlinear constraints on the coefficients of a target invariant from a program. These ..."
Abstract

Cited by 66 (12 self)
 Add to MetaCart
We present a new method for the generation of linear invariants which reduces the problem to a nonlinear constraint solving problem. Our method, based on Farkas' Lemma, synthesizes linear invariants by extracting nonlinear constraints on the coefficients of a target invariant from a program. These constraints guarantee that the linear invariant is inductive. We then apply existing techniques, including specialized quantifier elimination methods over the reals, to solve these nonlinear constraints. Our method has the advantage of being complete for inductive invariants. To our knowledge, this is the first sound and complete technique for generating inductive invariants of this form. We illustrate the practicality of our method on several examples, including cases in which traditional methods based on abstract interpretation with widening fail to generate sufficiently strong invariants.
WYSINWYX: What You See Is Not What You eXecute
, 2009
"... Over the last seven years, we have developed staticanalysis methods to recover a good approximation to the variables and dynamicallyallocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how the ..."
Abstract

Cited by 53 (10 self)
 Add to MetaCart
Over the last seven years, we have developed staticanalysis methods to recover a good approximation to the variables and dynamicallyallocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how they are used to recover intermediate representations (IRs) from executables that are similar to the IRs that would be available if one started from source code, and describes their application in the context of program understanding and automated bug hunting. Unlike algorithms for analyzing executables that existed prior to our work, the ones presented in this paper provide useful information about memory accesses, even in the absence of debugging information. The ideas described in the paper are incorporated in a tool for analyzing Intel x86 executables, called CodeSurfer/x86. CodeSurfer/x86 builds a system dependence graph for the program, and provides a GUI for exploring the graph by (i) navigating its edges, and (ii) invoking operations, such as forward slicing, backward slicing, and chopping, to discover how parts of the program can impact other parts. To assess the usefulness of the IRs recovered by CodeSurfer/x86 in the context of automated bug hunting, we built a tool on top of CodeSurfer/x86, called DeviceDriver Analyzer for x86
Calculating Sized Types
 HigherOrder and Symbolic Computation
, 2001
"... Many program optimizations and analyses, such as arraybounds checking, termination analysis, etc, depend on knowing the size of a function's input and output. However, size information can be dicult to compute. Firstly, accurate size computation requires detecting a size relation between different ..."
Abstract

Cited by 52 (10 self)
 Add to MetaCart
Many program optimizations and analyses, such as arraybounds checking, termination analysis, etc, depend on knowing the size of a function's input and output. However, size information can be dicult to compute. Firstly, accurate size computation requires detecting a size relation between different inputs of a function. Secondly, different optimizations and analyses may require slightly different size information, and thus slightly different computation. Literature in size computation has mainly concentrated on size checking, instead of size inference. In this paper, we provide a generic framework on which di erent size variants can be expressed and computed. We also describe an effective algorithm for inferring, instead of checking, size information. Size information are expressed in terms of Presburger formulae, and our algorithm utilizes the Omega Calculator to compute as exact a size information as possible, within the linear arithmetic capability.