Results 1 
9 of
9
A First Step towards Automated Detection of Buffer Overrun Vulnerabilities
 In Network and Distributed System Security Symposium
, 2000
"... We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can ..."
Abstract

Cited by 339 (10 self)
 Add to MetaCart
We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotelyexploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.
A Class of Polynomially Solvable Range Constraints for Interval Analysis without Widenings and Narrowings
 In Tools and Algorithms for the Construction and Analysis of Systems
, 2004
"... In this paper, we study the problem of solving integer range constraints that arise in many static program analysis problems. In particular, we present the first polynomial time algorithm for a general class of integer range constraints. In contrast with abstract interpretation techniques based o ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
In this paper, we study the problem of solving integer range constraints that arise in many static program analysis problems. In particular, we present the first polynomial time algorithm for a general class of integer range constraints. In contrast with abstract interpretation techniques based on widenings and narrowings, our algorithm computes, in polynomial time, the optimal solution of the arising fixpoint equations. Our result implies that "precise" range analysis can be performed in polynomial time without widening and narrowing operations.
Modular Verification of SRT Division
, 1996
"... . We describe a formal specification and mechanized verification in PVS of the general theory of SRT division along with a specific hardware realization of the algorithm. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
. We describe a formal specification and mechanized verification in PVS of the general theory of SRT division along with a specific hardware realization of the algorithm. The specification demonstrates how attributes of the PVS language (in particular, predicate subtypes) allow the general theory to be developed in a readable manner that is similar to textbook presentations, while the PVS table construct allows direct specification of the implementation's quotient lookup table. Verification of the derivations in the SRT theory and for the data path and lookup table of the implementation are highly automated and performed for arbitrary, but finite precision; in addition, the theory is verified for general radix, while the implementation is specialized to radix 4. The effectiveness of the automation stems from the tight integration in PVS of rewriting with decision procedures for equality, linear arithmetic over integers and rationals, and propositional logic. This example demonstrates t...
Integrating Sensing, Task Planning and Execution for Robotic Assembly
 IEEE Trans. on Robotics and Automation
, 1996
"... AbstractThis paper deals with enhancing the level of autonomy in a robotic work cell. With that mission in mind, we present here an integrated framework for the sensing, the planning, and the execution aspects of assembly. In experimental demonstrations of this system on a PUMA762, we can now throw ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
AbstractThis paper deals with enhancing the level of autonomy in a robotic work cell. With that mission in mind, we present here an integrated framework for the sensing, the planning, and the execution aspects of assembly. In experimental demonstrations of this system on a PUMA762, we can now throw objects randomly into the workspace of the robot and the robot then automatically synthesizes a manipulation plan that includes the operations of sensing, grasping, and regrasping. Each operation is invoked only when it is deemed necessary for the successful execution of assembly. I.
Extending the classical AI planning paradigm to robotic assembly planning
 In Proceedings 1990 IEEE Internactional Conference on Robotics and Automation
, 1990
"... This paper describes SPAR, a task planner that has been implemented on a PUMA 762. SPAR is capable of formulating manipulation plans to meet specified assembly goals; these manipulation plans include grasping and regrasping operations if they are deemed necessary for successful completion of assembl ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
This paper describes SPAR, a task planner that has been implemented on a PUMA 762. SPAR is capable of formulating manipulation plans to meet specified assembly goals; these manipulation plans include grasping and regrasping operations if they are deemed necessary for successful completion of assembly. SPAR goes beyond the classical AI planners, in the sense that SPAR is capable of solving geometric goals associated with highlevel symbolic goals. So if a highlevel symbolic goal is on(A,B), SPAR can also entertain the geometric conditions associated with such a goal. Therefore, a simple goal such as on(A,B) may or may not be found to be feasible depending on the kinematic constraints implied by the associated geometric conditions. SPAR has available to it a userdefined repertoire of actions for solving goals and associated with each action is an uncertainty precondition that defines the mazimum uncertainty in the world description that would guarantee the successful ezecution of that action. SPAR has been implemented as a nonlinear constraint posting planner. 1.
Recognition of Object Classes From Range Data
 Artificial Intelligence
, 1995
"... We develop techniques for recognizing instances of 3D object classes (which may consist of multiple and/or repeated subparts with internal degrees of freedom, linked by parameterized transformations), from sets of 3D feature observations. Recognition of a class instance is structured as a search of ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
We develop techniques for recognizing instances of 3D object classes (which may consist of multiple and/or repeated subparts with internal degrees of freedom, linked by parameterized transformations), from sets of 3D feature observations. Recognition of a class instance is structured as a search of an interpretation tree in which geometric constraints on pairs of sensed features not only prune the tree, but are used to determine upper and lower bounds on the model parameter values of the instance. A realvalued constraint propagation network unifies the representations of the model parameters, model constraints and feature constraints, and provides a simple and effective mechanism for accessing and updating parameter values. Recognition of objects with multiple internal degrees of freedom, including nonuniform scaling and stretching, articulations, and subpart repetitions, is demonstrated and analysed for two different types of real range data: 3D edge fragments from a stereo vision ...
Formal Methods For RealTime Systems
, 1996
"... Model At this point, while the model is defined formally, the notion of event is not. The notion of event is an intuitive idea, and is meant to be identified with some occurrence of the system being modeled that is of interest to the user. While this is a useful idea, it is not a formal definition. ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Model At this point, while the model is defined formally, the notion of event is not. The notion of event is an intuitive idea, and is meant to be identified with some occurrence of the system being modeled that is of interest to the user. While this is a useful idea, it is not a formal definition. The semantics of the previous section charac 21 terize an event by its properties, namely, what kind of event is it, and when does it happen. That information is sufficient for the RTM, and what follows. This section, however, will recast the model by attempting to give a more explicit definition of event, and show how the semantics can be built up from this definition. The definition in this section will not be referred to again in what follows though, and is intended primarily as an illustration that if necessary, the intuitive notion of event can be defined, although the intuitive notion may be more satisfying, and is more useful from the perspective of a specification writer. The abst...
Validity Checking for Finite Automata over Linear Arithmetic Constraints
"... Abstract In this paper, we introduce a new validity checking problem over linear arithmetic constraints and present a decision procedure for the problem. Instead of considering the validity of any particular linear arithmetic constraint, we consider the following problem: Given a finite automaton ac ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract In this paper, we introduce a new validity checking problem over linear arithmetic constraints and present a decision procedure for the problem. Instead of considering the validity of any particular linear arithmetic constraint, we consider the following problem: Given a finite automaton accepting linear arithmetic constraints, does the automaton produce any constraint that is a tautology? This problem arises in the context of static verification of metaprograms, i.e., programs dynamically generating other programs. This paper gives the first decision procedure to perform validity checking of finite automata over linear arithmetic constraints. Our algorithm will enable advanced verification of metaprograms. 1