Results 1 - 10 of 107
A First Step towards Automated Detection of Buffer Overrun Vulnerabilities
In Network and Distributed System Security Symposium, 2000
Cited by 396 (9 self)
Abstract: We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs.
The Octagon Abstract Domain
Cited by 328 (24 self)
Abstract: ... domain for static analysis by abstract interpretation. It extends a former numerical abstract domain based on Difference-Bound Matrices and allows us to represent invariants of the form (±x ± y ≤ c), where x and y are program variables and c is a real constant. We focus on giving an efficient representation based on Difference-Bound Matrices (O(n²) memory cost, where n is the number of variables) and graph-based algorithms for all common abstract operators (O(n³) time cost). This includes a normal form algorithm to test equivalence of representation and a widening operator to compute least fixpoint approximations.
Extended static checking
SRC Research Report 159, Compaq Systems Research Center, 1998
Termination proofs for systems code
In PLDI '06: Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation, 2006
Cited by 179 (40 self)
Abstract: Program termination is central to the process of ensuring that systems code can always react. We describe a new program termination prover that performs a path-sensitive and context-sensitive program analysis and provides capacity for large program fragments (i.e. more than 20,000 lines of code) together with support for programming language features such as arbitrarily nested loops, pointers, function pointers, side effects, etc. We also present experimental results on device driver dispatch routines from the Windows operating system. The most distinguishing aspect of our tool is how it shifts the balance between the two tasks of constructing and respectively checking the termination argument. Checking becomes the hard step. In this paper we show how we solve the corresponding challenge of checking with binary reachability analysis.
Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions
PLDI 2000, 2000
Cited by 135 (15 self)
Abstract: This paper presents a novel framework for the symbolic bounds analysis of pointers, array indices, and accessed memory regions. Our framework formulates each analysis problem as a system of inequality constraints between symbolic bound polynomials. It then reduces the constraint system to a linear program. The solution to the linear program provides symbolic lower and upper bounds for the values of pointer and array index variables and for the regions of memory that each statement and procedure accesses. This approach eliminates fundamental problems associated with applying standard fixed-point approaches to symbolic analysis problems. Experimental results from our implemented compiler show that the analysis can solve several important problems, including static race detection, automatic parallelization, static detection of array bounds violations, elimination of array bounds checks, and reduction of the number of bits used to store computed values.
The Range Test: A Dependence Test for Symbolic, Nonlinear
Proceedings of Supercomputing '94, Washington D.C., 1994
Cited by 89 (17 self)
Abstract: Most current data dependence tests cannot handle loop bounds or array subscripts that are symbolic, nonlinear expressions (e.g. A(n i+j), where 0 j n). In this paper, we describe a dependence test, called the range test, that can handle such expressions. Briefly, the range test proves independence by determining whether certain symbolic inequalities hold for a permutation of the loop nest. Powerful symbolic analyses and constraint propagation techniques were developed to prove such inequalities. The range test has been implemented in Polaris, a parallelizing compiler being developed at the University of Illinois.
Putting static analysis to work for verification: A case study
In Int. Symp. on Softw. Testing and Analysis, 2000
Cited by 88 (20 self)
Abstract: We study how program analysis can be used to: (1) automatically prove partial correctness of correct programs; (2) discover, locate, and diagnose bugs in incorrect programs. Specifically, we present an algorithm that analyzes sorting programs that manipulate linked lists. A prototype of the algorithm has been implemented. We show that the algorithm is sufficiently precise to discover that (correct versions of) bubble-sort and insertion-sort procedures do, in fact, produce correctly sorted lists as outputs, and that the invariant "is-sorted" is maintained by list-manipulation operations such as element insertion, element deletion, and even destructive list reversal and merging of two sorted lists. When we run the algorithm on erroneous versions of bubble-sort and insertion-sort procedures, it is able to discover and sometimes even locate and diagnose the error. 1 Introduction. This paper shows that static analysis can be employed to (1) automatically prove partial correctness of correct programs; (2)
Catching Bugs in the Web of Program Invariants
1996
Cited by 72 (26 self)
Abstract: MrSpidey is a user-friendly, interactive static debugger for Scheme. A static debugger supplements the standard debugger by analyzing the program and pinpointing those program operations that may cause run-time errors such as dereferencing the null pointer or applying non-functions. The program analysis of MrSpidey computes value set descriptions for each term in the program and constructs a value flow graph connecting the set descriptions. Using the set descriptions, MrSpidey can identify and highlight potentially erroneous program operations, whose cause the programmer can then explore by selectively exposing portions of the value flow graph.
DrScheme: A Pedagogic Programming Environment for Scheme
In Proc. International Symposium on Programming Languages: Implementations, Logics, and Programs, 1997
Cited by 69 (24 self)
Abstract: Teaching introductory computing courses with Scheme elevates the intellectual level of the course and thus makes the subject more appealing to students with scientific interests. Unfortunately, the poor quality of the available programming environments negates many of the pedagogic advantages. To overcome this problem, we have developed DrScheme, a comprehensive programming environment for Scheme. It fully integrates a graphics-enriched editor, a multi-lingual parser that can process a hierarchy of syntactically restrictive variants of Scheme, a functional read-eval-print loop, and an algebraically sensible printer. The environment catches the typical syntactic mistakes of beginners and pinpoints the exact source location of run-time exceptions. DrScheme also provides an algebraic stepper, a syntax checker and a static debugger. The first reduces Scheme programs, including programs with assignment and control effects, to values (and effects). The tool is useful for explaining the sem...
Transition predicate abstraction and fair termination
In POPL, 2005
Cited by 65 (15 self)
Abstract: Predicate abstraction is the basis of many program verification tools. Until now, the only known way to overcome the inherent limitation of predicate abstraction to safety properties was to manually annotate the finite-state abstraction of a program. We extend predicate abstraction to transition predicate abstraction. Transition predicate abstraction goes beyond the idea of finite abstract-state programs (and checking the absence of loops). Instead, our abstraction algorithm transforms a program into a finite abstract-transition program. Then, a second algorithm checks fair termination. The two algorithms together yield an automated method for the verification of liveness properties under full fairness assumptions (justice and compassion). In summary, we exhibit principles that extend the applicability of predicate abstraction-based program verification to the full set of temporal properties.