We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.

Introduction 1.1 Preliminaries Constraint programming is an alternative approach to programming in which the programming process is limited to a generation of requirements (constraints) and a solution of these requirements by means of general or domain specific methods. The general methods are usually concerned with techniques of reducing the search space and with specific search methods. In contrast, the domain specific methods are usually provided in the form of special purpose algorithms or specialised packages, usually called constraint solvers. Typical examples of constraint solvers are: ffl a program that solves systems of linear equations, ffl a package for linear programming, ffl an implementation of the unification algorithm, a cornerstone of automated theorem proving. Problems that can be solved in a natural way by means of constraint programming are usually those for which efficient algorithms are

The design and implementation of constraint logic programming (CLP) languages over intervals is revisited. Instead of decomposing complex constraints in terms of simple primitive constraints as in CLP(BNR), complex constraints are manipulated as a whole, enabling more sophisticated narrowing procedures to be applied in the solver. This idea is embodied in a new CLP language Newton whose operational semantics is based on the notion of box-consistency, an approximation of arc-consistency, and whose implementation uses Newton interval method. Experimental results indicate that Newton outperforms existing languages by an order of magnitude and is competitive with some state-of-the-art tools on some standard benchmarks. Limitations of our current implementation and directions for further work are also identified.

Constraint programming is newly flowering in industry. Several companies have recently started up to exploit the technology, and the number of industrial applications is now growing very quickly. This survey will seek, by examples,

This paper provides a comprehensive survey of the most popular constraint-handling techniques currently used with evolutionary algorithms. We review approaches that go from simple variations of a penalty function, to others, more sophisticated, that are biologically inspired on emulations of the immune system, culture or ant colonies. Besides describing briefly each of these approaches (or groups of techniques), we provide some criticism regarding their highlights and drawbacks. A small comparative study is also conducted, in order to assess the performance of several penalty-based approaches with respect to a dominance-based technique proposed by the author, and with respect to some mathematical programming approaches. Finally, we provide some guidelines regarding how to select the most appropriate constraint-handling technique for a certain application, ad we conclude with some of the the most promising paths of future research in this area.

. We show that several constraint propagation algorithms (also called (local) consistency, consistency enforcing, Waltz, filtering or narrowing algorithms) are instances of algorithms that deal with chaotic iteration. To this end we propose a simple abstract framework that allows us to classify and compare these algorithms and to establish in a uniform way their basic properties. Note. This is a full, revised version of our article "From Chaotic Iteration to Constraint Propagation", Proc. of 24th International Colloquium on Automata, Languages and Programming (ICALP '97), (invited lecture) , Springer-Verlag Lecture Notes in Computer Science 1256, pp. 3655, (1997). Keywords: constraint propagation, chaotic iteration, generic algorithms. 1 Introduction 1.1 Motivation Over the last ten years constraint programming emerged as an interesting and viable approach to programming. In this approach the programming process is limited to a generation of requirements ("constraints") and a solut...

Incomplete knowledge of the structure of mechanisms is an important fact of life in reasoning, commonsense or expert, about the physical world. Qualitative simulation captures an important kind of incomplete, ordinal, knowledge, and predicts the set of qualitatively possible behaviors of a mechanism, given a qualitative description of its structure and initial state. However, one frequently has quantitative knowledge as well as qualitative, though seldom enough to specify a numerical simulation.

Search algorithms for solving CSP (Constraint Satisfaction Problems) usually fall into one of two main families: local search algorithms and systematic algorithms. Both families have their advantages. Designing hybrid approaches seems promising since those advantages may be combined into a single approach. In this paper, we present a new hybrid technique. It performs a local search over partial assignments instead of complete assignments, and uses filtering techniques and conflict-based techniques to efficiently guide the search. This new technique benefits from both classical approaches: aprioripruning of the search space from filtering-based search and possible repair of early mistakes from local search. We focus on a specific version of this technique: tabu decision-repair.Experiments done on open-shop scheduling problems show that our approach competes well with the best highly specialized algorithms. 2002 Elsevier Science B.V. All rights reserved.

Prolog can be extended by a system of constraints on closed intervals to perform declarative relational arithmetic. Imposing constraints on an interval can narrow its range and propagate the narrowing to other intervals related to it by constraint equations or inequalities. Relational interval arithmetic can be used to contain #oating point errors and, when combined with Prolog backtracking, to obtain numeric solutions to linear and non-linear rational constraint satisfaction problems over the reals #e.g. n-degree polynomial equations#. This technique di#ers from other constraint logic programming #CLP# systems like CLP### or Prolog-III in that it does not do any symbolic processing. 1

We consider constraint satisfaction problemswith variables in continuous,numerical domains. Contrary to most existing techniques, which focus on computing one single optimal solution, we address the problem of computing a compact representation of the space of all solutions admitted by the constraints. In particular, we show how globally consistent (also called decomposable) labelings of a constraint satisfaction problem can be computed.