## Buffer Overrun Detection using Linear Programming and Static Analysis (2003)

Venue: Proceedings of the 10th ACM Conference on Computer and Communications Security (2003)

Citations: 44 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Ganapathy03bufferoverrun,
  author    = {Vinod Ganapathy and Somesh Jha},
  title     = {Buffer Overrun Detection using Linear Programming and Static Analysis},
  booktitle = {Proceedings of the 10th ACM Conference on Computer and Communications Security},
  year      = {2003},
  pages     = {345--354},
  publisher = {ACM Press}
}
```

### Abstract

This paper addresses the issue of identifying buffer overrun vulnerabilities by statically analyzing C source code. We demonstrate a lightweight analysis based on modeling C string manipulations as a linear program. We also present fast, scalable solvers based on linear programming, and demonstrate techniques to make the program analysis context sensitive. Based on these techniques, we built a prototype and used it to identify several vulnerabilities in popular security-critical applications.

### Citations

Each entry lists the cited work (prefixed by its own citation count) followed by the context in which this paper cites it.

- 8542 | Introduction to Algorithms - Cormen, Leiserson, et al. - 1990
  Citation context: ...set of constraints. Some kinds of constraint systems have fast solvers, for instance, the problem of finding a solution to a set of difference constraints can be formulated as a shortest-path problem [13]. • Lastly, for very large constraint systems, one could envision solving the SCCs at the same depth in parallel. Thus, a DAG with depth D can be solved in D steps. (Section 5, Adding Context Sensitivity) The ...

- 1462 | Theory of linear and integer programming - Schrijver - 1986
  Citation context: ...owest possible value. It is important to note that the above form is just one of the numerous ways in which a linear program can be expressed. For a more comprehensive view of linear programming, see [11, 30]. Linear programming works on finite real numbers; that is, the variables in the vector x are only allowed to take finite real values. Hence the optimum value of the objective function, if it exists, ...

- 1414 | Network flows: Theory, Algorithms and Applications - Ahuja, Magnanti, et al. - 1993
  Citation context: ... linear programming algorithms and yet obtain integer solutions to the variables in the linear program. This is possible when the constraints can be expressed as A·x ≥ b, and A is a unimodular matrix [5, 19, 30, 32]. Here A is an m × n matrix of integer constants, x is an n × 1 vector of variables, and b is an m × 1 vector of integer constants. In our experience, the constraints produced by the tool have always ...

- 842 | Efficiently computing static single assignment form and the control dependence graph - Cytron, Ferrante, et al. - 1991
  Citation context: ...Through the use of slicing we were able to weed out the false alarms; nevertheless it was a manual and often painstaking procedure. By transitioning to a Static Single Assignment (SSA) representation [15] of the program, we can add a limited form of flow sensitivity to the program. This will result in a large number of constraint variables. Fortunately, we have observed that the solvers readily scale ...

- 816 | Linear Programming and Extensions - Dantzig - 1963
  Citation context: ...of the objective function, if it exists, is always guaranteed to be finite. Linear programming is well studied in the literature, and there are well-known techniques to solve linear programs, Simplex [16] being the most popular of them. Other known techniques, such as interior point methods [35], work provably in polynomial time. Commercially available solvers for solving linear programs, such as SoPlex [...

- 696 | Interprocedural slicing using dependence graphs - Horwitz, Reps, et al. - 1988
  Citation context: ...raint generator and the detector front-end are both developed as plug-ins to CodeSurfer. CodeSurfer is a code-understanding tool that was originally designed to compute precise interprocedural slices [20, 21]. CodeSurfer builds a whole program representation that includes a system dependence graph (that is composed of program dependence graphs for each procedure), an interprocedural control-flow graph, ab...

- 528 | Program Analysis and Specialization for the C Programming Language - Andersen - 1994
  Citation context: ...as two primary uses in the buffer overrun tool: (1) the constraint generator is a CodeSurfer plug-in that makes use of CodeSurfer's ASTs and pointer analysis (an implementation of Andersen's analysis [6]). (2) the detector front-end is a CodeSurfer plug-in that uses CodeSurfer's GUI in order to display potential overruns. Information about potential overruns is linked to CodeSurfer's internal program...

- 461 | Primal-Dual Interior-Point Methods - Wright - 1997

- 338 | A first step towards automated detection of buffer overrun vulnerabilities - Wagner, Foster, et al. - 2000
  Citation context: ... the vulnerable machine. To add to the problem, these vulnerabilities are easy to exploit, and several "cookbooks" [4, 31] are available to construct such exploits. As observed by several researchers [23, 34], C is highly vulnerable because there are several library functions that manipulate buffers in an unsafe way. Millions of lines of legacy code have been written in C, and systems running these applic...

- 327 | CCured: type-safe retrofitting of legacy code - Necula, McPeak, et al. - 2002
  Citation context: ... fail to eliminate the buffer overflows from the source code, which is the goal around which our tool is built. Static techniques have also been used to reduce the overhead of run-time checks. CCured [12, 24] is a program transformation system that adds memory safety guarantees to C programs by statically analyzing the source code and classifying pointers as safe or unsafe. Appropriate run-time checks are...

- 302 | Two approaches to interprocedural data-flow analysis - Sharir, Pnueli - 1981

- 169 | Statically detecting likely buffer overflow vulnerabilities - Larochelle, Evans - 2001
  Citation context: ... the vulnerable machine. To add to the problem, these vulnerabilities are easy to exploit, and several "cookbooks" [4, 31] are available to construct such exploits. As observed by several researchers [23, 34], C is highly vulnerable because there are several library functions that manipulate buffers in an unsafe way. Millions of lines of legacy code have been written in C, and systems running these applic...

- 169 | Eliminating array bound checking through dependent types - Xi, Pfenning - 1998
  Citation context: ...ic information from annotations in the program to make inferences on buffer bounds. The tool works like a compiler and produces warnings by making inferences based on the annotations. Xi and Pfenning [38] propose an extension to ML that supports type annotations. These annotations are then used to determine the type safety of the programs. However, in both these techniques, the onus is on the user to ...

- 126 | Fourier-Motzkin elimination and its dual - Dantzig, Eaves - 1973

- 116 | Towards a realistic tool for statically detecting all buffer overflows in C - Dor, Rodeh, et al. - 2003
  Citation context: ...erable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynamic techniques have also been proposed where the results of static analysis are used to re...

- 111 | Symbolic bounds analysis of pointers, array indices, and accessed memory regions - Rugina, Rinard - 2000
  Citation context: ...erable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynamic techniques have also been proposed where the results of static analysis are used to re...

- 79 | Speeding up slicing - Reps, Horwitz, et al. - 1994
  Citation context: ...raint generator and the detector front-end are both developed as plug-ins to CodeSurfer. CodeSurfer is a code-understanding tool that was originally designed to compute precise interprocedural slices [20, 21]. CodeSurfer builds a whole program representation that includes a system dependence graph (that is composed of program dependence graphs for each procedure), an interprocedural control-flow graph, ab...

- 65 | Pointer analysis for programs with structures and casting - Yong, Horwitz, et al. - 1999
  Citation context: ...veral pointer analysis algorithms; in each case we performed the experiments with a field-sensitive version of Andersen's analysis [6] that uses the common initial-prefix technique of Yong and Horwitz [39] to deal with structure casts. We configured the tool to use the hierarchical solver described in Section 4 for constraint resolution (so the values obtained will be precise), and produce constrain...

- 63 | ARCHER: Using symbolic, path-sensitive analysis to detect memory access errors - Xie, Chou, et al.

- 53 | Precise interprocedural chopping - Reps, Rosay
  Citation context: ... program representations. The queries that CodeSurfer supports include forward and backward slicing from a program point, precise interprocedural chopping between two program points (for details, see [28]), finding data and control dependence predecessors and successors from a program point, and examining the points-to set of a program variable. CodeSurfer presents the user with a listing of their sou...

- 51 | A Binary Rewriting Defense against Stack based Buffer Overflow Attacks - Prasad, Chiueh - 2003
  Citation context: ...gacy code have been written in C, and systems running these applications continue to be vulnerable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynam...

- 41 | StackGuard: Automatic detection and prevention of buffer-overrun attacks - Cowan, Pu, et al. - 1998
  Citation context: ...gacy code have been written in C, and systems running these applications continue to be vulnerable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynam...

- 37 | PointGuard: protecting pointers from buffer overflow vulnerabilities - Cowan, Beattie, et al. - 2003

- 34 | Paralleler und objektorientierter Simplex-Algorithmus (Parallel and object-oriented simplex algorithm) - Wunderling - 1996

- 33 | RAD: A compile-time solution to buffer overflow attacks - Chiueh, Hsu - 2001
  Citation context: ...gacy code have been written in C, and systems running these applications continue to be vulnerable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynam...

- 22 | Smashing the stack for fun and profit - Aleph One - 1996
  Citation context: ...problem. Consequences can be as serious as a remote user acquiring root privileges on the vulnerable machine. To add to the problem, these vulnerabilities are easy to exploit, and several "cookbooks" [4, 31] are available to construct such exploits. As observed by several researchers [23, 34], C is highly vulnerable because there are several library functions that manipulate buffers in an unsafe way. Mil...

- 22 | Static analysis and computer security: New techniques for software assurance - Wagner - 2000
  Citation context: ...erable. Several approaches have been proposed to mitigate the problem; these range from dynamic techniques [8, 10, 12, 14, 24, 27] that prevent attacks based on buffer overruns, to static techniques [17, 23, 29, 33, 34] that examine source code to eliminate these bugs before the code is deployed. Combinations of static and dynamic techniques have also been proposed where the results of static analysis are used to re...

- 18 | Stack Smashing vulnerabilities in the UNIX Operating System. http://millcomm.com/~nate/machines/security/stack-smashing/nate-buffer.ps - Smith - 1997
  Citation context: ...problem. Consequences can be as serious as a remote user acquiring root privileges on the vulnerable machine. To add to the problem, these vulnerabilities are easy to exploit, and several "cookbooks" [4, 31] are available to construct such exploits. As observed by several researchers [23, 34], C is highly vulnerable because there are several library functions that manipulate buffers in an unsafe way. Mil...

- 18 | Primal-dual interior-point methods, SIAM Publication - Wright - 1997

- 15 | Protecting from stack-smashing attacks - Etoh, Yoda - 2000

- 13 | Integral extreme points - Veinott, Dantzig - 1968
  Citation context: ... linear programming algorithms and yet obtain integer solutions to the variables in the linear program. This is possible when the constraints can be expressed as A·x ≥ b, and A is a unimodular matrix [5, 19, 30, 32]. Here A is an m × n matrix of integer constants, x is an n × 1 vector of variables, and b is an m × 1 vector of integer constants. In our experience, the constraints produced by the tool have always ...

- 10 | Presolving in linear programming - Andersen, Andersen - 1995
  Citation context: ...nferences about the constraints; for instance, if x ≥ 5 is the only constraint involving x, and we wish to minimize x, it is clear that x is 5. Several such techniques are described in the literature [7]; we have incorporated some of them in our solver. (Section 4, Solving Constraint Systems Hierarchically) In the previous section, we described an approach that used linear programming to determine bounds on the...

- 7 | ABCD: Eliminating array-bounds checks on demand - Bodik, Gupta, et al. - 2000

- 4 | SoPlex: the sequential object-oriented simplex class library, http://www.zib.de/Optimization/Software/Soplex - Wunderling
  Citation context: ...] being the most popular of them. Other known techniques, such as interior point methods [35], work provably in polynomial time. Commercially available solvers for solving linear programs, such as SoPlex [36, 37] and CPLEX [26], implement these and related methods. The set of constraints that we obtained after program analysis are linear constraints, hence we can formulate our problem as a linear program. Our ...

- 1 | Locating minimal infeasible constraint sets in linear programs - Chinneck, Dravnieks - 1991
  Citation context: ...of "correcting" infeasible linear programs to make them feasible is a well studied problem in the operations research community. The approach is to identify Irreducibly Inconsistent Sets (called IIS) [9]. An IIS is a minimal set of inconsistent constraints, i.e., the constraints in the IIS together are infeasible, but any proper subset of the constraints in the IIS forms a feasible set. For instance, both the co...

- 1 | Integral boundary points of convex polyhedra - Hoffman, Kruskal - 1956
  Citation context: ... linear programming algorithms and yet obtain integer solutions to the variables in the linear program. This is possible when the constraints can be expressed as A·x ≥ b, and A is a unimodular matrix [5, 19, 30, 32]. Here A is an m × n matrix of integer constants, x is an n × 1 vector of variables, and b is an m × 1 vector of integer constants. In our experience, the constraints produced by the tool have always ...

- 1 | WU-FTPD resource center; personal communication - Landfield - 2003
  Citation context: ...an be used to cause the overrun. As before, PATH FTPACCESS typically has privileged access, but could be written to by a local user in non-standard configurations. We contacted the wu-ftpd developers [22], and they have acknowledged the presence of these bugs in their code, and are in the process of fixing the bugs (at the time of writing this paper). (Section 6.1.2, wu-ftpd-2.5.0) wu-ftpd-2.5.0 has about 16K li...

- 1 | High coverage detection of input related security faults - Larson, Austin - 2003