A First Step towards Automated Detection of Buffer Overrun Vulnerabilities

A First Step towards Automated Detection of Buffer Overrun Vulnerabilities (2000)

Cached

Download Links

Other Repositories/Bibliography

DBLP

by David Wagner , Jeffrey S. Foster , Eric A. Brewer , Alexander Aiken

Venue:	In Network and Distributed System Security Symposium
Citations:	314 - 9 self

BibTeX

@INPROCEEDINGS{Wagner00afirst,
    author = {David Wagner and Jeffrey S. Foster and Eric A. Brewer and Alexander Aiken},
    title = {A First Step towards Automated Detection of Buffer Overrun Vulnerabilities},
    booktitle = {In Network and Distributed System Security Symposium},
    year = {2000},
    pages = {3--17}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.

Citations

1232	Theory of Linear and Integer Programming - SCHRIJVER - 1986
470	Automatic discovery of linear restraints among the variables of a program - COUSOT, HALBWACHS - 1978
334	Dependence Analysis for Supercomputing - Banerjee - 1988
273	Extended static checking - Detlefs, Leino, et al. - 1998
245	The Design and Implementation of a Certifying Compiler - Necula, Lee - 2004
198	An efficient method of computing static single assignment form - Cytron, Ferrante, et al.
195	Efficient detection of all pointer and array access errors - Austin, Breach, et al. - 1994
188	Constraint propagation with interval labels - Davis - 1987
163	An Empirical Study of the Reliability of UNIX Utilities - Miller, Fredriksen, et al. - 1990
162	Eliminating Array Bound Checking Through Dependent Types - Xi, Pfenning - 1998
158	Consistency techniques for numeric CSPs - Lhomme - 1993
146	Static detection of dynamic memory errors - Evans - 1996
125	R.: Static determination of dynamic properties of programs - Cousot, Cousot - 1976
113	M.S.: Efficient and exact data dependence analysis - Maydan, Hennessy, et al. - 1991
106	With microscope and tweezers: An analysis of the Internet virus of - Eichin, Rochlis - 1988
104	LCLint: A tool for using specifications to check code - Evans, Guttag, et al. - 1994
91	Abstract debugging of higher-order imperative languages - Bourdoncle - 1993
91	Putting pointer analysis to work - Ghiya, Hendren - 1998
91	Verication of real-time systems using linear relation analysis - Halbwachs, Proy, et al. - 1997
89	Constraint Reasoning Based on Interval Arithmetic: The Tolerance Propagation Approach - Hyvonen - 1992
88	Type-based alias analysis - Diwan, McKinley, et al. - 1998
78	Fuzz revisited: A re-examination of the reliability of unix utilities and services - Miller, Koski, et al. - 1995
76	Compiler analysis of the value ranges for variables - Harrison - 1977
75	Verication of linear hybrid systems by means of convex approximations - Halbwachs, Proy, et al. - 1994
71	M.: Constraint Satisfaction using Constraint Logic Programming - Hentenryck, Simonis, et al. - 1992
70	Optimizing array bound checks using flow analysis - Gupta - 1993
69	Set constraints: results, applications, and future directions - Aiken - 1994
69	Eliminating false data dependences using the Omega test - Pugh, Wonnacott - 1992
69	Deciding linear inequalities by computing loop residues - Shostak - 1981
66	A portable machine-independent global optimizer–design and measurements - Chow - 1984
61	Accurate static branch prediction by value range propagation - Patterson - 1995
58	K.: Implementation of an array bound checker - Suzuki, Ishihata - 1977
48	Simple and fast algorithms for linear and integer programs with two variables per inequality - Hochbaum, Naor
46	A Toolkit for Constructing Type- and Constraint-Based Program Analyses - Aiken, Flhndrich, et al. - 1998
46	Optimization of range checking - Markstein, Cocke, et al. - 1982
38	Automatic testing of reactive systems - Raymond, Nicollin, et al. - 1998
33	On the SUP-INF method for proving Presburger formulas - Shostak - 1977
32	An Automated Approach for Identifying Potential Vulnerabilities - Ghosh, O‘Connor, et al. - 1998
26	Improved algorithms for linear inequalities with two variables per inequality - Cohen, Megiddo - 1991
24	Generalized constant propagation: A study in C - Verbrugge, Co, et al. - 1996
13	Bounds Checking for C. http://www-ala.doc.ic.ac.uk/˜phjk/ BoundsChecking.html - Jones, Kelly - 1995
11	The Sup-Inf method in Presburger arithmetic - Bledsoe - 1974
10	Set based analysis of arithmetic - Heintze - 1993
9	a C program checker. Computer Science - Johnson
5	Bounds Checking for C," http://www-ala.doc.ic.ac.uk/phjk/ BoundsChecking.html - Jones, Kelly - 1995
5	Linear programming with two variables per inequality in poly log time - Lueker, Megiddo, et al.
4	Abstract interpretation of constraint logic programs using convex polyhedra - Handjieva - 1996
4	A static analyzer for CLP(R) based on abstract interpretation,” SAS’96: Static Analysis Symp - Handjieva, “STAN
3	Incomplete list of Unix vulnerabilities," http://www.cs.iastate.edu/ghelmer/ unixsecurity/unix_vuln.html - Helmer - 1994
3	de Raadt, "strlcpy and strlcat---Consistent, Safe, String Copy and Concatenation - Miller, T - 1996