## A First Step towards Automated Detection of Buffer Overrun Vulnerabilities (2000)


Venue: Network and Distributed System Security Symposium (NDSS), 2000

Citations: 359 (10 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Wagner00afirst,
  author    = {David Wagner and Jeffrey S. Foster and Eric A. Brewer and Alexander Aiken},
  title     = {A First Step towards Automated Detection of Buffer Overrun Vulnerabilities},
  booktitle = {Network and Distributed System Security Symposium},
  year      = {2000},
  pages     = {3--17}
}
```


### Abstract

We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs.

### References cited by the paper (with citation context)

- Schrijver. Theory of Linear and Integer Programming. 1986. (1535 citations)
  Context: "... 6. Related work. LINEAR PROGRAMMING. Many papers have suggested using linear programming techniques to discover program invariants, including the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method [5, 55], Shostak's loop residues [56], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abst..."

- Cousot, Halbwachs. Automatic discovery of linear restraints among variables of a program. (598 citations)

- Banerjee. Dependence Analysis for Supercomputing. (356 citations)
  Context: "...ge analysis, it is not clear how well they scale. PARALLELIZING COMPILERS. One important application for array reference analysis is in discovering implicit parallelism in sequential Fortran programs [40, 4, 50]; however, those techniques do not seem to help with the buffer overrun problem because they focus too narrowly on the special case of loop optimization. ARRAY BOUNDS CHECKING. One way to avoid buffer..."

- Detlefs, Leino, et al. Extended static checking. 1998. (310 citations)

- Necula, Lee. The Design and Implementation of a Certifying Compiler. 1998. (277 citations)
  Context: "... all bounds checks for some type-safe languages. For example, Necula and Lee develop a certifying compiler for a type-safe subset of C that eliminates most bounds checks using Shostak's loop residues [45]. Also, Xi and Pfenning propose a method to eliminate runtime array bounds checking for ML with the help of some assertions added by the programmer to capture certain program invariants [60, 61]. Of c..."

- Cytron, Ferrante, et al. An Efficient Method of Computing Static Single Assignment Form. 1989. (224 citations)
  Context: "... all program executions.) These figures suggest that, in retrospect, it might have been better to use a more precise but slower analysis. We expect that standard analysis techniques (such as SSA form [13], Pratt's method [49] or Shostak's loop residues [56], and a points-to analysis) could be used to improve on our current prototype by an order of magnitude or more. However, significant engineering ef..."

- Davis. Constraint propagation with interval labels. 1987. (221 citations)
  Context: "...nstraint language and solver (but see [28] for an important partial exception). Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature [14, 32, 37, 58]; however, their algorithms typically stress generality for small problems ("hundreds of nodes and constraints" [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Sever..."

- Miller, Fredriksen, et al. An empirical study of the reliability of UNIX utilities. 1990. (219 citations)
  Context: "...ate heuristics that capture the class of security-relevant bugs that tend to occur in real programs. Others have applied runtime code-testing techniques to the problem, using, e.g., black-box testing [41, 42] or software fault injection [21] to find buffer overruns in real-world applications. However, runtime testing seems likely to miss many vulnerabilities. Consider the following example: `if (strlen(src...`"

- Austin, Breach, et al. Efficient Detection of All Pointer and Array Access Errors. 1994. (218 citations)

- Lhomme. Consistency techniques for numeric CSPs. 1999. (211 citations)
  Context: cited as [37] in the passage quoted for Davis [14] above.

- Cousot, Cousot. Static determination of dynamic properties of programs. (175 citations)
  Context: "... then a buffer overrun always occurs in any execution that uses s. 3. If the two ranges overlap, then we cannot rule out the possibility of a violation of the safety property, and we ... Figure 3. A buffer overrun that the analysis would not find due to the pointer aliasing: `char s[20], *p, t[10]; strcpy(s, "Hello"); p = s + 5; strcpy(p, " world!"); strcpy(t, s);`. In this example, a 13-byte string is copie..." (The `[10]` CiteSeerX highlighted in this passage is the array size in `t[10]`, not the reference number.)
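The abstract's formulation, run over the two C fragments quoted in these citation contexts (the aliasing program of Figure 3 and the `if (strlen(src) > sizeof dst) break; strcpy(dst, src);` guard from the runtime-testing passage), as an added example that is not code from the paper or from its prototype. It models, in plain C, the two ranges the paper tracks for every string buffer, `alloc(s)` and `len(s)` (bytes in use including the terminating NUL), and the three-way comparison of `len(s)` against `alloc(s)`. The transfer functions for `strcpy`, pointer arithmetic and a `strlen` guard, and all type and function names, are my own simplifications rather than the paper's constraint language.

```c
/*
 * Added example (not code from the paper or its prototype): a toy version of the
 * integer-range formulation. Every string buffer gets two ranges, alloc(s) (bytes
 * allocated) and len(s) (bytes in use, including the NUL); the safety property is
 * len(s) <= alloc(s). Transfer functions and names below are my simplifications.
 */
#include <limits.h>
#include <stdio.h>

#define RINF LONG_MAX            /* stands for +infinity */
#define RNEG LONG_MIN            /* stands for -infinity */

typedef struct { long lo, hi; } range_t;       /* closed interval [lo, hi] */
typedef struct { range_t alloc, len; } buf_t;  /* the two ranges tracked per buffer */
typedef enum { SAFE, MAYBE, UNSAFE } verdict_t;

static const range_t EMPTY = { RINF, RNEG };   /* bottom: no value seen yet */

static long min2(long a, long b) { return a < b ? a : b; }
static long max2(long a, long b) { return a > b ? a : b; }
static range_t rng(long lo, long hi) { range_t r = { lo, hi }; return r; }

/* Least upper bound: the smallest interval containing both operands. Each assignment
 * adds a subset constraint len(dst) >= len(src); joining is its least solution. */
static range_t join(range_t a, range_t b) { return rng(min2(a.lo, b.lo), max2(a.hi, b.hi)); }
/* Intersection: what a branch guard lets through. */
static range_t meet(range_t a, range_t b) { return rng(max2(a.lo, b.lo), min2(a.hi, b.hi)); }
/* Add a constant to both bounds, leaving the infinities alone (pointer arithmetic). */
static long addc(long x, long c) { return (x == RINF || x == RNEG) ? x : x + c; }
static range_t shift(range_t a, long c) { return rng(addc(a.lo, c), addc(a.hi, c)); }

/* The paper's three-way check: the range of len(s) against the range of alloc(s). */
static verdict_t check(const buf_t *b) {
    if (b->len.hi <= b->alloc.lo) return SAFE;   /* every possible len fits every possible alloc */
    if (b->len.lo > b->alloc.hi)  return UNSAFE; /* no possible len fits: overrun on every execution */
    return MAYBE;                                /* ranges overlap: cannot rule out an overrun */
}

/* strcpy(dst, src) in this model: len(dst) absorbs len(src); alloc(dst) is untouched. */
static void m_strcpy(buf_t *dst, const buf_t *src) { dst->len = join(dst->len, src->len); }

/* A string literal of n characters occupies n + 1 bytes. */
static buf_t literal(long n) { buf_t b = { { n + 1, n + 1 }, { n + 1, n + 1 } }; return b; }

/* Figure 3 of the paper: the write through the alias p never reaches len(s). */
verdict_t figure3(void) {
    buf_t s = { rng(20, 20), EMPTY }, t = { rng(10, 10), EMPTY }, p = { EMPTY, EMPTY };
    buf_t hello = literal(5), world = literal(7);
    m_strcpy(&s, &hello);          /* strcpy(s, "Hello");    len(s) = [6, 6]                     */
    p.alloc = shift(s.alloc, -5);  /* p = s + 5;             alloc(p) = [15, 15]                 */
    m_strcpy(&p, &world);          /* strcpy(p, " world!");  len(p) = [8, 8]; len(s) unchanged  */
    m_strcpy(&t, &s);              /* strcpy(t, s);          len(t) = [6, 6], 13 bytes at runtime */
    return check(&t);              /* SAFE: the false negative the paper describes             */
}

/* `if (strlen(src) > limit) break; strcpy(dst, src);` with attacker-controlled src. On the
 * fall-through path strlen(src) <= limit, and strlen(src) = len(src) - 1, so len(src) is
 * within [1, limit + 1]. */
verdict_t guarded_strcpy(long dst_size, long limit) {
    buf_t dst = { rng(dst_size, dst_size), EMPTY };
    buf_t src = { rng(1, RINF), rng(1, RINF) };   /* unknown input: len(src) in [1, +inf) */
    src.len = meet(src.len, rng(1, limit + 1));
    m_strcpy(&dst, &src);
    return check(&dst);
}

/* strcpy of a fixed literal into a fixed buffer: no overlap at all when the literal is too long. */
verdict_t constant_copy(long dst_size, long literal_chars) {
    buf_t dst = { rng(dst_size, dst_size), EMPTY }, lit = literal(literal_chars);
    m_strcpy(&dst, &lit);
    return check(&dst);
}

int main(void) {
    static const char *names[] = { "SAFE", "MAYBE", "UNSAFE" };
    printf("Figure 3 (aliasing):            %s\n", names[figure3()]);
    printf("guard `> sizeof dst`, 128 bytes: %s\n", names[guarded_strcpy(128, 128)]);
    printf("guard `>= sizeof dst`, 128 bytes:%s\n", names[guarded_strcpy(128, 127)]);
    printf("12-char literal into char[8]:    %s\n", names[constant_copy(8, 12)]);
    return 0;
}
```

The Figure 3 program comes out SAFE because the 13-byte write reaches `t` through `p`, and nothing ties `len(p)` back to `len(s)`; that is exactly the aliasing blind spot the paper names. The `strlen(src) > sizeof dst` guard comes out MAYBE because `len(src)` may still be `sizeof dst + 1`, the off-by-one that black-box testing only triggers with an input of exactly `sizeof dst` characters; tightening the guard to `>=` makes the verdict SAFE, and a literal that cannot fit gives UNSAFE on every path.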

- Xi, Pfenning. Eliminating Array Bound Checking Through Dependent Types. 1998. (175 citations)
  Context: "... residues [45]. Also, Xi and Pfenning propose a method to eliminate runtime array bounds checking for ML with the help of some assertions added by the programmer to capture certain program invariants [60, 61]. Of course, none of these tools can eliminate buffer overruns in large legacy applications written in C. RANGE ANALYSIS. Our approach to range analysis builds on much prior work in the literature, in..."

- Evans. Static detection of dynamic memory errors. 1996. (165 citations)
  Context: "...thms typically stress generality for small problems ("hundreds of nodes and constraints" [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Several commonly used tools [34, 18, 19] use static analysis and some heuristics to detect common programming errors (such as type errors, abstraction violations, and memory management bugs), but these tools don't detect buffer overruns. Ma..."

- Maydan, Hennessy, et al. Efficient and exact data dependence analysis. 1991. (122 citations)

- Eichin, Rochlis. With microscope and tweezers: An analysis of the Internet virus of November 1988. 1989. (120 citations)
  Context: "...plagued security architects for at least a decade. In November 1988, the infamous Internet worm infected thousands or tens of thousands of network-connected hosts and fragmented much of the known net [17]. One of the primary replication mechanisms was exploitation of a buffer overrun vulnerability in the fingerd daemon. Since then, buffer overruns have been a serious, continuing menace to system secur..."

- Evans, Guttag, et al. LCLint: A tool for using specifications to check code. 1994. (120 citations)
  Context: cited as [18] in the LINT-LIKE TOOLS passage quoted for Evans [19] above.

- Halbwachs, Proy, et al. Verification of real-time systems using linear relation analysis. 1997. (115 citations)
  Context: "..., and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) [10, 11, 23, 25, 26, 24, 52]. In this context, linear programming algorithms provide a tool for manipulating subsets of $\mathbb{Z}^n$, with operations such as $\cup$, $\cap$, projection, widening, and testing for feasibility. See especially [11] for an..."

- Hyvönen. Constraint reasoning based on interval arithmetic: the tolerance propagation approach. 1992. (105 citations)
  Context: "... arithmetical operators obey most of the usual algebraic laws. For instance, $a + b = b + a$, $a + (b + c) = (a + b) + c$, $a \times b = b \times a$, $a \times (b \times c) = (a \times b) \times c$, and so on. However, the distributive rule does not hold (in general we only have $a \times (b + c) \subseteq a \times b + a \times c$; see [32]) and the rule for subtraction introduces a slightly ugly feature since in general $a - a \neq [0, 0]$. In practice, it is useful to extend the constraint language to include $\min$ and $\max$ operators: C code | Interpretation | char..."
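The interval-arithmetic laws discussed in the Hyvönen context above, checked on concrete integer intervals, as an added example that is not from the paper: a minimal interval arithmetic in C whose names and helpers are my own, showing that `a*(b+c)` is contained in but not equal to `a*b + a*c`, and that an interval minus itself is not `[0,0]`.

```c
/*
 * Added example (not from the paper): the interval-arithmetic laws mentioned in the
 * Hyvönen context, checked on concrete integer intervals. Type, helper and function
 * names are my own; the paper's constraint language is not reproduced here.
 */
#include <stdio.h>

typedef struct { long lo, hi; } ival;   /* closed integer interval [lo, hi] */

static long mn(long a, long b) { return a < b ? a : b; }
static long mx(long a, long b) { return a > b ? a : b; }
static ival iv(long lo, long hi) { ival r = { lo, hi }; return r; }

/* Addition is exact: the sum of the lows and the sum of the highs. */
static ival iadd(ival a, ival b) { return iv(a.lo + b.lo, a.hi + b.hi); }
/* Subtraction pairs each bound of a with the opposite bound of b, so a - a is not [0, 0]. */
static ival isub(ival a, ival b) { return iv(a.lo - b.hi, a.hi - b.lo); }
/* Multiplication takes the extremes of the four corner products (signs may flip the order). */
static ival imul(ival a, ival b) {
    long p0 = a.lo * b.lo, p1 = a.lo * b.hi, p2 = a.hi * b.lo, p3 = a.hi * b.hi;
    return iv(mn(mn(p0, p1), mn(p2, p3)), mx(mx(p0, p1), mx(p2, p3)));
}
static int subset(ival a, ival b) { return b.lo <= a.lo && a.hi <= b.hi; }
static int same(ival a, ival b)   { return a.lo == b.lo && a.hi == b.hi; }

/* Sub-distributivity: a*(b+c) is always contained in a*b + a*c ... */
int subdistributive(ival a, ival b, ival c) {
    return subset(imul(a, iadd(b, c)), iadd(imul(a, b), imul(a, c)));
}
/* ... but the two sides need not be equal; 1 means the distributive law happened to hold. */
int distributes_exactly(ival a, ival b, ival c) {
    return same(imul(a, iadd(b, c)), iadd(imul(a, b), imul(a, c)));
}
/* Width of x - x: zero only when x is a single value. */
long self_difference_width(ival x) {
    ival d = isub(x, x);
    return d.hi - d.lo;
}

int main(void) {
    ival a = iv(-1, 1), b = iv(1, 1), c = iv(-1, -1);
    ival lhs = imul(a, iadd(b, c)), rhs = iadd(imul(a, b), imul(a, c));
    printf("a*(b+c) = [%ld, %ld]   a*b + a*c = [%ld, %ld]   contained: %d   equal: %d\n",
           lhs.lo, lhs.hi, rhs.lo, rhs.hi, subdistributive(a, b, c), distributes_exactly(a, b, c));
    printf("width of [6,9] - [6,9] = %ld (a variable minus itself does not give [0,0])\n",
           self_difference_width(iv(6, 9)));
    return 0;
}
```

With `a = [-1,1]`, `b = [1,1]`, `c = [-1,-1]` the left side is `[0,0]` and the right side `[-2,2]`. Both effects are precision losses, not unsoundness: the true value always lies inside the computed interval, which is why a range analysis of this kind reports overlaps (possible overruns) rather than missing them.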

- Diwan, McKinley, et al. Type-based alias analysis. 1998. (98 citations)

- Bourdoncle. Abstract Debugging of Higher-Order Imperative Languages. 1993. (94 citations)
  Context: "...range analysis builds on much prior work in the literature, including early work on abstract interpretation [10] and range propagation [27] as well as more mature work on systems for static debugging [6], generalized constant propagation [59], and branch prediction [47]; however, our emphasis on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-B..."

- Ghiya, Hendren. Putting Pointer Analysis to Work. 1998. (93 citations)

- Miller, Koski, et al. Fuzz revisited: A re-examination of the reliability of UNIX utilities and services. 1995. (91 citations)
  Context: cited as [42] in the runtime-testing passage quoted for Miller, Fredriksen, et al. [41] above.

- Harrison. Compiler Analysis of the Value Ranges for Variables. 1977. (86 citations)
  Context: cited as [27] (range propagation) in the RANGE ANALYSIS passage quoted for Bourdoncle [6] above.

- Halbwachs, Proy, et al. Verification of linear hybrid systems by means of convex approximations. 1994. (85 citations)
  Context: cited in the abstract-interpretation passage quoted for Halbwachs, Proy, et al. (1997) above.

- Gupta. Optimizing array bounds checks using flow analysis. 1993. (78 citations)
  Context: "..., gcc extensions [35], Purify [51], and BoundsChecker [46]. However, many of these tools impose a large performance overhead (instrumented programs are typically 2–3 times slower than the original versions [3, 35, 8, 22]). As a result, the tools are usually used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques ..."

- Pugh, Wonnacott. Eliminating False Data Dependences Using the Omega Test. 1992. (77 citations)
  Context: cited as [50] (the Omega method) in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Van Hentenryck, Simonis, et al. Constraint Satisfaction using Constraint Logic Programming. 1992. (76 citations)
  Context: cited as [58] in the passage quoted for Davis [14] above.

- Shostak. Deciding linear inequalities by computing loop residues. 1981. (74 citations)
  Context: "...oint of the constraint subsystem associated with each cycle. A typical cycle looks like [figure omitted]. Transitively expanding this cycle, we find that $\alpha \subseteq f(\alpha)$, where $f$ is the composition of the affine functions around the cycle. (We may view $f$ loosely as Shostak's loop residue [56] for the cycle.) The composition of affine functions is affine, so $f$ is affine. The observation is that, because $f$ is affine, we can precisely solve this cyclic constraint system without any divergence whatsoever, by u..."

- Aiken. Set Constraints: Results, Applications and Future Directions. (71 citations)
  Context: "... on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-BASED ANALYSES. Philosophically, our analysis may be viewed as a constraint-based analysis [1]; however, it is unusual to incorporate arithmetic expressions in the set constraint language and solver (but see [28] for an important partial exception). Note also that techniques for solving intege..."

- Chow. A portable machine-independent global optimizer: Design and measurements. 1983. (69 citations)
  Context: cited as [8] in the ARRAY BOUNDS CHECKING passage quoted for Gupta [22] above.

- Suzuki, Ishihata. Implementation of an Array Bound Checker. 1977. (69 citations)
  Context: "...ally used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques for eliminating redundant checks [22, 39, 57]. However, they typically focus on moving bounds checks to less frequently executed locations, rather than on eliminating all bounds checks. For example, hoisting bounds checks out of loops using loop..."

- Patterson. Accurate static branch prediction by value range propagation. 1995. (68 citations)
  Context: cited as [47] in the RANGE ANALYSIS passage quoted for Bourdoncle [6] above.

- Hochbaum, Naor. Simple and Fast Algorithms for Linear and Integer Programs with Two Variables per Inequality. 1994. (59 citations)
  Context: cited as [30] in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Aiken, Fähndrich, et al. A toolkit for constructing type- and constraint-based program analyses. 1998. (49 citations)
  Context: "... 3. Constraint generation. The first step is to parse the source code; we use the BANE toolkit [2]. Our analysis proceeds by traversing the parse tree for the input C source code and generating a system of integer range constraints. With each integer progra..."

- Raymond, Nicollin, et al. Automatic testing of reactive systems. 1998. (49 citations)
  Context: cited as [52] in the abstract-interpretation passage quoted for Halbwachs, Proy, et al. (1997) above.

- Markstein, Cocke, et al. Optimization of Range Checking. (47 citations)
  Context: cited as [39] in the passage on eliminating redundant checks quoted for Suzuki, Ishihata [57] above.

- Ghosh, O'Connor, et al. An automated approach for identifying potential vulnerabilities in software. 1998. (43 citations)
  Context: "... of security-relevant bugs that tend to occur in real programs. Others have applied runtime code-testing techniques to the problem, using, e.g., black-box testing [41, 42] or software fault injection [21] to find buffer overruns in real-world applications. However, runtime testing seems likely to miss many vulnerabilities. Consider the following example: `if (strlen(src) > sizeof dst) break; strcpy(dst...`"

- Shostak. On the SUP-INF method for proving Presburger formulas. 1977. (36 citations)
  Context: cited as [55] (the SUPINF method) in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Verbrugge, Co, et al. Generalized constant propagation: A study in C. 1996. (29 citations)
  Context: cited as [59] in the RANGE ANALYSIS passage quoted for Bourdoncle [6] above.

- Cohen, Megiddo. Improved algorithms for linear inequalities with two variables per inequality. 1994. (27 citations)
  Context: cited as [9] in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Jones, Kelly. Bounds Checking for C. http://www-ala.doc.ic.ac.uk/~phjk/BoundsChecking.html. 1995. (14 citations)
  Context: "...ion. ARRAY BOUNDS CHECKING. One way to avoid buffer overruns is to use runtime array bounds checks. There are several implementations of array bounds checking for C, including SCC [3], gcc extensions [35], Purify [51], and BoundsChecker [46]. However, many of these tools impose a large performance overhead (instrumented programs are typically 2–3 times slower than the original versions [3, 35, 8, 22]). As a..."

- Bledsoe. The Sup-Inf method in Presburger arithmetic. 1974. (11 citations)
  Context: cited as [5] in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Johnson. Lint, a C program checker. Computer Science Technical Report, 1977. (11 citations)
  Context: cited as [34] in the LINT-LIKE TOOLS passage quoted for Evans [19] above.

- Heintze. Set based analysis and arithmetic. 1993. (10 citations)
  Context: "...ALYSES. Philosophically, our analysis may be viewed as a constraint-based analysis [1]; however, it is unusual to incorporate arithmetic expressions in the set constraint language and solver (but see [28] for an important partial exception). Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature [14, 32, 37, 58]; however, their algorithm..."

- Handjieva. Abstract interpretation of constraint logic programs using convex polyhedra. 1996. (4 citations)

- Handjieva. STAN: A static analyzer for CLP(R) based on abstract interpretation. SAS'96: Static Analysis Symposium. (4 citations)

- Lueker, Megiddo, et al. Linear programming with two variables per inequality in poly log time. 1990. (4 citations)
  Context: cited as [38] in the LINEAR PROGRAMMING passage quoted for Schrijver [53] above.

- Helmer. Incomplete list of Unix vulnerabilities. http://www.cs.iastate.edu/ghelmer/unixsecurity/unix_vuln.html. 1994. (3 citations)

- Miller, de Raadt. strlcpy and strlcat: Consistent, Safe, String Copy and Concatenation. USENIX Annual Technical Conference (FREENIX track), 1999. (3 citations)