Citation Context

.... 6. Related work LINEAR PROGRAMMING. Many papers have suggested using linear programming techniques to discover program invariants, including the simplex method, Fourier-Motzkin variable elimination =-=[53]-=-, the Omega method [50], the SUPINF method [5, 55], Shostak’s loop residues [56], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abst...

Citation Context

...ge analysis, it is not clear how well they scale. PARALLELIZING COMPILERS. One important application for array reference analysis is in discovering implicit parallelism in sequential Fortran programs =-=[40, 4, 50]-=-; however, those techniques do not seem to help with the buffer overrun problem because they focus too narrowly on the special case of loop optimization. ARRAY BOUNDS CHECKING. One way to avoid buffer...

Citation Context

... all bounds checks for some type-safe languages. For example, Necula and Lee develop a certifying compiler for a type-safe subset of C that eliminates most bounds checks using Shostak’s loop residues =-=[45]-=-. Also, Xi and Pfenning propose a method to eliminate runtime array bounds checking for ML with the help of some assertions added by the programmer to capture certain program invariants [60, 61]. Of c...

Citation Context

... all program executions.) These figures suggest that, in retrospect, it might have been better to use a more precise but slower analysis. We expect that standard analysis techniques (such as SSA form =-=[13]-=-, Pratt’s method [49] or Shostak’s loop residues [56], and a points-to analysis) could be used to improve on our current prototype by an order of magnitude or more. However, significant engineering ef...

Citation Context

...nstraint language and solver (but see [28] for an important partial exception).Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature =-=[14, 32, 37, 58]-=-; however, their algorithms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Sever...

Citation Context

...ate heuristics that capture the class of security-relevant bugs that tend to occur in real programs. Others have applied runtime code-testing techniques to the problem, using, e.g., black-box testing =-=[41, 42]-=- or software fault injection [21] to find buffer overruns in real-world applications. However, runtime testing seems likely to miss many vulnerabilities. Consider the following example: if (strlen(src...

Citation Context

...nstraint language and solver (but see [28] for an important partial exception).Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature =-=[14, 32, 37, 58]-=-; however, their algorithms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Sever...

Citation Context

... then a buffer overrun always occurs in any execution that uses s. 3. If the two ranges overlap, then we cannot rule out the possibility of a violation of the safety property, and we char s[20], *p, t=-=[10]-=-; strcpy(s, "Hello"); p = s + 5; strcpy(p, " world!"); strcpy(t, s); Figure 3. A buffer overrun that the analysis would not find due to the pointer aliasing. In this example, a 13-byte string is copie...

Citation Context

... residues [45]. Also, Xi and Pfenning propose a method to eliminate runtime array bounds checking for ML with the help of some assertions added by the programmer to capture certain program invariants =-=[60, 61]-=-. Of course, none of these tools can eliminate buffer overruns in large legacy applications written in C. RANGE ANALYSIS. Our approach to range analysis builds on much prior work in the literature, in...

Citation Context

...thms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Several commonly used tools =-=[34, 18, 19]-=- use static analysis and some heuristics to detect common programming errors (such as type errors, abstraction violations, and memory management bugs), but these tools don’t detect buffer overruns. Ma...

Citation Context

...plagued security architects for at least a decade. In November 1988, the infamous Internet worm infected thousands or tens of thousands of network-connected hosts and fragmented much of the known net =-=[17]-=-. One of the primary replication mechanisms was exploitation of a buffer overrun vulnerability in the fingerd daemon. Since then, buffer overruns have been a serious, continuing menace to system secur...

Citation Context

...thms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Several commonly used tools =-=[34, 18, 19]-=- use static analysis and some heuristics to detect common programming errors (such as type errors, abstraction violations, and memory management bugs), but these tools don’t detect buffer overruns. Ma...

Citation Context

...], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) =-=[10, 11, 23, 25, 26, 24, 52]-=-. In this context, linear programming algorithms provide a tool for manipulating subsets of��, with operations such as�,�, projection, widening, and testing for feasibility. See especially [11] for an...

Citation Context

... arithmetical operators obey most of the usual algebraic laws. For instance, , �, , , �, and so on. However, the distributive rule does not hold (in general we only have �� �� ����� ����� � ; see � � =-=[32]-=-) �and the rule for subtraction introduces a slightly ugly feature since in general ��. In practice, it is useful to extend the constraint language to include�and�operators:C code Interpretation char...

Citation Context

...range analysis builds on much prior work in the literature, including early work on abstract interpretation [10] and range propagation [27] as well as more mature work on systems for static debugging =-=[6]-=-, generalized constant propagation [59], and branch prediction [47]; however, our emphasis on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-B...

Citation Context

...ate heuristics that capture the class of security-relevant bugs that tend to occur in real programs. Others have applied runtime code-testing techniques to the problem, using, e.g., black-box testing =-=[41, 42]-=- or software fault injection [21] to find buffer overruns in real-world applications. However, runtime testing seems likely to miss many vulnerabilities. Consider the following example: if (strlen(src...

Citation Context

...egacy applications written in C. RANGE ANALYSIS. Our approach to range analysis builds on much prior work in the literature, including early work on abstract interpretation [10] and range propagation =-=[27]-=- as well as more mature work on systems for static debugging [6], generalized constant propagation [59], and branch prediction [47]; however, our emphasis on analysis of large programs spurred us to d...

Citation Context

...], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) =-=[10, 11, 23, 25, 26, 24, 52]-=-. In this context, linear programming algorithms provide a tool for manipulating subsets of��, with operations such as�,�, projection, widening, and testing for feasibility. See especially [11] for an...

Citation Context

..., gcc extensions [35], Purify [51], and BoundsChecker [46]. However, many of these tools impose a large performance overhead (instrumented programs are typically 2–3 slower than the original versions =-=[3, 35, 8, 22]-=-). As a result, the tools are usually used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques ...

Citation Context

...R PROGRAMMING. Many papers have suggested using linear programming techniques to discover program invariants, including the simplex method, Fourier-Motzkin variable elimination [53], the Omega method =-=[50]-=-, the SUPINF method [5, 55], Shostak’s loop residues [56], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation ove...

Citation Context

...nstraint language and solver (but see [28] for an important partial exception).Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature =-=[14, 32, 37, 58]-=-; however, their algorithms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Sever...

Citation Context

...oint of the constraint subsystem associated with each cycle. A typical cycle looks like Transitively expanding this cycle, we find where���Æ that� � Æ�. (We may view�loosely as Shostak’s loop residue =-=[56]-=- for the cycle.) The composition of affine functions is affine, so�is affine. The observation is if��� that we can precisely solve this cyclic constraint system without any divergence whatsoever, by u...

Citation Context

... on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-BASED ANALYSES. Philosophically, our analysis may be viewed as a constraint-based analysis =-=[1]-=-; however, it is unusual to incorporate arithmetic expressions in the set constraint language and solver (but see [28] for an important partial exception).Note also that techniques for solving intege...

Citation Context

..., gcc extensions [35], Purify [51], and BoundsChecker [46]. However, many of these tools impose a large performance overhead (instrumented programs are typically 2–3 slower than the original versions =-=[3, 35, 8, 22]-=-). As a result, the tools are usually used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques ...

Citation Context

...ally used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques for eliminating redundant checks =-=[22, 39, 57]-=-. However, they typically focus on moving bounds checks to less frequently executed locations, rather than on eliminating all bounds checks. For example, hoisting bounds checks out of loops using loop...

Citation Context

...ing early work on abstract interpretation [10] and range propagation [27] as well as more mature work on systems for static debugging [6], generalized constant propagation [59], and branch prediction =-=[47]-=-; however, our emphasis on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-BASED ANALYSES. Philosophically, our analysis may be viewed as a con...

Citation Context

...ing the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method [5, 55], Shostak’s loop residues [56], and algorithms for special classes of linear systems =-=[30, 9, 38]-=-. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) [10, 11, 23, 25, 26, 24, 52]. In this context, linear programming a...

Citation Context

...es. For example, when then���,� ������������������ ������ �����������℄and 3. Constraint generation ������������℄, ����℄, The first step is to parse the source code; we use the and ����℄. BANE toolkit =-=[2]-=-. Our analysis proceeds by traversing the We define an integer range expression�as parse tree for the input C source code and generating a system of integer range constraints. With each integer progra...

Citation Context

...], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) =-=[10, 11, 23, 25, 26, 24, 52]-=-. In this context, linear programming algorithms provide a tool for manipulating subsets of��, with operations such as�,�, projection, widening, and testing for feasibility. See especially [11] for an...

Citation Context

...ally used only for debugging, not for production systems. To reduce the high cost of runtime bounds checking, several researchers have studied optimization techniques for eliminating redundant checks =-=[22, 39, 57]-=-. However, they typically focus on moving bounds checks to less frequently executed locations, rather than on eliminating all bounds checks. For example, hoisting bounds checks out of loops using loop...

Citation Context

... of security-relevant bugs that tend to occur in real programs. Others have applied runtime code-testing techniques to the problem, using, e.g., black-box testing [41, 42] or software fault injection =-=[21]-=- to find buffer overruns in real-world applications. However, runtime testing seems likely to miss many vulnerabilities. Consider the following example: if (strlen(src) > sizeof dst) break; strcpy(dst...

Citation Context

...rs have suggested using linear programming techniques to discover program invariants, including the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method =-=[5, 55]-=-, Shostak’s loop residues [56], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (conve...

Citation Context

...rk in the literature, including early work on abstract interpretation [10] and range propagation [27] as well as more mature work on systems for static debugging [6], generalized constant propagation =-=[59]-=-, and branch prediction [47]; however, our emphasis on analysis of large programs spurred us to develop new techniques with better scaling behavior. CONSTRAINT-BASED ANALYSES. Philosophically, our ana...

Citation Context

...ing the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method [5, 55], Shostak’s loop residues [56], and algorithms for special classes of linear systems =-=[30, 9, 38]-=-. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) [10, 11, 23, 25, 26, 24, 52]. In this context, linear programming a...

Citation Context

...ion. ARRAY BOUNDS CHECKING. One way to avoid buffer overruns is to use runtime array bounds checks. There are several implementations of array bounds checking for C, including SCC [3], gcc extensions =-=[35]-=-, Purify [51], and BoundsChecker [46]. However, many of these tools impose a large performance overhead (instrumented programs are typically 2–3 slower than the original versions [3, 35, 8, 22]). As a...

Citation Context

...rs have suggested using linear programming techniques to discover program invariants, including the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method =-=[5, 55]-=-, Shostak’s loop residues [56], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (conve...

Citation Context

...thms typically stress generality for small problems (“hundreds of nodes and constraints” [14]) over scalability and thus are not directly applicable here. LINT-LIKE TOOLS. Several commonly used tools =-=[34, 18, 19]-=- use static analysis and some heuristics to detect common programming errors (such as type errors, abstraction violations, and memory management bugs), but these tools don’t detect buffer overruns. Ma...

Citation Context

...ALYSES. Philosophically, our analysis may be viewed as a constraint-based analysis [1]; however, it is unusual to incorporate arithmetic expressions in the set constraint language and solver (but see =-=[28]-=- for an important partial exception).Note also that techniques for solving integer constraint systems may be found in the artificial intelligence literature [14, 32, 37, 58]; however, their algorithm...

Citation Context

...], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) =-=[10, 11, 23, 25, 26, 24, 52]-=-. In this context, linear programming algorithms provide a tool for manipulating subsets of��, with operations such as�,�, projection, widening, and testing for feasibility. See especially [11] for an...

Citation Context

...], and algorithms for special classes of linear systems [30, 9, 38]. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) =-=[10, 11, 23, 25, 26, 24, 52]-=-. In this context, linear programming algorithms provide a tool for manipulating subsets of��, with operations such as�,�, projection, widening, and testing for feasibility. See especially [11] for an...

Citation Context

...ing the simplex method, Fourier-Motzkin variable elimination [53], the Omega method [50], the SUPINF method [5, 55], Shostak’s loop residues [56], and algorithms for special classes of linear systems =-=[30, 9, 38]-=-. Typically, one combines linear programming with abstract interpretation over some simple domain (convex polyhedra, octagons, etc.) [10, 11, 23, 25, 26, 24, 52]. In this context, linear programming a...