A First Step towards Automated Detection of Buffer Overrun Vulnerabilities

A First Step towards Automated Detection of Buffer Overrun Vulnerabilities (2000)

Cached

Download Links

Other Repositories/Bibliography

DBLP

by David Wagner , Jeffrey S. Foster , Eric A. Brewer , Alexander Aiken

Venue:	In Network and Distributed System Security Symposium
Citations:	339 - 10 self

BibTeX

@INPROCEEDINGS{Wagner00afirst,
    author = {David Wagner and Jeffrey S. Foster and Eric A. Brewer and Alexander Aiken},
    title = {A First Step towards Automated Detection of Buffer Overrun Vulnerabilities},
    booktitle = {In Network and Distributed System Security Symposium},
    year = {2000},
    pages = {3--17}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.

Citations

1463	Theory of linear and integer programming - Schrijver - 2002
570	Automatic Discovery of Linear Restraints Among Variables of a Program - Cousot, Halbwachs - 1978
347	Dependence Analysis for Supercomputing - Banerjee - 1988
291	Extended static checking - Detlefs, Leino, et al. - 1998
269	The design and implementation of a certifying compiler - Necula, Lee - 1998
214	Constraint propagation with interval labels - Davis - 1987
213	Efficient detection of all pointer and array access errors - Austin, Breach, et al. - 1994
212	An efficient method of computing static single assignment form - Cytron, Ferrante, et al. - 1989
200	Consistency Techniques for Numeric CSPs - Lhomme - 1993
196	Empirical study of the reliability of unix utilities - Miller, Fredricksen, et al. - 1990
169	Eliminating array bound checking through dependent types - Xi, Pfenning - 1998
165	Static determination of dynamic properties of programs - Cousot, Cousot - 1976
154	Static detection of dynamic memory errors - Evans - 1996
120	Efficient and exact data dependence analysis - Maydan, Hennessy, et al. - 1991
116	With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988 - Eichin, Rochlis - 1989
111	LCLint: A Tool for Using Specifications to Check Code - Evans, Guttag, et al. - 1994
108	Verification of real-time systems using linear relation analysis - Halbwachs, Proy, et al. - 1997
102	Constraint reasoning based on interval arithmetics: the tolerance propagation approach - Hyvonen - 1992
95	Type-based alias analysis - Diwan, McKinley, et al. - 1998
94	Abstract debugging of higher-order imperative languages - Bourdoncle - 1993
93	Putting Pointer Analysis to Work - Ghiya, Hendren - 1998
82	Compiler Analysis of the Value Ranges for Variables - Harrison - 1977
81	Fuzz revisited: A re-examination of the reliability of UNIX utilities and services - Miller, Koski, et al. - 1995
79	P.: Verification of Linear Hybrid Systems by Means of Convex Approximations - Halbwachs, Proy, et al. - 1994
74	Eliminating false data dependences using the omega test - Pugh, Wonnacott - 1992
74	Constraint Satisfaction Using Constraint Logic Programming - Hentenryck, Simonis, et al. - 1992
73	Optimizing array bound checks using flow analysis - Gupta - 1994
71	Deciding linear inequalities by computing loop residues - Shostak - 1981
69	Set Constraints: Results, Applications, and Future Directions - Aiken - 1994
67	A portable machine-independent global optimizer—Design and measurements - Chow - 1983
65	Implementation of an array bound checker - Suzuki, Ishihata
63	Accurate Static Branch Prediction by Value Range - Jason, Patterson
57	Simple and fast algorithms for linear and integer programs with two variables per inequality - Hochbaum, Naor - 1994
48	A toolkit for constructing type- and constraint-based program analyses - Aiken, Fähndrich, et al. - 1998
46	Optimization of range checking - Markstein, Cocke, et al. - 1982
46	Automatic testing of reactive systems - Raymond, Weber, et al. - 1998
37	An automated approach for identifying potential vulnerabilities in software - Ghosh, O’Connor, et al. - 1998
34	On the SUP-INF method for proving Presburger formulas - Shostak - 1977
28	Improved algorithms for linear inequalities with two variables per inequality - Cohen, Megiddo - 1994
25	Generalized constant propagation: A study in C - Verbrugge, Co, et al. - 1996
13	Bounds Checking for C. http://www-ala.doc.ic.ac.uk/˜phjk/ BoundsChecking.html - Jones, Kelly - 1995
11	The Sup-Inf method in Presburger arithmetic - Bledsoe - 1974
10	Set based analysis and arithmetic - Heintze - 1993
10	a C program checker. Computer Science - Johnson
5	Bounds Checking for C," http://www-ala.doc.ic.ac.uk/phjk/ BoundsChecking.html - Jones, Kelly - 1995
5	Linear programming with two variables per inequality in poly log time - Lueker, Megiddo, et al.
4	Abstract interpretation of constraint logic programs using convex polyhedra - Handjieva - 1996
4	A static analyzer for CLP(R) based on abstract interpretation,” SAS’96: Static Analysis Symp - Handjieva, “STAN
3	Incomplete list of Unix vulnerabilities," http://www.cs.iastate.edu/ghelmer/ unixsecurity/unix_vuln.html - Helmer - 1994
3	de Raadt, "strlcpy and strlcat---Consistent, Safe, String Copy and Concatenation - Miller, T - 1996