A First Step towards Automated Detection of Buffer Overrun Vulnerabilities

A First Step towards Automated Detection of Buffer Overrun Vulnerabilities (2000)

Cached

Download Links

Other Repositories/Bibliography

DBLP

by David Wagner , Jeffrey S. Foster , Eric A. Brewer , Alexander Aiken

Venue:	In Network and Distributed System Security Symposium
Citations:	327 - 9 self

BibTeX

@INPROCEEDINGS{Wagner00afirst,
    author = {David Wagner and Jeffrey S. Foster and Eric A. Brewer and Alexander Aiken},
    title = {A First Step towards Automated Detection of Buffer Overrun Vulnerabilities},
    booktitle = {In Network and Distributed System Security Symposium},
    year = {2000},
    pages = {3--17}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

We describe a new technique for finding potential buffer overrun vulnerabilities in security-critical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotely-exploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs. 1.

Citations

1386	Theory of Linear and Integer Programming - Schrijver - 1986
537	Automatic discovery of linear restraints among variables of a program - Cousot, Halbwachs - 1978
344	Dependence Analysis for Supercomputing - Banerjee - 1988
286	Extended static checking - Detlefs, Leino, et al. - 1998
264	The design and implementation of a certifying compiler - Necula, Lee - 1998
208	Efficient Detection of All Pointer and Array Access Errors - Austin, Breach, et al. - 1994
206	An efficient method of computing static single assignment form - Cytron, Ferrante, et al. - 1989
203	Constraint propagation with interval labels - Davis - 1987
189	An empirical study of the reliability of unix utilities - Miller, Fredriksen, et al. - 1990
178	Consistency techniques for numeric CSPs - Lhomme - 1993
168	Eliminating array bound checking through dependent types - Xi, Pfenning - 1998
151	Static determination of dynamic properties of programs - Cousot, Cousot - 1976
149	Static detection of dynamic memory errors - Evans - 1996
115	Efficient and Exact Data Dependence Analysis - Maydan, Hennessy, et al. - 1991
114	With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988 - Eichin, Rochlis - 1989
110	LCLint: A tool for using specifications to check code - Evans, Guttag, et al. - 1994
99	Verification of real-time systems using linear relation analysis - Halbwachs, Proy, et al. - 1997
98	Constraint reasoning based on interval arithmetic; The tolerance propagation approach - Hyvönen - 1992
94	Abstract debugging of higher-order imperative languages - Bourdoncle - 1993
94	Type-based alias analysis - DIWAN, MCKINLEY, et al. - 1998
93	Putting pointer analysis to work - GHIYA, HENDREN - 1998
80	Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services,” technical report - Miller, Koski, et al. - 1995
79	Compiler analysis of the value ranges for variables - Harrison - 1977
77	Verification of linear hybrid systems by means of convex approximations - Halbwachs, Proy, et al. - 1994
73	Eliminating false data dependences using the Omega test - Pugh, Wonnacott - 1992
72	Optimizing Array Bounds Checks Using Flow Analysis - Gupta - 1993
72	Constraint satisfaction using constraint logic programming. Constraint-Based Reasoning - Hentenryck, Simonis, et al. - 1994
69	Set constraints: Results, applications, and future directions - Aiken - 1994
69	Deciding linear inequalities by computing loop residues - Shostak - 1981
66	A portable machine-independent global optimizer–design and measurements - Chow - 1984
64	Implementation of an array bound checker - Suzuki, Ishihata - 1977
62	Accurate static branch prediction by value range propagation - Patterson - 1995
52	Simple and fast algorithms for linear and integer programs with two variables per inequality - Hochbaum, Naor - 1994
47	A toolkit for constructing type- and constraint-based program analyses - Aiken, Faehndrich, et al. - 1998
46	Optimization of range checking - Markstein, Cocke, et al. - 1982
44	Automatic testing of reactive systems - Raymond, Weber, et al. - 1998
34	An automated approach for identifying potential vulnerabilities in software - Ghosh, OConnor, et al. - 1998
34	On the SUP-INF method for proving Presburger formulas - Shostak - 1977
26	Improved algorithms for linear inequalities with two variables per inequality - Cohen, Megiddo - 1991
24	Generalized constant propagation A study in C - Verbrugge, Co, et al. - 1996
13	Bounds Checking for C. http://www-ala.doc.ic.ac.uk/ phjk/BoundsChecking.html - Jones, Kelly
11	The Sup-Inf method in Presburger arithmetic - Bledsoe - 1974
10	Set based analysis of arithmetic - Heintze - 1993
10	a C program checker. Computer Science - Johnson
5	Bounds Checking for C," http://www-ala.doc.ic.ac.uk/phjk/ BoundsChecking.html - Jones, Kelly - 1995
5	Linear programming with two variables per inequality in poly log time - Lueker, Megiddo, et al.
4	Abstract interpretation of constraint logic programs using convex polyhedra - Handjieva - 1996
4	A static analyzer for CLP(R) based on abstract interpretation,” SAS’96: Static Analysis Symp - Handjieva, “STAN
3	Incomplete list of Unix vulnerabilities," http://www.cs.iastate.edu/ghelmer/ unixsecurity/unix_vuln.html - Helmer - 1994
3	de Raadt, "strlcpy and strlcat---Consistent, Safe, String Copy and Concatenation - Miller, T - 1996