Modular checking for buffer overflows in the large

Proceedings - International Conference on Software Engineering

Volumn 2006, Issue , 2006, Pages 232-241

  Hackett, Brian ^a   Das, Manuvir ^b   Wang, Daniel ^b   Yang, Zhe ^b  

^a Stanford University   (United States)

^b MICROSOFT   (United States)

Author keywords

Annotation design; Annotation inference; Buffer overflows; Modular analysis

Indexed keywords

AUTOMATION; DATA ACQUISITION; INFERENCE ENGINES; INFORMATION TECHNOLOGY; SOFTWARE ENGINEERING; SPECIFICATION LANGUAGES;

ANNOTATION DESIGNS; ANNOTATION INFERENCES; BUFFER OVERFLOWS; MODULAR ANALYSIS;

BUFFER STORAGE;

EID: 34247099396     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1134285.1134319     Document Type: Conference Paper

References (18)

1. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes, May 2002. In IEEE Symposium on Security and Privacy, Oakland, California.
2. B. Chess. Improving computer security using extended static checking. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 160, Washington, DC, USA, 2002. IEEE Computer Society.
3. J. Condit, M. Harren, S. McPeak, G. Necula, and W. Weimer. CCured in the real world. In PLDI '03: Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, pages 232-244, New York, NY, USA, 2003.
4. C. Cowan, G. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conference, pages 63-78, San Antonio, Texas, Jan 1998.
5. N. Dor, M. Rodeh, and M. Sagiv. CSSV: towards a realistic tool for statically detecting all buffer overflows in C. In PLDI '03: Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, pages 155-167, New York, NY, USA, 2003. ACM Press.
6. M. Ernst, J. Cockrell, W. Griswold, and D. Notkin. Dynamically discovering likely program invariants to support program evolution. IEEE Transactions in Software Engineering, 27(2):99-123, February 2001.
7. D. Evans and D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, 19(1):42-51, 2002.
8. C. Flanagan and K. R. M. Leino. Houdini, an annotation assistant for ESC/Java. In Symposium of Formal Methods Europe, 2001.
9. C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata. Extended static checking for Java. In Proceedings of the 29th ACM Symposium on Principles of Programming Languages, 2002.
10. J. Nimmer and M. Ernst. Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java. In Proceedings of RV'01, First Workshop on Runtime Verification, 2001.
11. Polyspace - automatic detection of run-time errors at compile time, www.polyspace.com.
12. T. Reps, M. Sagiv, and S. Horwitz. Precise interprocedural dataflow analysis via graph reachability. In Conference Record of the Twenty-Second ACM Symposium on Principles of Programming Languages, 1995.
13. M. Rinard, C. Cadar, D. Dumitran, D. Roy, T. Leu, and W. Beebee Jr. Enhancing server availability and security through failure-oblivious computing. In Proceedings of the 6th Symposium on Operating Systems Design and Implementation, 2004.
14. O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, pages 159-169, 2004.
15. D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Distributed System Security Symposium, pages 3-17, San Diego, CA, February 2000.
16. Y. Xie, A. Chou, and D. Engler. ARCHER: Using symbolic, path-sensitive analysis to detect memory access errors. In FSE '03: Proceedings of the 10th ACM SIGSOFT international symbosium on Foundations of software engineering, 2003.
17. J. Yang, T. Kremenek, Y. Xie, and D. Engler. MEGA: an extensible, expressive system and language for statically checking security properties. In Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.
18. M. Zitser, R. Lippmann, and T. Leek. Testing static analysis tools using exploitable buffer overflows from open source code. In SIGSOFT '04/FSE-12: Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, pages 97-106, New York, NY, USA, 2004. ACM Press.