A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities.

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2000

Volumn , Issue , 2000, Pages

  Wagner, David ^a   Foster, Jeffrey S ^a   Brewer, Eric A ^a   Aiken, Alexander ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C (PROGRAMMING LANGUAGE); NETWORK SECURITY;

ANALYSIS PROBLEMS; AUTOMATED DETECTION; BUFFER OVERRUN; C++ CODES; DEPLOYED SOFTWARE; RANGE ANALYSIS; SECURITY BUGS; SECURITY-CRITICAL;

STATIC ANALYSIS;

EID: 85081874807     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (61)

1. A. Aiken, "Set constraints: results, applications, and future directions," PPCP'94: Principles and Practice of Constraint Programming, Springer-Verlag, pp.326-335.
2. A. Aiken, M. Fähndrich, J.S. Foster, Z. Su, "A toolkit for constructing type- and constraint-based program analyses," TIC'98: Types in Compilation, Springer-Verlag, 1998, pp.78-96.
3. T.M. Austin, S.E. Breach, G.S. Sohi, "Efficient Detection of All Pointer and Array Access Errors," PLDI'94, ACM.
4. U. Banerjee, Dependence analysis for supercomputing, Kluwer Academic Publishers, Norwell, MA, 1988.
5. W.W. Bledsoe, "The SUP-INF method in Presburger arithmetic,", Memo ATP-18, Math Dept., U. Texas Austin, Dec. 1974.
6. F. Bourdoncle, "Abstract debugging of higher-order imperative languages," PLDI'93, ACM.
7. The bugtraq mailing list, http://www.securityfocus.com/.
8. F. Chow, "A portable machine-independent global optimizer-Design and measurements," Tech. report 83-254, PhD thesis, Computer Systems Lab, Stanford Univ., 1983.
9. E. Cohen, N. Megiddo, "Improved algorithms for linear inequalities with two variables per inequality," SIAM J. Computing, vol.23 no.6, pp.1313-1347, Dec. 1994.
10. P. Cousot, R. Cousot, "Static determination of dynamic properties of programs," Proc. 2nd Intl. Symp. on Programming, Paris, Apr. 1976.
11. P. Cousot, N. Halbwachs, "Automatic Discovery of Linear Restraints among Variables of a Program," 5th ACM POPL, 1978, pp.84-97.
12. C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. 7th USENIX Security Conf., Jan. 1998.
13. R. Cytron, J. Ferrante, B.K. Rosen, M.N. Wegman, F.K. Zadeck, "An Efficient Method of Computing Static Single Assignment Form," POPL'89.
14. E. Davis, "Constraint propagation with interval labels," Artificial Intelligence, vol.32 no.3, July 1987, pp.281-331.
15. D.L. Detlefs, K.R.M. Leino, G. Nelson, J.B. Saxe, "Extended Static Checking," Compaq SRC Research Report 159, 1998.
16. A. Diwan, K. McKinley, E. Moss, "Type-Based Alias Analysis," PLDI'98.
17. M.W. Eichin, J.A. Rochlis, "With microscope and tweezers: an analysis of the Internet virus of Nov. 1988," 1989 IEEE Symp. Security and Privacy.
18. D. Evans, J. Guttag, J. Horning, Y.M. Tan, "LCLint: a tool for using specifications to check code," SIGSOFT Symp. on Foundations of Software Engineering, Dec. 1994.
19. D. Evans, "Static detection of dynamic memory errors," PLDI'96.
20. R. Ghiya, L.J. Hendren, "Putting pointer analysis to work," POPL'98.
21. A.K. Ghosh, T. O'Connor, G. McGraw, "An automated approach for identifying potential vulnerabilities in software," Proc. IEEE Symp. on Security and Privacy, May 1998, pp.104-114.
22. R. Gupta, "Optimizing array bound checks using flow analysis," ACM Letters on Programming Languages and Systems, vol.2 no.1-4, Mar.-Dec. 1993, pp.135-150.
23. N. Halbwachs, Y.-E. Proy, P. Raymond, "Verification of linear hybrid systems by means of convex approximations," SAS'94: Static Analysis Symp., Springer-Verlag, 1994, pp.223-237.
24. N. Halbwachs, Y.-E. Proy, P. Roumanoff, "Verification of real-time systems using linear relation analysis," CAV'93: Computer Aided Verification, Published in Formal Methods in System Design, vol.11 no.2, Aug. 1997, Kluwer Academic Publishers, pp.157-185.
25. M. Handjieva, "Abstract interpretation of constraint logic programs using convex polyhedra," Tech. report LIX/RR/96/06, LIX, Ecole Polytechnique, May 1996.
26. M. Handjieva, "STAN: A static analyzer for CLP(R) based on abstract interpretation," SAS'96: Static Analysis Symp.
27. W.H. Harrison, "Compiler analysis of the value ranges for variables," IEEE Trans. Software Engineering, vol.SE-3 no.3, May 1977, pp.243-250.
28. N. Heintze, "Set based analysis and arithmetic," Tech. report CS-93-221, Carnegie Mellon Univ.
29. G. Helmer, "Incomplete list of Unix vulnerabilities," http://www.cs.iastate.edu/~ghelmer/unixsecurity/unix-vuln.html.
30. D.S. Hochbaum, J.S. Naor, "Simple and fast algorithms for linear and integer programs with two variables per inequality," SIAM J. Computing, vol.23 no.6, Dec. 1994, pp. 1179-1192.
31. D. Holland, http://www.hcs.harvard.edu/dholland/computers/netkit.html.
32. E. Hyvönen, "Constraint reasoning based on interval arithmetic: the tolerance propagation approach," Artificial Intelligence, vol.58, 1992, pp.71-112.
33. http://www.infilsec.com/vulnerabilities/.
34. S.C. Johnson, "Lint, a C program checker," Computer Science Tech. report 65, Bell Laboratories, 1978.
35. R. Jones, P. Kelly, "Bounds Checking for C," http://www-ala.doc.ic.ac.uk/phjk/BoundsChecking.html.
36. O. Kirch, "The poisoned NUL byte," post to the bugtraq mailing list, Oct. 1998.
37. O. Lhomme, "Consistency techniques for numeric CSPs," IJCN'93: 13th Intl. Joint Conf. on Artificial Intelligence, vol.1, 1993.
38. G. Lueker, N. Megiddo, V. Ramachandran, "Linear programming with two variables per inequality in poly-log time," SIAM J. Computing, vol.19 no.6, Dec. 1990, pp.1000-1010.
39. V. Markstein, J. Cocke, P. Markstein, "Optimization of range checking," SIGPLAN Notices, vol.17 no.6, Proc. Symp. on Compiler Construction, June 1982, p.114-119.
40. D.E. Maydan, J.L. Hennessy, M.S. Lam, "Efficient and Exact Data Dependence Analysis," PLDI'91.
41. B.P. Miller, L. Fredricksen, B. So, "An empirical study of the reliability of Unix utilities," CACM, vol.33 no.12, Dec. 1990, pp.32-44.
42. B.P. Miller, D. Koski, C.P. Lee, V. Maganty, R. Murphy, A. Natarajan, J. Steidl, "Fuzz revisited: a re-examination of the reliability of Unix utilities and services," Tech. report CSTR-95-1268, U. Wisconsin, Apr. 1995.
43. T.C. Miller, T. de Raadt, "strlcpy and strlcat-Consistent, Safe, String Copy and Concatenation," FREENIX'99, USENIX Assoc., Berkeley, CA.
44. Mudge, "Sendmail 8.7.5 vulnerability," post to the bugtraq mailing list, Sep. 1996.
45. G.C. Necula, P. Lee, "The Design and Implementation of a Certifying Compiler," PLDI'98.
46. NuMega BoundsChecker, http://www.numega.com/products/aed/vc-more.shtml.
47. J. Patterson. "Accurate Static Branch Prediction by Value Range Propagation". PLDI'95, pp.67-78.
48. Phrack Magazine, "The Frame Pointer Overwrite," Sep. 1999, vol.9 no.55.
49. V.R. Pratt, "Two easy theories whose combination is hard," unpublished manuscript, Sep. 1977.
50. W. Pugh, D. Wonnacott, "Eliminating false data dependences using the Omega test," PLDI'92, pp.140-151.
51. Pure Atria Purify, http://www.rational.com/products/purify-unix/index.jtmpl.
52. P. Raymond, X. Nicollin, N. Halbwachs, D. Weber, "Automatic testing of reactive systems," Proc. 19th IEEE Real-Time Systems Symp., 1998, pp.200-209.
53. A. Schrijver, Theory of linear and integer programming, Series in Discrete Mathematics, John Wiley & Sons, 1986.
54. M. Shapiro, S. Horwitz, "The effects of precision of pointer analysis," SAS'97: Static Analysis Symp., Springer-Verlag, pp.16-34.
55. R. Shostak, "On the SUP-INF method for proving Presburger formulas," J. ACM, vol.24 no.4, Oct. 1977, pp.529-543.
56. R. Shostak, "Deciding linear inequalities by computing loop residues," J. ACM, vol.28 no.4, Oct. 1981, pp.769-779.
57. N. Sosuki, K. Ishihata, "Implementation of array bound checker," POPL'77, pp.132-143.
58. P. Van Hentenryck, H. Simonis, M. Dincbas, "Constraint satisfaction using constraint logic programming," Artificial Intelligence, vol.58, 1992, pp.113-159.
59. C. Verbrugge, P. Co, L.J. Hendren, "Generalized constant propagation: A study in C," Compiler Construction, 6th Intl. Conf., LNCS 1060, Apr. 1996, pp.74-90.
60. H. Xi, F. Pfenning, "Eliminating array bound checking through dependent types," PLDI'98, pp.249-257.
61. H. Xi, F. Pfenning, "Dependent Types in Practical Programming," POPL'99.