Sound, complete and scalable path-sensitive analysis
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Small formulas for large programs: on-line constraint simplification in scalable static analysis
SAS'10 Proceedings of the 17th international conference on Static analysis
Inferring data polymorphism in systems code
Proceedings of the 19th ACM SIGSOFT symposium and the 13th European conference on Foundations of software engineering
Diagnosys: automatic generation of a debugging interface to the Linux kernel
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
| Hi-index | 0.00 |
Operating systems divide virtual memory addresses into kernel space and user space. The interface of a modern operating system consists of a set of system call procedures that may take pointer arguments called user pointers. It is safe to dereference a user pointer if and only if it points into user space. If the operating system dereferences a user pointer that does not point into user space, then a malicious user application could gain control of the operating system, reveal sensitive data from kernel space, or crash the machine. Because the operating system cannot trust user processes, the operating system must check that the user pointer points to user space before dereferencing it. In this paper, we present a scalable and precise static analysis capable of verifying the absence of unchecked user pointer dereferences. We evaluate an implementation of our analysis on the entire Linux operating system with over 6.2 million lines of code with false alarms reported on only 0.05% of dereference sites.