Using type qualifiers to analyze untrusted integers and detecting security flaws in c programs

Authors:
Ebrima N. Ceesay;Jingmin Zhou;Michael Gertz;Karl Levitt;Matt Bishop
Affiliations:
Computer Security Laboratory, University of California at Davis, Davis, CA;Computer Security Laboratory, University of California at Davis, Davis, CA;Computer Security Laboratory, University of California at Davis, Davis, CA;Computer Security Laboratory, University of California at Davis, Davis, CA;Computer Security Laboratory, University of California at Davis, Davis, CA
Venue:
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Year:
2006

Citing 6
Cited 6

Static detection of dynamic memory errors

PLDI '96 Proceedings of the ACM SIGPLAN 1996 conference on Programming language design and implementation
A theory of type qualifiers

Proceedings of the ACM SIGPLAN 1999 conference on Programming language design and implementation
Using Programmer-Written Compiler Extensions to Catch Security Holes

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Type qualifiers: lightweight specifications to improve software quality

Type qualifiers: lightweight specifications to improve software quality
Detecting format string vulnerabilities with type qualifiers

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Finding user/kernel pointer bugs with type inference

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

IntPatch: automatically fix integer-overflow-to-buffer-overflow vulnerability at compile-time

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
An 'explicit type enforcement' program transformation tool for preventing integer vulnerabiliites

Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion
Improving integer security for systems with KINT

OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
Program transformations to fix C integers

Proceedings of the 2013 International Conference on Software Engineering
Sound input filter generation for integer overflow errors

Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
Using type analysis in compiler to mitigate integer-overflow-to-buffer-overflow threat

Journal of Computer Security - ESORICS 2010

Quantified Score

Hi-index	0.00

Visualization

Abstract

Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer related vulnerabilities in these applications