All practical C programs use structures, arrays, and/or strings. At runtime, such objects are mapped into consecutive memory locations, hereafter referred to as buffers. Many software defects are caused by buffer overflow -- unintentional access to memory outside the intended object. String manipulation is a major source of such defects. According to the FUZZ study, they are the cause of most UNIX failures. We present a new algorithm for statically detecting buffer overflow defects caused by string manipulations in C programs. In many programs, our algorithm is capable of precisely handling destructive memory updates, even in the presence of overlapping pointer variables which reference the same buffer at different offsets. Thus, our algorithm can uncover defects which go undetected by previous works. We reduce the problem of checking string manipulation to that of analyzing integer variables. A prototype of the algorithm has been implemented and applied to statically uncover defects in real C applications, i.e., errors which occur on some inputs to the program. The applications were selected without a priori knowledge of the number of string manipulation errors. A significant number of string manipulation errors were found in every application, further indicating the extensiveness of such errors. We are encouraged by the fact that our algorithm reports very few false alarms, i.e., warnings on errors that never occur at runtime.
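As an added illustration (not the paper's analysis or code) of how checking string operations reduces to reasoning about integers: each buffer is represented by its allocation size and the index of its terminating null, each pointer by a base buffer plus an offset, and every strcpy/strcat becomes an inequality over those integers. The constructed program below declares `buf` with an alias `p = buf + 3`; the overflow in the final strcat is only visible because the write through `p` moved the terminator index that `buf` shares with it.

```python
class StringIntModel:
    """Each buffer: allocated size and index of its '\\0'. Each pointer: (base, offset)."""

    def __init__(self):
        self.alloc, self.null, self.ptr, self.warnings = {}, {}, {}, []

    def declare(self, buf, size):          # char buf[size];
        self.alloc[buf], self.null[buf], self.ptr[buf] = size, None, (buf, 0)

    def literal(self, name, text):         # const char *name = "text";
        self.declare(name, len(text) + 1)
        self.null[name] = len(text)

    def offset_ptr(self, name, src, k):    # char *name = src + k;  (alias into the same buffer)
        base, off = self.ptr[src]
        self.ptr[name] = (base, off + k)

    def strlen(self, p):                   # length seen from p = terminator index minus offset
        base, off = self.ptr[p]
        n = self.null[base]
        if n is None or n < off:
            self.warnings.append(f"strlen({p}): no terminator reachable")
            return None
        return n - off

    def _write(self, op, dst, keep, add):  # write 'add' bytes after 'keep' existing ones, plus '\0'
        base, off = self.ptr[dst]
        needed = off + keep + add + 1
        if needed > self.alloc[base]:
            self.warnings.append(f"{op}({dst}): needs {needed} bytes, {base} holds {self.alloc[base]}")
            return False
        self.null[base] = off + keep + add     # moves the terminator for every alias of base
        return True

    def strcpy(self, dst, src):
        n = self.strlen(src)
        return n is not None and self._write("strcpy", dst, 0, n)

    def strcat(self, dst, src):
        keep, add = self.strlen(dst), self.strlen(src)
        return keep is not None and add is not None and self._write("strcat", dst, keep, add)


def analyze_example():
    """Constructed straight-line C program; returns the model with any warnings found."""
    m = StringIntModel()
    m.declare("buf", 8)                    # char buf[8];
    m.offset_ptr("p", "buf", 3)            # char *p = buf + 3;
    for name, text in (("s_abc", "abc"), ("s_de", "de"), ("s_xyz", "xyz")):
        m.literal(name, text)
    m.strcpy("buf", "s_abc")               # null(buf) = 3       : needs 4 <= 8, ok
    m.strcpy("p", "s_de")                  # null(buf) = 3+2 = 5 : needs 6 <= 8, ok
    m.strcat("buf", "s_xyz")               # needs 5+3+1 = 9 > 8 : overflow reported
    return m
```

Ignoring the alias would make the last strcat look safe (3 + 3 + 1 = 7 bytes), which is exactly the class of defect the abstract says earlier analyses miss.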