The trouble with for-loop invariants
SIGCSE '88 Proceedings of the nineteenth SIGCSE technical symposium on Computer science education
Static detection of dynamic memory errors
PLDI '96 Proceedings of the ACM SIGPLAN 1996 conference on Programming language design and implementation
Safe kernel extensions without run-time checking
OSDI '96 Proceedings of the second USENIX symposium on Operating systems design and implementation
Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Dynamically discovering likely program invariants to support program evolution
Proceedings of the 21st international conference on Software engineering
SASI enforcement of security policies: a retrospective
Proceedings of the 1999 workshop on New security paradigms
Proceedings of the 22nd international conference on Software engineering
Introduction to set constraint-based program analysis
Science of Computer Programming
Linux Journal
SIGSOFT '00/FSE-8 Proceedings of the 8th ACM SIGSOFT international symposium on Foundations of software engineering: twenty-first century applications
POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Cleanness Checking of String Manipulations in C Programs via Integer Analysis
SAS '01 Proceedings of the 8th International Symposium on Static Analysis
ITS4: A static vulnerability scanner for C and C++ code
ACSAC '00 Proceedings of the 16th Annual Computer Security Applications Conference
IRM Enforcement of Java Stack Inspection
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Policy-directed code safety
Static analysis and computer security: new techniques for software assurance
Static analysis and computer security: new techniques for software assurance
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
A secure environment for untrusted helper applications confining the Wily Hacker
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Transparent run-time defense against stack smashing attacks
ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
Token-based scanning of source code for security problems
ACM Transactions on Information and System Security (TISSEC)
Runtime verification of authorization hook placement for the linux security modules framework
Proceedings of the 9th ACM conference on Computer and communications security
Enabling trusted software integrity
Proceedings of the 10th international conference on Architectural support for programming languages and operating systems
AMAST '02 Proceedings of the 9th International Conference on Algebraic Methodology and Software Technology
Encoding Function Pointers and Memory Arrangement Checking against Buffer Overflow Attack
ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Cleanness Checking of String Manipulations in C Programs via Integer Analysis
SAS '01 Proceedings of the 8th International Symposium on Static Analysis
Using CQUAL for Static Analysis of Authorization Hook Placement
Proceedings of the 11th USENIX Security Symposium
Type-Assisted Dynamic Buffer Overflow Detection
Proceedings of the 11th USENIX Security Symposium
CSSV: towards a realistic tool for statically detecting all buffer overflows in C
PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Buffer overflow and format string overflow vulnerabilities
Software—Practice & Experience - Special issue: Security software
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Model-carrying code: a practical approach for safe execution of untrusted applications
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Countering code-injection attacks with instruction-set randomization
Proceedings of the 10th ACM conference on Computer and communications security
MECA: an extensible, expressive system and language for statically checking security properties
Proceedings of the 10th ACM conference on Computer and communications security
Buffer overrun detection using linear programming and static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Protection against Indirect Overflow Attacks on Pointers
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Consistency analysis of authorization hook placement in the Linux security modules framework
ACM Transactions on Information and System Security (TISSEC)
An efficient and backwards-compatible transformation to ensure memory safety of C programs
Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
A holistic approach to service survivability
Proceedings of the 2003 ACM workshop on Survivable and self-regenerative systems: in association with 10th ACM Conference on Computer and Communications Security
IEEE Security and Privacy
A Hardware-Software Platform for Intrusion Prevention
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Randomized instruction set emulation
ACM Transactions on Information and System Security (TISSEC)
Using instruction block signatures to counter code injection attacks
ACM SIGARCH Computer Architecture News - Special issue: Workshop on architectural support for security and anti-virus (WASSA)
Improving network applications security: a new heuristic to generate stress testing data
GECCO '05 Proceedings of the 7th annual conference on Genetic and evolutionary computation
Static Analysis Method for Detecting Buffer Overflow Vulnerabilities
Programming and Computing Software
Detection and prevention of stack buffer overflow attacks
Communications of the ACM
A similarity-aware approach to testing based fault localization
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Proceedings of the 12th ACM conference on Computer and communications security
String analysis for x86 binaries
PASTE '05 Proceedings of the 6th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Gaining and maintaining confidence in operating systems security
EW 10 Proceedings of the 10th workshop on ACM SIGOPS European workshop
The case for analysis preserving language transformation
Proceedings of the 2006 international symposium on Software testing and analysis
SmashGuard: A Hardware Solution to Prevent Security Attacks on the Function Return Address
IEEE Transactions on Computers
Using common off-the-shelf tools to implement dynamic aspects
ACM SIGPLAN Notices
Creating a portable programming language using open source software
ATEC '04 Proceedings of the annual conference on USENIX Annual Technical Conference
Address obfuscation: an efficient approach to combat a board range of memory error exploits
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Preventing privilege escalation
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
TIED, LibsafePlus: tools for runtime buffer overflow protection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Privtrans: automatically partitioning programs for privilege separation
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Protecting against unexpected system calls
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Efficient techniques for comprehensive protection from memory error exploits
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Variably interprocedural program analysis for runtime error detection
Proceedings of the 2007 international symposium on Software testing and analysis
Predicting vulnerable software components
Proceedings of the 14th ACM conference on Computer and communications security
Memsherlock: an automated debugger for unknown memory corruption vulnerabilities
Proceedings of the 14th ACM conference on Computer and communications security
Detecting buffer overflow via automatic test input data generation
Computers and Operations Research
CMV: automatic verification of complete mediation for java virtual machines
Proceedings of the 2008 ACM symposium on Information, computer and communications security
An efficient runtime instruction block verification for secure embedded systems
Journal of Embedded Computing - Embeded Processors and Systems: Architectural Issues and Solutions for Emerging Applications
On similarity-awareness in testing-based fault localization
Automated Software Engineering
Toasters, Seat Belts, and Inferring Program Properties
Verified Software: Theories, Tools, Experiments
Vigilante: End-to-end containment of Internet worm epidemics
ACM Transactions on Computer Systems (TOCS)
Proceedings of the 2009 ACM SIGPLAN workshop on Partial evaluation and program manipulation
Static Analysis of a Class of Memory Leaks in TrustedBSD MAC Framework
ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
Interprocedural and Flow-Sensitive Type Analysis for Memory and Type Safety of C Code
Journal of Automated Reasoning
Hardware-assisted run-time monitoring for secure program execution on embedded processors
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
A Lightweight Buffer Overflow Protection Mechanism with Failure-Oblivious Capability
ICA3PP '09 Proceedings of the 9th International Conference on Algorithms and Architectures for Parallel Processing
Control flow obfuscation with information flow tracking
Proceedings of the 42nd Annual IEEE/ACM International Symposium on Microarchitecture
Pentagons: A weakly relational abstract domain for the efficient validation of array accesses
Science of Computer Programming
Automatic detection of unsafe component loadings
Proceedings of the 19th international symposium on Software testing and analysis
Baggy bounds checking: an efficient and backwards-compatible defense against out-of-bounds errors
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
HSP: A solution against heap sprays
Journal of Systems and Software
A framework for defending embedded systems against software attacks
ACM Transactions on Embedded Computing Systems (TECS)
Rigorous evidence of freedom from concurrency faults in industrial control software
SAFECOMP'11 Proceedings of the 30th international conference on Computer safety, reliability, and security
Orion: high-precision methods for static error analysis of c and c++ programs
FMCO'05 Proceedings of the 4th international conference on Formal Methods for Components and Objects
Static analysis of string manipulations in critical embedded c programs
SAS'06 Proceedings of the 13th international conference on Static Analysis
Using static program analysis to aid intrusion detection
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Self debugging mode for patch-independent nullification of unknown remote process infection
CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security
SWIPE: eager erasure of sensitive data in large scale systems software
Proceedings of the second ACM conference on Data and Application Security and Privacy
LADC'05 Proceedings of the Second Latin-American conference on Dependable Computing
An expressive aspect language for system applications with arachne
Transactions on Aspect-Oriented Software Development I
Static consistency checking for Verilog wire interconnects
Higher-Order and Symbolic Computation
A method of software defects mining based on static analysis
IEA/AIE'12 Proceedings of the 25th international conference on Industrial Engineering and Other Applications of Applied Intelligent Systems: advanced research in applied artificial intelligence
Binary stirring: self-randomizing instruction addresses of legacy x86 binary code
Proceedings of the 2012 ACM conference on Computer and communications security
Hails: protecting data privacy in untrusted web applications
OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
Security Evaluation of Service-Oriented Systems Using the SiSOA Method
International Journal of Secure Software Engineering
An empirical study of cryptographic misuse in android applications
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
SEC'13 Proceedings of the 22nd USENIX conference on Security
Jekyll on iOS: when benign apps become evil
SEC'13 Proceedings of the 22nd USENIX conference on Security
ARMORY: An automatic security testing tool for buffer overflow defect detection
Computers and Electrical Engineering
Control-flow integrity principles, implementations, and applications
ACM Transactions on Information and System Security (TISSEC)
A distributed framework for demand-driven software vulnerability detection
Journal of Systems and Software
| Hi-index | 0.02 |
Buffer overflow attacks may be today's single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.