Today's operating systems struggle with vulnerabilities that stem from careless handling of user-space pointers. User/kernel pointer bugs have serious consequences for security: a malicious user could exploit such a bug to gain elevated privileges, read sensitive data, or crash the system. We show how to detect user/kernel pointer bugs using type-qualifier inference, and we apply this method to the Linux kernel using CQUAL, a type-qualifier inference tool. We extend the basic type-inference capabilities of CQUAL to support context sensitivity and greater precision when analyzing structures, so that CQUAL requires fewer annotations and generates fewer false positives. With these enhancements, we were able to use CQUAL to find 17 exploitable user/kernel pointer bugs in the Linux kernel. Several of the bugs we found were missed by careful hand audits, by other program analysis tools, or by both.
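As an added illustration of the approach the abstract describes (example code written for this page, not CQUAL's code and not the paper's), the following C program runs a miniature flow-insensitive qualifier inference over a toy straight-line IR. The IR, the statement forms, the variable numbering and the treatment of $user and $kernel as incomparable qualifiers that are unified across assignments are all assumptions of the example; copy_from_user is modelled only by its qualifier signature (destination $kernel, source $user). The three sample "programs" are constructed: a handler that dereferences a user pointer directly, the same handler routed through copy_from_user, and a flow that stores a user pointer into a kernel-typed field.

```c
/* Added example: a miniature CQUAL-style user/kernel qualifier inference.
 * Not CQUAL's code; it models the idea on a toy straight-line IR so the
 * analysis can be run end to end. */
#include <stdio.h>
#include <string.h>

#define MAXV     16   /* max variables per toy program (example assumption) */
#define Q_USER   1    /* pointer originates in user space ($user)           */
#define Q_KERNEL 2    /* pointer is a kernel address ($kernel)              */

/* Toy IR. $user and $kernel are treated as incomparable, so the
 * flow-insensitive constraint for "a = b" is that a and b share one
 * qualifier class (unification). */
typedef enum { ANNOT, ASSIGN, DEREF, COPY_FROM_USER } Op;
typedef struct {
    Op  op;
    int a, b;   /* ANNOT a; ASSIGN a = b; DEREF *a; COPY_FROM_USER(a <- b) */
    int q;      /* qualifier constant for ANNOT                            */
} Stmt;

typedef struct { int parent[MAXV]; int quals[MAXV]; } Classes;

static int find(Classes *c, int v) {
    while (c->parent[v] != v) { c->parent[v] = c->parent[c->parent[v]]; v = c->parent[v]; }
    return v;
}
/* Merge two qualifier classes, keeping every constant qualifier seen so far. */
static void unite(Classes *c, int x, int y) {
    x = find(c, x); y = find(c, y);
    if (x == y) return;
    c->parent[y] = x;
    c->quals[x] |= c->quals[y];
}
static void tag(Classes *c, int v, int q) { c->quals[find(c, v)] |= q; }

/* Infer qualifiers for an n-statement program over nvars variables and
 * return the number of errors found. Errors are:
 *  - a class constrained to be both $user and $kernel (inconsistent flow)
 *  - a dereference of a pointer whose class is $user (the user/kernel bug) */
int infer(const Stmt *p, int n, int nvars) {
    Classes c; int i, errors = 0, reported[MAXV] = {0};
    for (i = 0; i < nvars; i++) { c.parent[i] = i; c.quals[i] = 0; }

    /* Pass 1: generate and solve the flow-insensitive constraints. */
    for (i = 0; i < n; i++) switch (p[i].op) {
        case ANNOT:  tag(&c, p[i].a, p[i].q); break;
        case ASSIGN: unite(&c, p[i].a, p[i].b); break;
        case DEREF:  break;                            /* checked in pass 2 */
        case COPY_FROM_USER:                           /* dst $kernel, src $user */
            tag(&c, p[i].a, Q_KERNEL); tag(&c, p[i].b, Q_USER); break;
    }
    /* Pass 2: check the solution against the two error conditions. */
    for (i = 0; i < nvars; i++) {
        int r = find(&c, i);
        if (c.quals[r] == (Q_USER | Q_KERNEL) && !reported[r]) {
            reported[r] = 1; errors++;
            printf("error: v%d is constrained to both $user and $kernel\n", i);
        }
    }
    for (i = 0; i < n; i++)
        if (p[i].op == DEREF && (c.quals[find(&c, p[i].a)] & Q_USER)) {
            errors++;
            printf("error: stmt %d dereferences user pointer v%d\n", i, p[i].a);
        }
    return errors;
}

/* Constructed sample: an ioctl-style handler copies its $user argument into
 * a local and dereferences it directly (the bug class in the abstract). */
int check_vulnerable_handler(void) {
    const Stmt prog[] = {
        { ANNOT,  0, 0, Q_USER },   /* v0: void __user *arg                */
        { ASSIGN, 1, 0, 0 },        /* v1 = arg                            */
        { DEREF,  1, 0, 0 },        /* *v1  <- bug: direct user deref      */
    };
    return infer(prog, 3, 2);
}
/* Same handler, fixed: user data reaches the kernel only via copy_from_user. */
int check_fixed_handler(void) {
    const Stmt prog[] = {
        { ANNOT,  0, 0, Q_USER },
        { ASSIGN, 1, 0, 0 },
        { COPY_FROM_USER, 2, 1, 0 },/* copy_from_user(v2, v1, ...)         */
        { DEREF,  2, 0, 0 },        /* *v2 is a kernel buffer: fine        */
    };
    return infer(prog, 4, 3);
}
/* Inconsistent flow: arg is stored into a field declared $kernel; the
 * clash is reported even though nothing is dereferenced. */
int check_mixed_flow(void) {
    const Stmt prog[] = {
        { ANNOT,  0, 0, Q_USER },
        { ANNOT,  3, 0, Q_KERNEL }, /* v3: struct field declared $kernel   */
        { ASSIGN, 3, 0, 0 },        /* field = arg                         */
    };
    return infer(prog, 3, 4);
}

int main(void) {
    printf("vulnerable: %d error(s)\n", check_vulnerable_handler());
    printf("fixed:      %d error(s)\n", check_fixed_handler());
    printf("mixed:      %d error(s)\n", check_mixed_flow());
    return 0;
}
```

The example is intraprocedural and flow-insensitive; the context sensitivity and structure precision the abstract describes are exactly what is missing here, which is why a real checker needs them to keep annotation counts and false positives down.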