Article

Refining buffer overflow detection via demand-driven path-sensitive analysis

Authors:

Mary Lou SoffaAuthors Info & Claims

PASTE '07: Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering

Pages 63 - 68

https://doi.org/10.1145/1251535.1251546

Published: 13 June 2007 Publication History

Abstract

Although static analysis is an important technique for detecting buffer overflow before software deployment, current static tools rely on considerable human effort for annotating code to help analysis, or for diagnosing warnings, many of which are false positives. This paper presents an analysis technique that refines information about the paths that involve a potential buffer overflow to help in the diagnosis and debugging of vulnerabilities. Instead of only reporting a vulnerable buffer or statement in the program, which most tools do, our analysis categorizes paths of a possibly vulnerable statement into five types: Vulnerable, Overflow-User-Independent, Safe, Infeasible and Don't-Know. Thus, safe and infeasible paths can be excluded from being inspected, providing focus on problematic paths. For scalability, we designed and implemented our analysis as an interprocedural, demand-driven path-sensitive analysis. Our experiments demonstrate that various path types do go through a possibly vulnerable buffer statement. The results also indicate that our technique is efficient and practical.

References

[1]

T. Ball and J. R. Larus. Programs follow paths. Microsoft Technical Report MSR--TR--99--01, 1999.

[2]

R. Bodik, R. Gupta, and M. L. Soffa. Interprocedural conditional branch elimination. In Proceedings of the ACM SIGPLAN 1997 conference on Programming language design and implementation, 1997.

Digital Library

[3]

R. Bodik, R. Gupta, and M. L. Soffa. Refining data flow information using infeasible paths. In Proceedings of the 5th ACM SIGSOFT international symposium on Foundations of software engineering, 1997.

Digital Library

[4]

W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. Software: Practice and Experience, 2000.

Digital Library

[5]

CERT. http://www.cert.org.

[6]

H. Chen and D. Wagner. Mops: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM conference on Computer and communications security, 2002.

Digital Library

[7]

S. Chen, J. Xu, E. Sezer, P. Gauriar, and R. Iyer. Non--control--data attacks are realistic threats. In Proceedings of the 14th USENIX Security Symposium, 2005.

Digital Library

[8]

M. Das, S. Lerner, and M. Seigle. ESP: path--sensitive program verification in polynomial time. In Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementation, 2002.

Digital Library

[9]

E. Duesterwald, R. Gupta, and M. L. Soffa. A demand--driven analyzer for data flow testing at the integration level. In Proceedings of the 18th international conference on Software engineering, 1996.

Digital Library

[10]

E. Duesterwald, R. Gupta, and M. L. Soffa. A practical framework for demand--driven interprocedural data flow analysis. ACM Transactions on Programming Languages and Systems, 1997.

Digital Library

[11]

D. Evans. Static detection of dynamic memory errors. In Proceedings of the ACM SIGPLAN 1996 conference on Programming language design and implementation, 1996.

Digital Library

[12]

Fortify. http://www.fortifysoftware.com.

[13]

B. Hackett, M. Das, D. Wang, and Z. Yang. Modular checking for buffer overflows in the large. In Proceedings of the 28th international conference on Software engineering, 2006.

Digital Library

[14]

M. J. Harrold and M. L. Soffa. Efficient computation of interprocedural definition--use chains. ACM Transactions on Programming Languages and Systems, 1994.

Digital Library

[15]

S. Lu, Z. Li, F. Qin, L. Tan, P. Zhou, and Y. Zhou. Bugbench: Benchmarks for evaluating bug detection tools. In Proceedings of Workshop on the Evaluation of Software Defect Detection Tools, 2005.

[16]

R. Manevich, M. Sridharan, S. Adams, M. Das, and Z. Yang. PSE: explaining program failures via postmortem static analysis. In Proceedings of the 12th ACM SIGSOFT international symposium on Foundations of software engineering, 2004.

Digital Library

[17]

Microsoft. Phoenix: A software optimization and analysis framework. http://research.microsoft.com/phoenix/.

[18]

Microsoft. Prefast.http://www.microsoft.com/whdc/devtools/tools/prefast.mspx.

[19]

A. One. Smashing the stack for fun and profit. http://www.phrack.org/archives/49/P49--14.

[20]

M. Orlovich and R. Rugina. Memory leak analysis by contradiction. In Proceedings of the 13th International Static Analysis Symposium, 2006.

Digital Library

[21]

SecuriTeam. http://www.securiteam.com/.

[22]

D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of Network and Distributed System Security Symposium, 2000.

[23]

R. Wojtczuk. The advanced return--into-lib(c) exploits. http://www.phrack.org, 2001.

[24]

Y. Xie, A. Chou, and D. Engler. ARCHER: Using symbolic, path--sensitive analysis to detect memory access errors. In Proceedings of the 11th ACM SIGSOFT international symposium on Foundations of software engineering, 2003.

Digital Library

[25]

M. Zitser, R. Lippmann, and T. Leek. Testing static analysis tools using exploitable buffer overflows from open source code. In Proceedings of the 12th ACM SIGSOFT international symposium on Foundations of software engineering, 2004.

Digital Library

Cited By

Maas ANazaré HLiblit BLo DApel SKhurshid S(2016)Array length inference for C library bindingsProceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering10.1145/2970276.2970310(461-471)Online publication date: 25-Aug-2016
https://dl.acm.org/doi/10.1145/2970276.2970310
Mayr CZdun UDustdar S(2013)Enhancing traceability of persistent data access flows in process-driven SOAsDistributed and Parallel Databases10.1007/s10619-012-7102-631:1(1-45)Online publication date: 1-Mar-2013
https://dl.acm.org/doi/10.1007/s10619-012-7102-6
Sui YYe SXue JYew P(2011)SPASProceedings of the 9th Asian conference on Programming Languages and Systems10.1007/978-3-642-25318-8_14(155-171)Online publication date: 5-Dec-2011
https://dl.acm.org/doi/10.1007/978-3-642-25318-8_14
Show More Cited By

Index Terms

Refining buffer overflow detection via demand-driven path-sensitive analysis

Recommendations

Demand-driven context-sensitive alias analysis for Java
ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis

Software tools for program understanding, transformation, verification, and testing often require an efficient yet highly-precise alias analysis. Typically this is done by computing points-to information, from which alias queries can be answered. This ...
Demand-driven memory leak detection based on flow- and context-sensitive pointer analysis

We present a demand-driven approach to memory leak detection algorithm based on flow- and context-sensitive pointer analysis. The detection algorithm firstly assumes the presence of a memory leak at some program point and then runs a backward analysis to ...
Precise and scalable context-sensitive pointer analysis via value flow graph
ISMM '13: Proceedings of the 2013 international symposium on memory management

In this paper, we propose a novel method for context-sensitive pointer analysis using the value flow graph (VFG) formulation. We achieve context-sensitivity by simultaneously applying function cloning and computing context-free language reachability (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PASTE '07: Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering

June 2007

96 pages

ISBN:9781595935953

DOI:10.1145/1251535

General Chairs:
Manuvir Das
Center for Software Excellence, Microsoft Corp, USA
,
Dan Grossman
University of Washington, USA

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 June 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

PASTE07

Sponsor:

PASTE07: PASTE '07 - ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering

June 13 - 14, 2007

California, San Diego, USA

Acceptance Rates

Overall Acceptance Rate 57 of 159 submissions, 36%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
445
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)0

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Maas ANazaré HLiblit BLo DApel SKhurshid S(2016)Array length inference for C library bindingsProceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering10.1145/2970276.2970310(461-471)Online publication date: 25-Aug-2016
https://dl.acm.org/doi/10.1145/2970276.2970310
Mayr CZdun UDustdar S(2013)Enhancing traceability of persistent data access flows in process-driven SOAsDistributed and Parallel Databases10.1007/s10619-012-7102-631:1(1-45)Online publication date: 1-Mar-2013
https://dl.acm.org/doi/10.1007/s10619-012-7102-6
Sui YYe SXue JYew P(2011)SPASProceedings of the 9th Asian conference on Programming Languages and Systems10.1007/978-3-642-25318-8_14(155-171)Online publication date: 5-Dec-2011
https://dl.acm.org/doi/10.1007/978-3-642-25318-8_14
Ceara DMounier LPotet M(2010)Taint Dependency SequencesProceedings of the 2010 Third International Conference on Software Testing, Verification, and Validation Workshops10.1109/ICSTW.2010.28(371-380)Online publication date: 6-Apr-2010
https://dl.acm.org/doi/10.1109/ICSTW.2010.28
Le WSoffa MHarrold MMurphy G(2008)MarpleProceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering10.1145/1453101.1453137(272-282)Online publication date: 9-Nov-2008
https://dl.acm.org/doi/10.1145/1453101.1453137
Cifuentes CScholz BBlack PVenet A(2008)ParfaitProceedings of the 2008 workshop on Static analysis10.1145/1394504.1394505(4-11)Online publication date: 12-Jun-2008
https://dl.acm.org/doi/10.1145/1394504.1394505

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten