Precise Compositional Buffer Overflow Detection via Heap Disjointness
Pages 63 - 75
Abstract
Static analysis techniques for buffer overflow detection still struggle with being scalable for millions of lines of code, while being precise enough to have an acceptable false positive rate. The checking of buffer overflow necessitates reasoning about the heap reachability and numerical relations, which are mutually dependent. Existing techniques to resolve the dependency cycle either sacrifice precision or efficiency due to their limitations in reasoning about symbolic heap location, i.e., heap location with possibly symbolic numerical offsets. A symbolic heap location potentially aliases a large number of other heap locations, leading to a disjunction of heap states that is particularly challenging to reason precisely. Acknowledging the inherent difficulties in heap and numerical reasoning, we introduce a disjointness assumption into the analysis by shrinking the program state space so that all the symbolic locations involved in memory accesses are disjoint from each other. The disjointness property permits strong updates to be performed at symbolic heap locations, significantly improving the precision by incorporating numerical information in heap reasoning. Also, it aids in the design of a compositional analysis to boost scalability, where compact and precise function summaries are efficiently generated and reused. We implement the idea in the static buffer overflow detector Cod. When applying it to large, real-world software such as PHP and QEMU, we have uncovered 29 buffer overflow bugs with a false positive rate of 37%, while projects of millions of lines of code can be successfully analyzed within four hours.
References
[1]
2022. The Clang Static Analyzer. https://clang-analyzer.llvm.org/ Online; accessed 28-July-2022.
[2]
Domagoj Babic and Alan J. Hu. 2008. Calysto: Scalable and Precise Extended Static Checking. In Proceedings of the 30th International Conference on Software Engineering (ICSE ’08). Association for Computing Machinery, New York, NY, USA. 211–220. isbn:9781605580791 https://doi.org/10.1145/1368088.1368118
[3]
Al Bessey, Ken Block, Ben Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Commun. ACM, 53, 2 (2010), Feb., 66–75. issn:0001-0782 https://doi.org/10.1145/1646353.1646374
[4]
Sam Blackshear, Bor-Yuh Evan Chang, and Manu Sridharan. 2013. Thresher: Precise Refutations for Heap Reachability. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’13). Association for Computing Machinery, New York, NY, USA. 275–286. isbn:9781450320146 https://doi.org/10.1145/2491956.2462186
[5]
Sam Blackshear, Nikos Gorogiannis, Peter W. O’Hearn, and Ilya Sergey. 2018. RacerD: Compositional Static Race Detection. Proc. ACM Program. Lang., 2, OOPSLA (2018), Article 144, oct, 28 pages. https://doi.org/10.1145/3276514
[6]
Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérome Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, and Xavier Rival. 2003. A Static Analyzer for Large Safety-Critical Software. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI ’03). Association for Computing Machinery, New York, NY, USA. 196–207. isbn:1581136625 https://doi.org/10.1145/781131.781153
[7]
Guillaume Brat, Jorge A. Navas, Nija Shi, and Arnaud Venet. 2014. IKOS: A Framework for Static Analysis Based on Abstract Interpretation. In Software Engineering and Formal Methods, Dimitra Giannakopoulou and Gwen Salaün (Eds.). Springer International Publishing, Cham. 271–277. isbn:978-3-319-10431-7
[8]
Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI’08). USENIX Association, USA. 209–224.
[9]
Cristiano Calcagno and Dino Distefano. 2011. Infer: An Automatic Program Verifier for Memory Safety of C Programs. In NASA Formal Methods, Mihaela Bobaru, Klaus Havelund, Gerard J. Holzmann, and Rajeev Joshi (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 459–465. isbn:978-3-642-20398-5
[10]
Cristiano Calcagno, Dino Distefano, Peter O’Hearn, and Hongseok Yang. 2009. Compositional Shape Analysis by Means of Bi-Abduction. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’09). Association for Computing Machinery, New York, NY, USA. 289–300. isbn:9781605583792 https://doi.org/10.1145/1480881.1480917
[11]
Supratik Chakraborty, Ashutosh Gupta, and Divyesh Unadkat. 2017. Verifying array manipulating programs by tiling. In International Static Analysis Symposium. 428–449.
[12]
Marek Chalupa, Vincent Mihalkovič, Anna Řechtáčková, Lukáš Zaoral, and Jan Strejček. 2022. Symbiotic 9: String Analysis and Backward Symbolic Execution with Loop Folding. In Tools and Algorithms for the Construction and Analysis of Systems, Dana Fisman and Grigore Rosu (Eds.). Springer International Publishing, Cham. 462–467. isbn:978-3-030-99527-0
[13]
Marek Chalupa and Jan Strejček. 2021. Backward Symbolic Execution with Loop Folding. In Static Analysis: 28th International Symposium, SAS 2021, Chicago, IL, USA, October 17–19, 2021, Proceedings. Springer-Verlag, Berlin, Heidelberg. 49–76. isbn:978-3-030-88805-3 https://doi.org/10.1007/978-3-030-88806-0_3
[14]
Bor-Yuh Evan Chang and Xavier Rival. 2013. Modular Construction of Shape-Numeric Analyzers. In Semantics, Abstract Interpretation, and Reasoning about Programs: Essays Dedicated to David A. Schmidt on the Occasion of his Sixtieth Birthday, Manhattan, Kansas, USA, 19-20th September 2013, Anindya Banerjee, Olivier Danvy, Kyung-Goo Doh, and John Hatcliff (Eds.) (EPTCS, Vol. 129). 161–185. https://doi.org/10.4204/EPTCS.129.11
[15]
Bor-Yuh Evan Chang, Xavier Rival, and George C. Necula. 2007. Shape Analysis with Structural Invariant Checkers. In Static Analysis, Hanne Riis Nielson and Gilberto Filé (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 384–401. isbn:978-3-540-74061-2
[16]
Ramkrishna Chatterjee, Barbara G Ryder, and William A Landi. 1999. Relevant context inference. In Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 133–146.
[17]
Patrick Cousot and Radhia Cousot. 1977. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’77). Association for Computing Machinery, New York, NY, USA. 238–252. isbn:9781450373500 https://doi.org/10.1145/512950.512973
[18]
Patrick Cousot, Radhia Cousot, and Francesco Logozzo. 2011. A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis. SIGPLAN Not., 46, 1 (2011), jan, 105–118. issn:0362-1340 https://doi.org/10.1145/1925844.1926399
[19]
Patrick Cousot and Nicolas Halbwachs. 1978. Automatic Discovery of Linear Restraints among Variables of a Program. In Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’78). Association for Computing Machinery, New York, NY, USA. 84–96. isbn:9781450373487 https://doi.org/10.1145/512760.512770
[20]
Isil Dillig, Thomas Dillig, and Alex Aiken. 2008. Sound, Complete and Scalable Path-Sensitive Analysis. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’08). Association for Computing Machinery, New York, NY, USA. 270–280. isbn:9781595938602 https://doi.org/10.1145/1375581.1375615
[21]
Isil Dillig, Thomas Dillig, and Alex Aiken. 2010. Fluid Updates: Beyond Strong vs. Weak Updates. In Proceedings of the 19th European Conference on Programming Languages and Systems (ESOP’10). Springer-Verlag, Berlin, Heidelberg. 246–266. isbn:3-642-11956-5, 978-3-642-11956-9
[22]
Isil Dillig, Thomas Dillig, and Alex Aiken. 2010. Symbolic heap abstraction with demand-driven axiomatization of memory invariants. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA ’10). ACM, New York, NY, USA. 397–410. isbn:978-1-4503-0203-6
[23]
Isil Dillig, Thomas Dillig, Alex Aiken, and Mooly Sagiv. 2011. Precise and compact modular procedure summaries for heap manipulating programs. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’11). ACM, New York, NY, USA. 567–577. isbn:978-1-4503-0663-8
[24]
Dino Distefano, Manuel Fähndrich, Francesco Logozzo, and Peter W O’Hearn. 2019. Scaling static analyses at Facebook. Commun. ACM, 62, 8 (2019), 62–70.
[25]
Manuel Fähndrich and Francesco Logozzo. 2011. Static Contract Checking with Abstract Interpretation. In Formal Verification of Object-Oriented Software, Bernhard Beckert and Claude Marché (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 10–30. isbn:978-3-642-18070-5
[26]
Pietro Ferrara. 2014. Generic Combination of Heap and Value Analyses in Abstract Interpretation. In Verification, Model Checking, and Abstract Interpretation, Kenneth L. McMillan and Xavier Rival (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 302–321. isbn:978-3-642-54013-4
[27]
Zhoulai Fu. 2014. Modularly Combining Numeric Abstract Domains with Points-to Analysis, and a Scalable Static Numeric Analyzer for Java. In Verification, Model Checking, and Abstract Interpretation, Kenneth L. McMillan and Xavier Rival (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 282–301. isbn:978-3-642-54013-4
[28]
Vinod Ganapathy, Somesh Jha, David Chandler, David Melski, and David Vitek. 2003. Buffer Overrun Detection Using Linear Programming and Static Analysis. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03). Association for Computing Machinery, New York, NY, USA. 345–354. isbn:1581137389 https://doi.org/10.1145/948109.948155
[29]
Vijay Ganesh and David L. Dill. 2007. A Decision Procedure for Bit-Vectors and Arrays. In Computer Aided Verification, Werner Damm and Holger Hermanns (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 519–531. isbn:978-3-540-73368-3
[30]
Isabel Garcia-Contreras, Arie Gurfinkel, and Jorge A. Navas. 2022. Efficient Modular SMT-Based Model Checking of Pointer Programs. In Static Analysis, Gagandeep Singh and Caterina Urban (Eds.). Springer Nature Switzerland, Cham. 227–246. isbn:978-3-031-22308-2
[31]
Denis Gopan, Thomas Reps, and Mooly Sagiv. 2005. A Framework for Numeric Analysis of Array Operations. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’05). Association for Computing Machinery, New York, NY, USA. 338–350. isbn:158113830X https://doi.org/10.1145/1040305.1040333
[32]
Nikos Gorogiannis, Peter W. O’Hearn, and Ilya Sergey. 2019. A True Positives Theorem for a Static Race Detector. Proc. ACM Program. Lang., 3, POPL (2019), Article 57, jan, 29 pages. https://doi.org/10.1145/3290370
[33]
Bhargav S Gulavani, Supratik Chakraborty, Ganesan Ramalingam, and Aditya V Nori. 2009. Bottom-up shape analysis. In International Static Analysis Symposium. 188–204.
[34]
Arie Gurfinkel, Temesghen Kahsai, Anvesh Komuravelli, and Jorge A. Navas. 2015. The SeaHorn Verification Framework. In Computer Aided Verification, Daniel Kroening and Corina S. Păsăreanu (Eds.). Springer International Publishing, Cham. 343–361. isbn:978-3-319-21690-4
[35]
Arie Gurfinkel and Jorge A Navas. 2019. Automatic Program Verification with SEAHORN. In Engineering Secure and Dependable Software Systems. IOS Press, 83–111.
[36]
Nicolas Halbwachs and Mathias Péron. 2008. Discovering Properties about Arrays in Simple Programs. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’08). Association for Computing Machinery, New York, NY, USA. 339–348. isbn:9781595938602 https://doi.org/10.1145/1375581.1375623
[37]
Vini Kanvar and Uday P. Khedker. 2016. Heap Abstractions for Static Analysis. ACM Comput. Surv., 49, 2 (2016), Article 29, jun, 47 pages. issn:0360-0300 https://doi.org/10.1145/2931098
[38]
Sarfraz Khurshid, Corina S. Păsăreanu, and Willem Visser. 2003. Generalized Symbolic Execution for Model Checking and Testing. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’03). Springer-Verlag, Berlin, Heidelberg. 553–568. isbn:3540008985
[39]
Se-Won Kim, Xavier Rival, and Sukyoung Ryu. 2018. A Theoretical Foundation of Sensitivity in an Abstract Interpretation Framework. ACM Trans. Program. Lang. Syst., 40, 3 (2018), Article 13, aug, 44 pages. issn:0164-0925 https://doi.org/10.1145/3230624
[40]
Yoonseok Ko and Hakjoo Oh. 2023. Learning to Boost Disjunctive Static Bug-Finders.
[41]
Anvesh Komuravelli, Nikolaj Bjorner, Arie Gurfinkel, and Kenneth L. Mcmillan. 2015. Compositional verification of procedural programs using horn clauses over integers and arrays. In 2015 Formal Methods in Computer-Aided Design (FMCAD). 89–96. https://doi.org/10.1109/FMCAD.2015.7542257
[42]
C. Lattner and V. Adve. 2004. LLVM: a compilation framework for lifelong program analysis amp; transformation. In International Symposium on Code Generation and Optimization, 2004. CGO 2004. 75–86. https://doi.org/10.1109/CGO.2004.1281665
[43]
Chris Lattner, Andrew Lenharth, and Vikram Adve. 2007. Making Context-Sensitive Points-to Analysis with Heap Cloning Practical for the Real World. SIGPLAN Not., 42, 6 (2007), jun, 278–289. issn:0362-1340 https://doi.org/10.1145/1273442.1250766
[44]
Quang Loc Le, Azalea Raad, Jules Villard, Josh Berdine, Derek Dreyer, and Peter W. O’Hearn. 2022. Finding Real Bugs in Big Programs with Incorrectness Logic. Proc. ACM Program. Lang., 6, OOPSLA1 (2022), Article 81, apr, 27 pages. https://doi.org/10.1145/3527325
[45]
Wei Le and Mary Lou Soffa. 2008. Marple: A Demand-Driven Path-Sensitive Buffer Overflow Detector. In Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of Software Engineering (SIGSOFT ’08/FSE-16). Association for Computing Machinery, New York, NY, USA. 272–282. isbn:9781595939951 https://doi.org/10.1145/1453101.1453137
[46]
Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu. 2012. SAFE: Formal specification and implementation of a scalable analysis framework for ECMAScript. In FOOL 2012: 19th International Workshop on Foundations of Object-Oriented Languages. 96.
[47]
Huisong Li, Francois Berenger, Bor-Yuh Evan Chang, and Xavier Rival. 2017. Semantic-Directed Clumping of Disjunctive Abstract States. SIGPLAN Not., 52, 1 (2017), jan, 32–45. issn:0362-1340 https://doi.org/10.1145/3093333.3009881
[48]
Lian Li, Cristina Cifuentes, and Nathan Keynes. 2010. Practical and Effective Symbolic Analysis for Buffer Overflow Detection. In Proceedings of the Eighteenth ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE ’10). Association for Computing Machinery, New York, NY, USA. 317–326. isbn:9781605587912 https://doi.org/10.1145/1882291.1882338
[49]
Lian Li, Cristina Cifuentes, and Nathan Keynes. 2011. Boosting the Performance of Flow-Sensitive Points-to Analysis Using Value Flow. In Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (ESEC/FSE ’11). Association for Computing Machinery, New York, NY, USA. 343–353. isbn:9781450304436 https://doi.org/10.1145/2025113.2025160
[50]
Jiangchao Liu and Xavier Rival. 2015. Abstraction of arrays based on non contiguous partitions. In International Workshop on Verification, Model Checking, and Abstract Interpretation. 282–299.
[51]
V Benjamin Livshits and Monica S Lam. 2003. Tracking pointers with path and context sensitivity for bug detection in C programs. In Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering. 317–326.
[52]
Bill McCloskey, Thomas Reps, and Mooly Sagiv. 2010. Statically Inferring Complex Heap, Array, and Numeric Invariants. In Static Analysis, Radhia Cousot and Matthieu Martel (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg. 71–99. isbn:978-3-642-15769-1
[53]
Hakjoo Oh, Kihong Heo, Wonchan Lee, Woosuk Lee, and Kwangkeun Yi. 2012. Design and Implementation of Sparse Global Analyses for C-like Languages. In Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’12). Association for Computing Machinery, New York, NY, USA. 229–238. isbn:9781450312059 https://doi.org/10.1145/2254064.2254092
[54]
Peter W. O’Hearn. 2019. Incorrectness Logic. Proc. ACM Program. Lang., 4, POPL (2019), Article 10, dec, 32 pages. https://doi.org/10.1145/3371078
[55]
OpenSSL. 2022. OpenSSL Security Advisory [01 November 2022]. https://www.openssl.org/news/secadv/20221101.txt Online; accessed 7-Nov-2022.
[56]
David M Perry, Andrea Mattavelli, Xiangyu Zhang, and Cristian Cadar. 2017. Accelerating array constraints in symbolic execution. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis. 68–78.
[57]
Zvonimir Rakamarić and Michael Emmi. 2014. SMACK: Decoupling Source Language Details from Verifier Implementations. In Computer Aided Verification, Armin Biere and Roderick Bloem (Eds.). Springer International Publishing, Cham. 106–113. isbn:978-3-319-08867-9
[58]
J.C. Reynolds. 2002. Separation logic: a logic for shared mutable data structures. In Proceedings 17th Annual IEEE Symposium on Logic in Computer Science. 55–74. https://doi.org/10.1109/LICS.2002.1029817
[59]
Xavier Rival and Laurent Mauborgne. 2007. The Trace Partitioning Abstract Domain. ACM Trans. Program. Lang. Syst., 29, 5 (2007), Aug., 26–es. issn:0164-0925 https://doi.org/10.1145/1275497.1275501
[60]
Mooly Sagiv, Thomas Reps, and Reinhard Wilhelm. 1998. Solving Shape-Analysis Problems in Languages with Destructive Updating. ACM Trans. Program. Lang. Syst., 20, 1 (1998), jan, 1–50. issn:0164-0925 https://doi.org/10.1145/271510.271517
[61]
Mooly Sagiv, Thomas Reps, and Reinhard Wilhelm. 2002. Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst., 24, 3 (2002), May, 217–298. issn:0164-0925
[62]
Kostya Serebryany. 2017. OSS-Fuzz - Google’ s continuous fuzzing service for open source software. USENIX Association, Vancouver, BC.
[63]
M Sharir and A Pnueli. 1978. Two approaches to interprocedural data flow analysis. New York Univ. Comput. Sci. Dept., New York, NY. https://cds.cern.ch/record/120118
[64]
Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, and Charles Zhang. 2018. Pinpoint: Fast and Precise Sparse Value Flow Analysis for Million Lines of Code. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2018). Association for Computing Machinery, New York, NY, USA. 693–706. isbn:9781450356985 https://doi.org/10.1145/3192366.3192418
[65]
Ziqi Shuai, Zhenbang Chen, Yufeng Zhang, Jun Sun, and Ji Wang. 2021. Type and Interval Aware Array Constraint Solving for Symbolic Execution. In Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021). Association for Computing Machinery, New York, NY, USA. 361–373. isbn:9781450384599 https://doi.org/10.1145/3460319.3464826
[66]
Yannis Smaragdakis and George Balatsouras. 2015. Pointer Analysis. Found. Trends Program. Lang., 2, 1 (2015), apr, 1–69. issn:2325-1107 https://doi.org/10.1561/2500000014
[67]
Manu Sridharan and Rastislav Bodík. 2006. Refinement-based context-sensitive points-to analysis for Java. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation. 387–400.
[68]
Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang, and Anders Møller. 2019. Static Analysis with Demand-Driven Value Refinement. Proc. ACM Program. Lang., 3, OOPSLA (2019), Article 140, oct, 29 pages. https://doi.org/10.1145/3360566
[69]
Yulei Sui, Ding Ye, and Jingling Xue. 2012. Static Memory Leak Detection Using Full-Sparse Value-Flow Analysis. In Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012). Association for Computing Machinery, New York, NY, USA. 254–264. isbn:9781450314541 https://doi.org/10.1145/2338965.2336784
[70]
Synopsys. 2020. The heartbleed bug. https://heartbleed.com/ Online; accessed 7-Nov-2022.
[71]
David A Wagner, Jeffrey S Foster, Eric A Brewer, and Alexander Aiken. 2000. A first step towards automated detection of buffer overrun vulnerabilities. In NDSS. 20, 0.
[72]
Robert P. Wilson and Monica S. Lam. 1995. Efficient Context-Sensitive Pointer Analysis for C Programs. SIGPLAN Not., 30, 6 (1995), jun, 1–12. issn:0362-1340 https://doi.org/10.1145/223428.207111
[73]
Yichen Xie and Alex Aiken. 2005. Scalable Error Detection Using Boolean Satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’05). Association for Computing Machinery, New York, NY, USA. 351–363. isbn:158113830X https://doi.org/10.1145/1040305.1040334
[74]
Yichen Xie and Alex Aiken. 2005. Scalable Error Detection Using Boolean Satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’05). Association for Computing Machinery, New York, NY, USA. 351–363. isbn:158113830X https://doi.org/10.1145/1040305.1040334
[75]
Yichen Xie, Andy Chou, and Dawson Engler. 2003. ARCHER: Using Symbolic, Path-Sensitive Analysis to Detect Memory Access Errors. In Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE-11). Association for Computing Machinery, New York, NY, USA. 327–336. isbn:1581137435 https://doi.org/10.1145/940071.940115
[76]
Guoqing Xu and Atanas Rountev. 2008. Merging equivalent contexts for scalable heap-cloning-based context-sensitive points-to analysis. In Proceedings of the 2008 international symposium on Software testing and analysis. 225–236.
[77]
He Zhu, Stephen Magill, and Suresh Jagannathan. 2018. A Data-Driven CHC Solver. In Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2018). Association for Computing Machinery, New York, NY, USA. 707–721. isbn:9781450356985 https://doi.org/10.1145/3192366.3192416
Index Terms
- Precise Compositional Buffer Overflow Detection via Heap Disjointness
Recommendations
Filtering false alarms of buffer overflow analysis using SMT solvers
Buffer overflow detection using static analysis can provide a powerful tool for software programmers to find difficult bugs in C programs. Sound static analysis based on abstract interpretation, however, often suffers from false alarm problem. Although ...
Precise flow-insensitive may-alias analysis is NP-hard
Determining aliases is one of the foundamental static analysis problems, in part because the precision with which this problem is solved can affect the precision of other analyses such as live variables, available expressions, and constant propagation. ...
Refining buffer overflow detection via demand-driven path-sensitive analysis
PASTE '07: Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineeringAlthough static analysis is an important technique for detecting buffer overflow before software deployment, current static tools rely on considerable human effort for annotating code to help analysis, or for diagnosing warnings, many of which are false ...
Comments
Information & Contributors
Information
Published In
September 2024
1928 pages
Copyright © 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 11 September 2024
Check for updates
Badges
Distinguished Paper
Author Tags
Qualifiers
- Research-article
Conference
ISSTA '24
Sponsor:
ISSTA '24: 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
September 16 - 20, 2024
Vienna, Austria
Acceptance Rates
Overall Acceptance Rate 58 of 213 submissions, 27%
Upcoming Conference
ISSTA '25
- Sponsor:
- sigsoft
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 122Total Downloads
- Downloads (Last 12 months)122
- Downloads (Last 6 weeks)18
Reflects downloads up to 31 Dec 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in