ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
CSSV: towards a realistic tool for statically detecting all buffer overflows in C
Full text PdfPdf (295 KB)
Source ACM SIGPLAN Notices archive
Volume 38 ,  Issue 5  (May 2003) table of contents
SESSION: Error detection and debugging I table of contents
Pages: 155 - 167  
Year of Publication: 2003
ISSN:0362-1340
Also published in ...
Authors
Nurit Dor  Tel-Aviv University
Michael Rodeh  IBM Research Lab in Haifa
Mooly Sagiv  Tel-Aviv University
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 13,   Downloads (12 Months): 75,   Citation Count: 41
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/780822.781149
What is a DOI?

ABSTRACT

Erroneous string manipulations are a major source of software defects in C programs yielding vulnerabilities which are exploited by software viruses. We present C String Static Verifyer (CSSV), a tool that statically uncovers all string manipulation errors. Being a conservative tool, it reports all such errors at the expense of sometimes generating false alarms. Fortunately, only a small number of false alarms are reported, thereby proving that statically reducing software vulnerability is achievable. CSSV handles large programs by analyzing each procedure separately. To this end procedure contracts are allowed which are verified by the tool.We implemented a CSSV prototype and used it to verify the absence of errors in real code from EADS Airbus. When applied to another commonly used string intensive application, CSSV uncovered real bugs with very few false alarms.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Todd M. Austin , Scott E. Breach , Gurindar S. Sohi, Efficient detection of all pointer and array access errors, Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation, p.290-301, June 20-24, 1994, Orlando, Florida, United States
2
Rastislav Bodík , Rajiv Gupta , Vivek Sarkar, ABCD: eliminating array bounds checks on demand, Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation, p.321-333, June 18-21, 2000, Vancouver, British Columbia, Canada
3
David R. Chase , Mark Wegman , F. Kenneth Zadeck, Analysis of pointers and structures, Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation, p.296-310, June 1990, White Plains, New York, United States
 
4
Brian Chess, Improving Computer Security Using Extended Static Checking, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.160, May 12-15, 2002
5
Jong-Deok Choi , Manish Gupta , Mauricio Serrano , Vugranam C. Sreedhar , Sam Midkiff, Escape analysis for Java, Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.1-19, November 01-05, 1999, Denver, Colorado, United States
6
Patrick Cousot , Nicolas Halbwachs, Automatic discovery of linear restraints among variables of a program, Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages, p.84-96, January 23-25, 1978, Tucson, Arizona  [doi>10.1145/512760.512770]
 
7
C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: attacks and defenses for the vulnerability of the decade. In In Proc. of the DARPA Information Survivability Conference and Expo, 1999.
8
Manuvir Das, Unification-based pointer analysis with directional assignments, Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation, p.35-46, June 18-21, 2000, Vancouver, British Columbia, Canada
 
9
Manuvir Das , Ben Liblit , Manuel Fähndrich , Jakob Rehof, Estimating the Impact of Scalable Pointer Analysis on Optimization, Proceedings of the 8th International Symposium on Static Analysis, p.260-278, July 16-18, 2001
10
Alain Deutsch, Interprocedural may-alias analysis for pointers: beyond k-limiting, Proceedings of the ACM SIGPLAN 1994 conference on Programming language design and implementation, p.230-241, June 20-24, 1994, Orlando, Florida, United States
 
11
Edsger Wybe Dijkstra, A Discipline of Programming, Prentice Hall PTR, Upper Saddle River, NJ, 1997
 
12
N. Dor. Statically Detecting All Buffer Overflows in C. PhD thesis, Univ. of Tel-Aviv, Israel, 2003. In preparation.
 
13
Nurit Dor , Michael Rodeh , Shmuel Sagiv, Cleanness Checking of String Manipulations in C Programs via Integer Analysis, Proceedings of the 8th International Symposium on Static Analysis, p.194-212, July 16-18, 2001
 
14
Cormac Flanagan , K. Rustan M. Leino, Houdini, an Annotation Assistant for ESC/Java, Proceedings of the International Symposium of Formal Methods Europe on Formal Methods for Increasing Software Productivity, p.500-517, March 12-16, 2001
15
Rakesh Ghiya , Daniel Lavery , David Sehr, On the importance of points-to analysis and other memory disambiguation methods for C programs, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.47-58, June 2001, Snowbird, Utah, United States
 
16
N. Halbwachs. Static Analysis of Linear Properties Invariantly Satisfied by the Numeric Variables of a program. PhD thesis, Grenoble University, 1979.
 
17
Nicolas Halbwachs , Yann-Erick Proy , Patrick Roumanoff, Verification of Real-Time Systems using Linear Relation Analysis, Formal Methods in System Design, v.11 n.2, p.157-185, Aug. 1997  [doi>10.1023/A:1008678014487]
18
Nevin Heintze , Olivier Tardieu, Ultra-fast aliasing analysis using CLA: a million lines of C code in a second, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.254-263, June 2001, Snowbird, Utah, United States
 
19
B. Jeannet. New polka library. Available at "http://www.irisa.fr/prive/Bertrand.Jeannet/newpolka.html".
 
20
Brian W. Kernighan , Dennis M. Ritchie, The C programming language, Prentice Hall Press, Upper Saddle River, NJ, 1989
21
Priyadarshan Kolte , Michael Wolfe, Elimination of redundant array subscript range checks, ACM SIGPLAN Notices, v.30 n.6, p.270-278, June 1995
 
22
William Alexander Landi, Interprocedural aliasing in the presence of pointers, Rutgers University, New Brunswick, NJ, 1992
 
23
D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In 10th USENIX Security Symposium, 2001.
 
24
Gary T. Leavens , Albert L. Baker, Enhancing the Pre- and Postcondition Technique for More Expressive Specifications, Proceedings of the Wold Congress on Formal Methods in the Development of Computing Systems-Volume II, p.1087-1106, September 20-24, 1999
 
25
Donglin Liang , Mary Jean Harrold, Efficient Computation of Parameterized Pointer Information for Interprocedural Analyses, Proceedings of the 8th International Symposium on Static Analysis, p.279-298, July 16-18, 2001
 
26
Alexey Loginov , Suan Hsi Yong , Susan Horwitz , Thomas W. Reps, Debugging via Run-Time Type Checking, Proceedings of the 4th International Conference on Fundamental Approaches to Software Engineering, p.217-232, April 02-06, 2001
27
Thomas J. Marlowe , Barbara G. Ryder, An efficient hybrid algorithm for incremental data flow analysis, Proceedings of the 17th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.184-196, December 1989, San Francisco, California, United States  [doi>10.1145/96709.96728]
 
28
B. Miller, D. Koski, C. Lee, V. Maganty, R. Murthy, A. Natarajan, and J. Steidl. Fuzz revisited: A re-examination of the reliability of Unix utilities and services, 1995. Available at http://www.cs.wisc.edu/˜bart/fuzz/fuzz.html.
 
29
Carroll Morgan, Programming from specifications, Prentice-Hall, Inc., Upper Saddle River, NJ, 1990
30
Eugene M. Myers, A precise inter-procedural data flow algorithm, Proceedings of the 8th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.219-230, January 26-28, 1981, Williamsburg, Virginia  [doi>10.1145/567532.567556]
 
31
Inc. Rational. Purify software. Available at "http://www.rational.com", 1995.
 
32
Microsoft Research. AST-toolkit. 2002.
33
Radu Rugina , Martin Rinard, Symbolic bounds analysis of pointers, array indices, and accessed memory regions, Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation, p.182-195, June 18-21, 2000, Vancouver, British Columbia, Canada
34
Barbara G. Ryder , William A. Landi , Philip A. Stocks , Sean Zhang , Rita Altucher, A schema for interprocedural modification side-effect analysis with pointer aliasing, ACM Transactions on Programming Languages and Systems (TOPLAS), v.23 n.2, p.105-186, March 2001  [doi>10.1145/383043.381532]
 
35
A. Simon and A. King. Analyzing string buffers in c. In International Conference on Algebraic Methodology and Software Technology, 2000.
36
Bjarne Steensgaard, Points-to analysis in almost linear time, Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.32-41, January 21-24, 1996, St. Petersburg Beach, Florida, United States  [doi>10.1145/237721.237727]
 
37
D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Symp. on Network and Distributed Systems Security, 2000.
 
38
G. Yorsh. CoreC: A Simplifier for C, 2002. http://www.cs.tau.ac.il/˜gretay/GFC.htm.

CITED BY  41
Yichen Xie , Andy Chou , Dawson Engler, ARCHER: using symbolic, path-sensitive analysis to detect memory access errors, ACM SIGSOFT Software Engineering Notes, v.28 n.5, September 2003
Divya Arora , Anand Raghunathan , Srivaths Ravi , Niraj K. Jha, Architectural support for safe software execution on embedded processors, Proceedings of the 4th international conference on Hardware/software codesign and system synthesis, October 22-25, 2006, Seoul, Korea
Wei Xu , Daniel C. DuVarney , R. Sekar, An efficient and backwards-compatible transformation to ensure memory safety of C programs, ACM SIGSOFT Software Engineering Notes, v.29 n.6, November 2004
Dinakar Dhurjati , Sumant Kowshik , Vikram Adve , Chris Lattner, Memory safety without garbage collection for embedded applications, ACM Transactions on Embedded Computing Systems (TECS), v.4 n.1, p.73-111, February 2005
Elena Gabriela Barrantes , David H. Ackley , Stephanie Forrest , Darko Stefanović, Randomized instruction set emulation, ACM Transactions on Information and System Security (TISSEC), v.8 n.1, p.3-40, February 2005
Andrew Ayers , Richard Schooler , Chris Metcalf , Anant Agarwal , Junghwan Rhee , Emmett Witchel, TraceBack: first fault diagnosis by reconstruction of distributed control flow, ACM SIGPLAN Notices, v.40 n.6, June 2005
Milena Milenković , Aleksandar Milenković , Emil Jovanov, Using instruction block signatures to counter code injection attacks, ACM SIGARCH Computer Architecture News, v.33 n.1, March 2005
Dan Hao , Ying Pan , Lu Zhang , Wei Zhao , Hong Mei , Jiasu Sun, A similarity-aware approach to testing based fault localization, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA
Milena Milenković , Aleksandar Milenković , Emil Jovanov, Hardware support for code integrity in embedded processors, Proceedings of the 2005 international conference on Compilers, architectures and synthesis for embedded systems, September 24-27, 2005, San Francisco, California, USA
Mihai Christodorescu , Nicholas Kidd , Wen-Han Goh, String analysis for x86 binaries, ACM SIGSOFT Software Engineering Notes, v.31 n.1, January 2006
Dinakar Dhurjati , Vikram Adve, Backwards-compatible array bounds checking for C with very low overhead, Proceeding of the 28th international conference on Software engineering, May 20-28, 2006, Shanghai, China
Dinakar Dhurjati , Sumant Kowshik , Vikram Adve, SAFECode: enforcing alias analysis for weakly typed languages, ACM SIGPLAN Notices, v.41 n.6, June 2006
Brian Demsky , Michael D. Ernst , Philip J. Guo , Stephen McCamant , Jeff H. Perkins , Martin Rinard, Inference and enforcement of data structure consistency specifications, Proceedings of the 2006 international symposium on Software testing and analysis, July 17-20, 2006, Portland, Maine, USA
Vinod Ganapathy , Somesh Jha , David Chandler , David Melski , David Vitek, Buffer overrun detection using linear programming and static analysis, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Rupak Majumdar , Ru-Gang Xu, Directed test generation using symbolic grammars, Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, November 05-09, 2007, Atlanta, Georgia, USA
Zachary Anderson , Eric Brewer , Jeremy Condit , Robert Ennals , David Gay , Matthew Harren , George C. Necula , Feng Zhou, Beyond bug-finding: sound program analysis for Linux, Proceedings of the 11th USENIX workshop on Hot topics in operating systems, p.1-6, May 07-09, 2007, San Diego, CA
Robert Clarisó , Jordi Cortadella, The octahedron abstract domain, Science of Computer Programming, v.64 n.1, p.115-139, January, 2007
Brian Hackett , Manuvir Das , Daniel Wang , Zhe Yang, Modular checking for buffer overflows in the large, Proceeding of the 28th international conference on Software engineering, May 20-28, 2006, Shanghai, China
Kumar Avijit , Prateek Gupta , Deepak Gupta, TIED, LibsafePlus: tools for runtime buffer overflow protection, Proceedings of the 13th conference on USENIX Security Symposium, p.4-4, August 09-13, 2004, San Diego, CA
Krutartha Patel , Sridevan Parameswaran , Seng Lin Shee, Ensuring secure program execution in multiprocessor embedded systems: a case study, Proceedings of the 5th IEEE/ACM international conference on Hardware/software codesign and system synthesis, September 30-October 03, 2007, Salzburg, Austria
Qi Gao , Feng Qin , Dhabaleswar K. Panda, DMTracker: finding bugs in large-scale parallel programs by detecting anomaly in data movements, Proceedings of the 2007 ACM/IEEE conference on Supercomputing, November 10-16, 2007, Reno, Nevada
David J. Pearce , Paul H. J. Kelly , Chris Hankin, Online Cycle Detection and Difference Propagation: Applications to Pointer Analysis, Software Quality Control, v.12 n.4, p.311-337, December 2004
Corneliu Popeea , Dana N. Xu , Wei-Ngan Chin, A practical and precise inference and specializer for array bound checks elimination, Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, January 07-08, 2008, San Francisco, California, USA
Ru-Gang Xu , Patrice Godefroid , Rupak Majumdar, Testing for buffer overflows with length abstraction, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Hilmi Ozdoganoglu , T. N. Vijaykumar , Carla E. Brodley , Benjamin A. Kuperman , Ankit Jalote, SmashGuard: A Hardware Solution to Prevent Security Attacks on the Function Return Address, IEEE Transactions on Computers, v.55 n.10, p.1271-1285, October 2006
Pietro Ferrara , Francesco Logozzo , Manuel Fähndrich, Safer unsafe code for .NET, ACM SIGPLAN Notices, v.43 n.10, September 2008
Krutartha Patel , Sri Parameswaran, SHIELD: a software hardware design methodology for security and reliability of MPSoCs, Proceedings of the 45th annual conference on Design automation, June 08-13, 2008, Anaheim, California
Thomas E. Hart , Marsha Chechik , David Lie, Security benchmarking using partial verification, Proceedings of the 3rd conference on Hot topics in security, p.1-6, July 29, 2008, San Jose, CA
Sumit Gulwani , Krishna K. Mehra , Trishul Chilimbi, SPEED: precise and efficient static estimation of program computational complexity, Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 21-23, 2009, Savannah, GA, USA
Sumit Gulwani , Tal Lev-Ami , Mooly Sagiv, A combination framework for tracking partition sizes, Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 21-23, 2009, Savannah, GA, USA
David J. Pearce , Paul H.J. Kelly , Chris Hankin, Efficient field-sensitive pointer analysis of C, ACM Transactions on Programming Languages and Systems (TOPLAS), v.30 n.1, p.4-es, November 2007
James Clause , Ioannis Doudalis , Alessandro Orso , Milos Prvulovic, Effective memory protection using dynamic tainting, Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, November 05-09, 2007, Atlanta, Georgia, USA
Franjo Ivani , Zijiang Yang , Malay K. Ganai , Aarti Gupta , Pranav Ashar, Efficient SAT-based bounded model checking for software verification, Theoretical Computer Science, v.404 n.3, p.256-274, September, 2008
Aleksandar Milenkovic , Milena Milenkovic , Emil Jovanov, An efficient runtime instruction block verification for secure embedded systems, Journal of Embedded Computing, v.2 n.1, p.57-76, January 2006
Dan Hao , Lu Zhang , Ying Pan , Hong Mei , Jiasu Sun, On similarity-awareness in testing-based fault localization, Automated Software Engineering, v.15 n.2, p.207-249, June 2008
Krutartha Patel , Sri Parameswaran, LOCS: a low overhead profiler-driven design flow for security of MPSoCs, Proceedings of the 6th IEEE/ACM/IFIP international conference on Hardware/Software codesign and system synthesis, October 19-24, 2008, Atlanta, GA, USA
Cristiano Calcagno , Dino Distefano , Peter O'Hearn , Hongseok Yang, Compositional shape analysis by means of bi-abduction, Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 21-23, 2009, Savannah, GA, USA
Divya Arora , Srivaths Ravi , Anand Raghunathan , Niraj K. Jha, Hardware-assisted run-time monitoring for secure program execution on embedded processors, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, v.14 n.12, p.1295-1308, December 2006
Santosh Nagarakatte , Jianzhou Zhao , Milo M.K. Martin , Steve Zdancewic, SoftBound: highly compatible and complete spatial memory safety for c, ACM SIGPLAN Notices, v.44 n.6, June 2009
Prateek Saxena , Pongsin Poosankam , Stephen McCamant , Dawn Song, Loop-extended symbolic execution on binary programs, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Danny Nebenzahl , Mooly Sagiv , Avishai Wool, Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks, IEEE Transactions on Dependable and Secure Computing, v.3 n.1, p.78, January 2006

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Assertion checkers

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.4 Software/Program Verification
          Subjects: Reliability; Validation

  F. Theory of Computation
  F.3 LOGICS AND MEANINGS OF PROGRAMS
      F.3.1 Specifying and Verifying and Reasoning about Programs
          Subjects: Pre- and post-conditions; Assertions
      F.3.2 Semantics of Programming Languages
          Subjects: Program analysis; Operational semantics


General Terms:
Algorithms, Experimentation, Languages, Reliability, Security, Verification


Keywords:
abstract interpretation, buffer overflow, contracts, error detection, static analysis

Collaborative Colleagues:
Nurit Dor: colleagues
Michael Rodeh: colleagues
Mooly Sagiv: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player