DOI: 10.1145/948109.948155
Article

Buffer overrun detection using linear programming and static analysis

Published: 27 October 2003

Abstract

This paper addresses the issue of identifying buffer overrun vulnerabilities by statically analyzing C source code. We demonstrate a lightweight analysis based on modeling C string manipulations as a linear program. We also present fast, scalable solvers based on linear programming, and demonstrate techniques to make the program analysis context sensitive. Based on these techniques, we built a prototype and used it to identify several vulnerabilities in popular security-critical applications.

Published In

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
October 2003
374 pages
ISBN: 1581137389
DOI: 10.1145/948109

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. buffer overruns
  2. linear programming
  3. static analysis

Qualifiers

  • Article

Conference

CCS03

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%