Statically detecting likely buffer overflow vulnerabilities
作者: David Larochelle , David Evans
DOI:
关键词: Static checking 、 Stack buffer overflow 、 Computer science 、 Static analysis 、 Distributed computing 、 Embedded system 、 Exploit 、 Compiler 、 Source code 、 Buffer overflow
摘要: Buffer overflow attacks may be today's single most important security threat. This paper presents a new approach to mitigating buffer vulnerabilities by detecting likely through an analysis of the program source code. Our exploits information provided in semantic comments and uses lightweight efficient static analyses. describes implementation our that extends LCLint annotation-assisted checking tool. tool is as fast compiler nearly easy use. We present experience using detect two security-sensitive programs.
index-of.es
harvard.edu
acm.org 参考文章(36)
Eric A. Brewer, David Wagner, Ian Goldberg, Randi Thomas, A secure environment for untrusted helper applications confining the Wily Hacker usenix security symposium. pp. 1- 1 ,(1996)
Perry Wagle, Calton Pu, Steve Beattie, Crispin Cowan, Ryan Finnin Day, Erik Walthinsen, Protecting Systems from Stack Smashing Attacks with StackGuard ,(1999)
John Mchugh, Towards the Generation of Efficient Code from Verified Programs The University of Texas at Austin. ,(1983)
Jamie Stark, Andrew Ireland, Invariant Discovery via Failed Proof Attempts logic-based program synthesis and transformation. pp. 271- 288 ,(1998) , 10.1007/3-540-48958-4_15
Navjot Singh, Arash Baratloo, Timothy Tsai, Transparent run-time defense against stack smashing attacks usenix annual technical conference. pp. 21- 21 ,(2000)
Nurit Dor, Michael Rodeh, Mooly Sagiv, Cleanness Checking of String Manipulations in C Programs via Integer Analysis static analysis symposium. pp. 194- 212 ,(2001) , 10.1007/3-540-47764-0_12
John V. Guttag, David E. Evans, Policy-directed code safety Massachusetts Institute of Technology. ,(2000)
Eric A. Brewer, Alexander Aiken, David A. Wagner, Jeffrey S. Foster, A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. network and distributed system security symposium. ,(2000)
John V. Guttag, James J. Horning, Larch: Languages and Tools for Formal Specification ,(1993)
David Santo Orcero, The Code Analyser LCLint Linux Journal. ,vol. 2000, pp. 2- ,(2000)