Static analysis by abstract interpretation: application to the detection of heap overflows

  • SSTIC 2007 Best Academic Papers
  • Journal in Computer Virology

Abstract

Many security flaws are the consequence of programming errors (bugs) in software. Heap overflow is the typical example of such an error: it allows an attacker to take control of a machine. Given the growing size and complexity of present-day software, however, writing programs without any error is not an easy task. In this paper, we present a static analysis by abstract interpretation that is focused on security properties: without executing the program, it ensures the absence of heap overflows.
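To make the abstract's claim concrete, here is an added toy abstract interpreter over the classic interval domain of Cousot and Cousot; it is a constructed illustration written for this page, not the analyser of Allamigeon and Hymans, and the statement language, the program names (SAFE, OFF_BY_ONE, VARIABLE_SIZE) and the `analyze` function are all assumptions of the example. It shows the two properties that matter for a security-oriented static analysis: soundness (a loop is summarised by an over-approximating invariant obtained by widening, so an access is reported unless every concrete index is provably inside the allocation) and the price of abstraction (when the allocation size and the index both vary, a non-relational domain forgets that `i < n` and raises an alarm it cannot discharge).

```python
# Added illustration: a toy abstract interpreter over the interval domain that
# checks every heap store against the bounds of its allocation.  Constructed
# example; it is not the analyser described in the paper.
from __future__ import annotations
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    """Abstract value: every integer in [lo, hi]; bounds may be -inf / +inf."""
    lo: float
    hi: float

    def join(self, other: Interval) -> Interval:
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other: Interval) -> Interval:
        # A bound that is still moving jumps to infinity so loops converge.
        return Interval(self.lo if other.lo >= self.lo else -inf,
                        self.hi if other.hi <= self.hi else inf)

    def shift(self, c: int) -> Interval:
        return Interval(self.lo + c, self.hi + c)

    def is_empty(self) -> bool:
        return self.lo > self.hi


def as_interval(state: dict, v) -> Interval:
    """A loop bound or allocation size is a variable name or an integer literal."""
    return state[v] if isinstance(v, str) else Interval(v, v)


def guard_true(x: Interval, op: str, b: Interval) -> Interval:
    """Narrow x assuming `x op b` holds (op is '<' or '<=')."""
    return Interval(x.lo, min(x.hi, b.hi - 1 if op == "<" else b.hi))


def guard_false(x: Interval, op: str, b: Interval) -> Interval:
    """Narrow x assuming `x op b` fails, i.e. x >= b or x > b."""
    return Interval(max(x.lo, b.lo if op == "<" else b.lo + 1), x.hi)


def run(prog, state, bufs, warnings):
    """Abstract execution of a statement list (toy language, see comments below)."""
    for stmt in prog:
        kind = stmt[0]
        if kind == "set":                         # x = c
            state[stmt[1]] = Interval(stmt[2], stmt[2])
        elif kind == "input":                     # x = untrusted value in [lo, hi]
            state[stmt[1]] = Interval(stmt[2], stmt[3])
        elif kind == "add":                       # x = y + c
            state[stmt[1]] = state[stmt[2]].shift(stmt[3])
        elif kind == "malloc":                    # b = malloc(size)
            bufs[stmt[1]] = as_interval(state, stmt[2])
        elif kind == "store":                     # b[x] = ...  (the checked access)
            b, x = stmt[1], stmt[2]
            idx, size = state[x], bufs[b]
            # Sound check: safe only if every concrete index satisfies 0 <= idx < size.
            if idx.lo < 0 or idx.hi >= size.lo:
                warnings.append(f"possible heap overflow: {b}[{x}] with {x} in "
                                f"[{idx.lo}, {idx.hi}] and size in [{size.lo}, {size.hi}]")
        elif kind == "loop":                      # while (x op bound) { body }
            _, x, op, bound, body = stmt
            head = dict(state)                    # candidate invariant at the loop head
            body_warnings = []
            while True:
                body_warnings = []
                inside = dict(head)
                inside[x] = guard_true(head[x], op, as_interval(head, bound))
                if inside[x].is_empty():
                    break                         # body unreachable
                run(body, inside, bufs, body_warnings)
                # Join the state after one more iteration and widen; variables
                # first defined inside the body are dropped at the head.
                nxt = {v: head[v].widen(head[v].join(inside[v])) for v in head}
                if nxt == head:
                    break                         # post-fixpoint: head is an invariant
                head = nxt
            warnings.extend(body_warnings)        # alarms from the stable iteration only
            state.clear()
            state.update(head)
            state[x] = guard_false(head[x], op, as_interval(head, bound))


def analyze(program) -> list[str]:
    """Return the list of accesses the analysis cannot prove in bounds."""
    state, bufs, warnings = {}, {}, []
    run(program, state, bufs, warnings)
    return warnings


# Constructed toy programs (not taken from the paper).
SAFE = [("malloc", "buf", 16), ("set", "i", 0),
        ("loop", "i", "<", 16, [("store", "buf", "i"), ("add", "i", "i", 1)])]
OFF_BY_ONE = [("malloc", "buf", 16), ("set", "i", 0),
              ("loop", "i", "<=", 16, [("store", "buf", "i"), ("add", "i", "i", 1)])]
# Size and index both vary: intervals cannot keep the relation i < n, so the
# store is flagged even though it is safe (a false alarm, not a missed bug).
VARIABLE_SIZE = [("input", "n", 1, 100), ("malloc", "buf", "n"), ("set", "i", 0),
                 ("loop", "i", "<", "n", [("store", "buf", "i"), ("add", "i", "i", 1)])]

if __name__ == "__main__":
    for name, prog in [("SAFE", SAFE), ("OFF_BY_ONE", OFF_BY_ONE), ("VARIABLE_SIZE", VARIABLE_SIZE)]:
        print(name, analyze(prog) or "no alarm: proven free of heap overflows")
```

Running the block reports nothing for SAFE, one alarm for OFF_BY_ONE (the index reaches 16 while the allocation holds 16 elements) and one alarm for VARIABLE_SIZE. The last case is the design point: an interval domain never misses an overflow, but discharging accesses whose index and size are related requires a relational abstract domain (octagons or polyhedra), which is why analysers of this kind trade precision against cost in the choice of domain.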



Author information

Corresponding author

Correspondence to Xavier Allamigeon.

Additional information

This work has been partly supported by the project “Usine Logicielle du pôle System@tic Paris-Région.” This paper won the SSTIC 2007 Best Technical Paper Prize.


About this article

Cite this article

Allamigeon, X., Hymans, C. Static analysis by abstract interpretation: application to the detection of heap overflows. J Comput Virol 4, 5–23 (2008). https://doi.org/10.1007/s11416-007-0063-z
