
Journal in Computer Virology, Volume 4, Issue 1, pp 5–23

Static analysis by abstract interpretation: application to the detection of heap overflows

  • Xavier Allamigeon
  • Charles Hymans

SSTIC 2007 Best Academic Papers

Abstract

Several security flaws are the consequence of the presence of programming errors or bugs in software. Heap overflow is the typical example of such errors that allows an attacker to take control of a machine. But considering the growing size and complexity of present software, implementing programs without any error is not an easy task. In this paper, we present a static analysis by abstract interpretation that is focused on security properties: without executing the program, it ensures the absence of any heap overflows.
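The abstract describes the method only at a high level, so here is an added illustration of what "static analysis by abstract interpretation" means for heap overflows. This is not the paper's analyzer (which targets real C programs and is far more precise); it is a toy abstract interpreter, constructed for this page, that uses the simplest numerical domain, intervals, over a small made-up language with `alloc`, `store` and `while`. It never executes the program: it computes, for every write into a heap buffer, an over-approximation of the set of possible indices and the set of possible buffer sizes, and raises an alarm unless every index is provably inside every size. Loops are handled by fixpoint iteration with widening, which is what makes the analysis terminate. All names (`Interval`, `analyze`, `counted_loop`, the statement tuples) are this example's own.

```python
"""Toy abstract interpreter (interval domain) that checks heap-buffer writes.
Constructed toy language, not C:
  ("assign", var, expr)             var = expr
  ("alloc", buf, expr)              buf = malloc(expr)   -- size in elements
  ("store", buf, expr)              buf[expr] = ...      -- the checked write
  ("while", (var, op, expr), body)  op is "<" or "<="
  expr: int | str (variable) | ("+", e1, e2) | ("-", e1, e2)
"""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class Interval:
    """Abstract value: every integer in [lo, hi]; lo may be -inf, hi may be +inf."""
    lo: float
    hi: float

    def __repr__(self):
        return f"[{self.lo}, {self.hi}]"

    def join(self, o):  # least upper bound: over-approximates the union of two paths
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def widen(self, o):  # a bound that is still moving jumps to infinity, so that
        return Interval(self.lo if o.lo >= self.lo else -INF,  # loop iteration stops
                        self.hi if o.hi <= self.hi else INF)


TOP = Interval(-INF, INF)  # no information: any value is possible


def eval_expr(expr, env):
    """Abstract evaluation of expr in env (variable name -> Interval)."""
    if isinstance(expr, int):
        return Interval(expr, expr)
    if isinstance(expr, str):
        return env.get(expr, TOP)  # never assigned, e.g. program input
    op, a, b = expr
    x, y = eval_expr(a, env), eval_expr(b, env)
    if op == "+":
        return Interval(x.lo + y.lo, x.hi + y.hi)
    return Interval(x.lo - y.hi, x.hi - y.lo)


def filter_cond(env, cond, holds):
    """Refine env assuming `var op expr` is true (holds) or false; None = unreachable."""
    if env is None:
        return None
    var, op, expr = cond
    x, e = env.get(var, TOP), eval_expr(expr, env)
    if holds:  # var < e  ==> var <= e.hi - 1 ;  var <= e ==> var <= e.hi
        new = Interval(x.lo, min(x.hi, e.hi - (1 if op == "<" else 0)))
    else:      # !(var < e) ==> var >= e.lo ;  !(var <= e) ==> var >= e.lo + 1
        new = Interval(max(x.lo, e.lo + (0 if op == "<" else 1)), x.hi)
    return None if new.lo > new.hi else {**env, var: new}


def merge(a, b, op):
    """Pointwise join or widening of two states; an unassigned variable is TOP."""
    if a is None or b is None:
        return a if b is None else b
    return {v: op(a.get(v, TOP), b.get(v, TOP)) for v in a.keys() | b.keys()}


def analyze(program, env, alarms):
    """Abstractly execute program from env; returns the exit state (None if
    unreachable) and appends one alarm per write that may be out of bounds."""
    for stmt in program:
        if env is None:
            return None
        kind = stmt[0]
        if kind == "assign":
            env = {**env, stmt[1]: eval_expr(stmt[2], env)}
        elif kind == "alloc":
            env = {**env, f"size({stmt[1]})": eval_expr(stmt[2], env)}
        elif kind == "store":
            idx, size = eval_expr(stmt[2], env), env.get(f"size({stmt[1]})", TOP)
            if not (0 <= idx.lo and idx.hi < size.lo):  # sound: all indices below all sizes
                alarms.append(f"possible heap overflow: {stmt[1]}[{idx}] with size {size}")
        elif kind == "while":
            cond, body = stmt[1], stmt[2]
            head = env  # abstract state at the loop head
            while True:  # ascending iteration with widening until the invariant is stable
                body_out = analyze(body, filter_cond(head, cond, True), [])
                new_head = merge(head, merge(env, body_out, Interval.join), Interval.widen)
                if new_head == head:
                    break
                head = new_head
            analyze(body, filter_cond(head, cond, True), alarms)  # report on the invariant
            env = filter_cond(head, cond, False)                   # loop exit branch
    return env


def counted_loop(op):
    """n = 16; buf = malloc(n); for (i = 0; i op n; i++) buf[i] = ...;"""
    return [("assign", "n", 16), ("alloc", "buf", "n"), ("assign", "i", 0),
            ("while", ("i", op, "n"),
             [("store", "buf", "i"), ("assign", "i", ("+", "i", 1))])]


# Size comes from an unassigned variable (think: untrusted input): nothing is provable.
UNKNOWN_SIZE = [("alloc", "buf", "n"), ("store", "buf", ("-", "n", 1))]


def check(program):
    """Analyze from the empty state; returns (exit state, alarms)."""
    alarms = []
    return analyze(program, {}, alarms), alarms
```

Running `check(counted_loop("<"))` proves the loop safe: after widening the loop-head invariant is `i` in [0, +inf], the guard refines it to [0, 15] inside the body, and 15 is below the size 16. `check(counted_loop("<="))` is the classic off-by-one: the body sees `i` in [0, 16], 16 is not below 16, and one alarm is raised. `check(UNKNOWN_SIZE)` shows the soundness trade-off the abstract refers to: when the size is unknown the analyzer cannot prove anything and reports a possible overflow rather than staying silent, which is exactly why such an analysis guarantees the absence of overflows only at the price of false alarms on imprecise programs.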

Keywords

Control Point, Model Check, Memory State, Convex Polyhedron, Abstract Interpretation (keywords generated by machine, not supplied by the authors)


Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

  1. EADS Innovation Works, SE/CS, Suresnes, France
  2. CEA, LIST MeASI, Gif-sur-Yvette, France
