Formal Reasoning of Various Categories of Widely Exploited Security Vulnerabilities Using Pointer Taintedness Semantics

  • Shuo Chen
  • Karthik Pattabiraman
  • Zbigniew Kalbarczyk
  • Ravi K. Iyer
Conference paper
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 147)


This paper is motivated by a low-level analysis of various categories of severe security vulnerabilities, which indicates that a common characteristic of many classes of vulnerabilities is pointer taintedness. A pointer is said to be tainted if a user input can directly or indirectly be used as a pointer value. In order to reason about pointer taintedness, a memory model is needed. The main contribution of this paper is the formal definition of a memory model using equational logic, which is used to reason about pointer taintedness. The reasoning is applied to several library functions to extract security preconditions, which must be satisfied to eliminate the possibility of pointer taintedness. The results show that pointer taintedness analysis can expose different classes of security vulnerabilities, such as format string, heap corruption and buffer overflow vulnerabilities, leading us to believe that pointer taintedness provides a unifying perspective for reasoning about security vulnerabilities.
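As an added illustration (not the paper's own equational-logic definitions, which this page does not reproduce), the following toy Python memory model gives every cell a taint bit, lets a strcpy-like copy propagate taint byte by byte, and reports the moment a tainted cell is used as a pointer. The addresses, buffer size, the `str_copy` helper and the `precondition_holds` check are constructed for the example; they show how an overlong input turns a buffer overflow into pointer taintedness and what precondition prevents it.

```python
from dataclasses import dataclass, field


class PointerTaintedness(Exception):
    """Raised when a value derived from user input is dereferenced as a pointer."""


@dataclass
class Cell:
    value: int = 0
    tainted: bool = False          # True if user input reached this cell


@dataclass
class Memory:
    cells: dict = field(default_factory=dict)

    def load(self, addr: int) -> Cell:
        return self.cells.setdefault(addr, Cell())

    def store(self, addr: int, value: int, tainted: bool) -> None:
        self.cells[addr] = Cell(value, tainted)

    def deref(self, addr: int) -> Cell:
        """Use the contents of `addr` as a pointer: the model's vulnerability condition."""
        ptr = self.load(addr)
        if ptr.tainted:
            raise PointerTaintedness(f"tainted pointer {ptr.value:#x} loaded from {addr:#x}")
        return self.load(ptr.value)


def write_input(mem: Memory, base: int, data: bytes) -> None:
    for i, b in enumerate(data):           # everything from the user arrives tainted
        mem.store(base + i, b, True)


def str_copy(mem: Memory, dst: int, src: int) -> int:
    """strcpy-like copy up to and including NUL; taint follows each byte. Constructed helper."""
    i = 0
    while True:
        c = mem.load(src + i)
        mem.store(dst + i, c.value, c.tainted)
        if c.value == 0:
            return i
        i += 1


def precondition_holds(user_input: bytes, dst_size: int = 8) -> bool:
    return len(user_input) + 1 <= dst_size  # room for the bytes plus the terminator


def run_copy(user_input: bytes) -> str:
    """Copy user input into an 8-byte buffer that sits right before a trusted pointer."""
    mem = Memory()
    DST, FPTR, SRC, TARGET = 0x100, 0x108, 0x200, 0x300   # constructed layout
    mem.store(FPTR, TARGET, False)         # trusted pointer adjacent to the buffer
    mem.store(TARGET, 42, False)
    write_input(mem, SRC, user_input + b"\x00")
    str_copy(mem, DST, SRC)
    try:
        mem.deref(FPTR)                    # later use of the stored pointer
        return "safe"
    except PointerTaintedness:
        return "tainted"
```

With a 12-byte input the copy reaches the cell at 0x108, so the pointer stored there becomes tainted and the dereference is flagged; the precondition check rejects exactly those inputs.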

Key words

Security Vulnerability, Static Analysis, Program Semantics, Equational Logic, Pointer Taintedness


Copyright information

© IFIP International Federation for Information Processing 2004

Authors and Affiliations

  • Shuo Chen (1)
  • Karthik Pattabiraman (1)
  • Zbigniew Kalbarczyk (1)
  • Ravi K. Iyer (1)
  1. Center for Reliable and High-Performance Computing, Coordinated Science Laboratory, University of Illinois at Urbana-Champaign, Urbana, USA