Analyzing String Buffers in C

  • Axel Simon
  • Andy King
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2422)


A buffer overrun occurs in a C program when input whose length exceeds that of the buffer is read into it. Overruns often lead to crashes and are a widespread form of security vulnerability. This paper describes an analysis for detecting overruns before deployment which is conservative in the sense that it locates every possible buffer overrun. The paper details the subtle relationship between overrun analysis and pointer analysis and explains how buffers can be modeled with a linear number of variables. As far as we know, the paper gives the first formal account of how this software and security problem can be tackled with abstract interpretation, setting it on a firm, mathematical basis.
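To make the abstract's two ideas concrete, a conservative (over-approximating) analysis and a buffer modeled by a constant number of abstract variables rather than one per byte, here is a toy straight-line analyzer added as an illustration; it is not the paper's analysis, its abstract domain (intervals over the index of the first NUL byte) and its tiny instruction set (`decl`, `literal`, `fgets`, `gets`, `strcpy`, `strcat`) are assumptions chosen for the example.

```python
"""Toy conservative string-buffer analysis (added illustration, not the
paper's own domain). Each buffer is abstracted by its fixed size plus an
interval [lo, hi] over-approximating the index of its first NUL byte, so a
buffer costs O(1) abstract variables. An operation is reported as a possible
overrun whenever the upper bound says the data might not fit."""
INF = float("inf")

class Buf:
    def __init__(self, size, lo, hi):
        self.size = size          # bytes allocated for the buffer
        self.lo, self.hi = lo, hi  # bounds on the index of the first NUL

def analyze(program):
    """Interpret (op, *args) tuples over the abstract state and return the
    (line, op) pairs that may overrun. Uninitialised memory gets [0, INF],
    i.e. it may contain no NUL at all, which is the conservative choice."""
    env, warnings = {}, []
    for line, (op, *args) in enumerate(program, 1):
        if op == "decl":                       # char name[size]; uninitialised
            env[args[0]] = Buf(args[1], 0, INF)
        elif op == "literal":                  # char name[] = "text";
            env[args[0]] = Buf(len(args[1]) + 1, len(args[1]), len(args[1]))
        elif op == "fgets":                    # fgets(name, n, f): <= n-1 bytes + NUL
            b, n = env[args[0]], args[1]
            b.lo, b.hi = 0, n - 1
            if n > b.size:
                warnings.append((line, op))
        elif op == "gets":                     # unbounded input: never safe
            b = env[args[0]]
            b.lo, b.hi = 0, INF
            warnings.append((line, op))
        elif op == "strcpy":                   # needs src NUL index + 1 bytes
            dst, src = env[args[0]], env[args[1]]
            if src.hi + 1 > dst.size:
                warnings.append((line, op))
            dst.lo, dst.hi = src.lo, src.hi
        elif op == "strcat":                   # new NUL lands at dst.nul + src.nul
            dst, src = env[args[0]], env[args[1]]
            lo, hi = dst.lo + src.lo, dst.hi + src.hi
            if hi + 1 > dst.size:
                warnings.append((line, op))
            dst.lo, dst.hi = lo, hi
    return warnings

# Constructed sample program: lines 4 and 10 may overrun, the rest cannot.
SAMPLE = [("decl", "line", 16), ("fgets", "line", 16), ("decl", "small", 8),
          ("strcpy", "small", "line"), ("literal", "tag", "id:"),
          ("decl", "out", 32), ("strcpy", "out", "tag"), ("strcat", "out", "line"),
          ("decl", "big", 64), ("gets", "big")]
```

Running `analyze(SAMPLE)` reports the `strcpy` into the 8-byte buffer and the `gets` call; note that the `strcat` is accepted only because both operands were bounded first, which is the kind of reasoning a byte-per-variable model cannot afford on large programs.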







Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Axel Simon (1)
  • Andy King (1)
  1. Computing Laboratory, University of Kent, Canterbury, UK
