Modeling and Analyzing the Interaction of C and C++ Strings

  • Gogul Balakrishnan
  • Naoto Maeda
  • Sriram Sankaranarayanan
  • Franjo Ivančić
  • Aarti Gupta
  • Rakesh Pothengil
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7421)


Strings are commonly used in a large variety of software. And yet, they are a common source of bugs involving invalid memory accesses arising due to the misuse of the string manipulation API. Such bugs are often remotely exploitable, leading to severe consequences. Therefore, static detection of invalid memory accesses due to string operations has received much attention, especially for C programs that use the standard C library functions. More recently, software is increasingly being developed in object-oriented languages such as C++ and Java. However, the need to interact with legacy C code and C-based system-level APIs often necessitates the use of a mixed programming paradigm that combines features of high-level object-oriented constructs with calls to standard C library functions. While such programs are commonplace, there has been little research on static analysis of such programs. In this paper, we present memory models for C++ programs that are heap-aware, with an emphasis on modeling dynamically allocated memory, use of null-terminated string buffers, C++ Standard Template Library (STL) classes, and the interactions among these features. We use standard verification techinques such as abstract interpretation and model checking to verify properties over these models to find potential bugs. Our tool can find several previously unknown bugs in open-source projects. These bugs are primarily due to the subtle interactions of the intricate C++ programming model with legacy C string API.


Model Check Abstract Interpretation String Length Bound Model Check Memory Region 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Coverity Inc. program verifier,
  2. 2.
  3. 3.
    PolySpace program analysis tool,
  4. 4.
    Allamigeon, X., Godard, W., Hymans, C.: Static Analysis of String Manipulations in Critical Embedded C Programs. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 35–51. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Babić, D., Hu, A.J.: Structural Abstraction of Software Verification Conditions. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 366–378. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Ball, T., Majumdar, R., Millstein, T., Rajamani, S.: Automatic predicate abstraction of C programs. In: PLDI 2001, pp. 203–213. ACM Press (2001)Google Scholar
  7. 7.
    Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic Model Checking without BDDs. In: Cleaveland, W.R. (ed.) TACAS 1999. LNCS, vol. 1579, pp. 193–207. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  8. 8.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: PLDI, vol. 548030, pp. 196–207. ACM Press (June 2003)Google Scholar
  9. 9.
    Boyapati, C., Lee, R., Rinard, M.C.: Ownership types for safe programming: preventing data races and deadlocks. In: OOPSLA, pp. 211–230 (2002)Google Scholar
  10. 10.
    Chatterjee, S., Lahiri, S.K., Qadeer, S., Rakamarić, Z.: A Reachability Predicate for Analyzing Low-Level Software. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 19–33. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Christensen, A., Møller, A., Schwartzbach, M.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Clarke, D.G., Potter, J., Noble, J.: Ownership types for flexible alias protection. In: OOPSLA, pp. 48–64 (1998)Google Scholar
  13. 13.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-Guided Abstraction Refinement. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 154–169. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  14. 14.
    Clarke, E., Kroning, D., Lerda, F.: A Tool for Checking ANSI-C Programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: 2nd Intl. Symp. on Programming, Dunod, France, pp. 106–130 (1976)Google Scholar
  16. 16.
    Cousot, P., Cousot, R.: Abstract Interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252. ACM (1977)Google Scholar
  17. 17.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among the variables of a program. In: POPL, pp. 84–97. ACM (January 1978)Google Scholar
  18. 18.
    Cowan, C., Wagle, P., Pu, C., Beattie, S., Walpole, J.: Buffer overflows: Attacks and defenses for the vulnerability of the decade. In: Proc. DARPA Information Survivability Conference and Expo. (DISCEX). IEEE (1999)Google Scholar
  19. 19.
    Das, M.: Unleashing the Power of Static Analysis. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 1–2. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: PLDI, pp. 57–68. ACM Press (2002)Google Scholar
  21. 21.
    Dillig, I., Dillig, T., Aiken, A.: Precise reasoning for programs using containers. In: POPL, pp. 187–200. ACM (2011)Google Scholar
  22. 22.
    Dor, N., Rodeh, M., Sagiv, M.: CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In: Proc. PLDI. ACM Press (2003)Google Scholar
  23. 23.
    Heine, D.L., Lam, M.S.: A practical flow-sensitive and context-sensitive C and C++ memory leak detector. In: PLDI, pp. 168–181. ACM (2003)Google Scholar
  24. 24.
    Henzinger, T., Jhala, R., Majumdar, R., Sutre, G.: Lazy abstraction. In: POPL, pp. 58–70. ACM (2002)Google Scholar
  25. 25.
    Ivančić, F., Balakrishnan, G., Gupta, A., Sankaranarayanan, S., Maeda, N., Tokuoka, H., Imoto, T., Miyazaki, Y.: DC2: A framework for scalable, scope-bounded software verification. In: ASE (2011)Google Scholar
  26. 26.
    Ivančić, F., Shlyakhter, I., Gupta, A., Ganai, M., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: ICCD, pp. 297–308. IEEE (2005)Google Scholar
  27. 27.
    Kurshan, R.: Computer-aided Verification of Coordinating Processes: the automata-theoretic approach. Princeton University Press (1994)Google Scholar
  28. 28.
    Miné, A.: A New Numerical Abstract Domain Based on Difference-Bound Matrices. In: Danvy, O., Filinski, A. (eds.) PADO II. LNCS, vol. 2053, pp. 155–172. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  29. 29.
    Miné, A.: The octagon abstract domain. In: AST 2001 in WCRE 2001, IEEE, pp. 310–319. IEEE CS Press (October 2001)Google Scholar
  30. 30.
    Moy, Y.: Automatic Modular Static Safety Checking for C Programs. PhD thesis, Université Paris-Sud (January 2009)Google Scholar
  31. 31.
    Necula, G.C., McPeak, S., Rahul, S.P., Weimer, W.: CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs. In: CC 2002. LNCS, vol. 2304, pp. 213–228. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  32. 32.
    Prabhu, P., Maeda, N., Balakrishnan, G., Ivančić, F., Gupta, A.: Interprocedural Exception Analysis for C++. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 583–608. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  33. 33.
    Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In: PLDI, pp. 182–195. ACM (2000)Google Scholar
  34. 34.
    Shao, D., Khurshid, S., Perry, D.E.: An Incremental Approach to Scope-Bounded Checking Using a Lightweight Formal Method. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 757–772. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  35. 35.
    Simon, A., King, A.: Analyzing String Buffers in C. In: Kirchner, H., Ringeissen, C. (eds.) AMAST 2002. LNCS, vol. 2422, pp. 365–379. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  36. 36.
    Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proc. Network and Distributed Systems Security Conference, pp. 3–17. ACM Press (2000)Google Scholar
  37. 37.
    Yang, J., Balakrishnan, G., Maeda, N., Ivančić, F., Gupta, A., Sinha, N., Sankaranarayanan, S., Sharma, N.: Object Model Construction for Inheritance in C++ and Its Applications to Program Analysis. In: O’Boyle, M. (ed.) CC 2012. LNCS, vol. 7210, pp. 144–164. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  38. 38.
    Yu, F., Alkhalaf, M., Bultan, T.: Stranger: An Automata-Based String Analysis Tool for PHP. In: Esparza, J., Majumdar, R. (eds.) TACAS 2010. LNCS, vol. 6015, pp. 154–157. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Gogul Balakrishnan
    • 1
  • Naoto Maeda
    • 2
  • Sriram Sankaranarayanan
    • 3
  • Franjo Ivančić
    • 1
  • Aarti Gupta
    • 1
  • Rakesh Pothengil
    • 4
  1. 1.NEC Laboratories AmericaPrincetonUSA
  2. 2.NEC CorporationKanagawaJapan
  3. 3.University of ColoradoBoulderUSA
  4. 4.NEC HCL STNoidaIndia

Personalised recommendations