Abstract
Many security flaws are the consequence of programming errors or bugs in software. Heap overflow is the typical example of such an error, one that allows an attacker to take control of a machine. But given the growing size and complexity of present-day software, implementing programs without any error is not an easy task. In this paper, we present a static analysis by abstract interpretation that is focused on security properties: without executing the program, it ensures the absence of any heap overflow.
Additional information
This work has been partly supported by the project “Usine Logicielle du pôle System@tic Paris-Région.” This paper won the SSTIC 2007 Best Technical Paper Prize.
Cite this article
Allamigeon, X., Hymans, C. Static analysis by abstract interpretation: application to the detection of heap overflows. J Comput Virol 4, 5–23 (2008). https://doi.org/10.1007/s11416-007-0063-z