Detecting Leaks of Sensitive Data Due to Stale Reads

Abstract

Overview. Problem addressed: Leaks of sensitive stale data from a re-used buffer. Approach: Heuristic-driven dynamic analysis for detecting reads that may be accessing stale sensitive data. Results: Our dynamic analyses for C and Java can detect and stop Heartbleed (OpenSSL) and JetLeak (Jetty). Evidence for attaining reasonably low false-positive rate (currently 0.2 alarms / kLOC for GNU Coreutils on its test suite). Staleness (unlike out-of-bounds access) is not a mechanically defined property; it refers on developer intent.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2018
Accession Number
AD1084333

Entities

Organizations

  • Carnegie Mellon University

Tags

DTIC Thesaurus Topics

  • Application Software
  • Compilers
  • Computer Programming
  • Computer Programs
  • Copyrights
  • Demographic Cohorts
  • Department Of Defense
  • Engineering
  • Governments
  • Guarantees
  • Instrumentation
  • Language
  • Materials
  • Metadata
  • Object Code
  • Production
  • Software Development
  • Transient Response Analysis
  • Trees (Data Structures)
  • Universities

Readers

  • Inertial Navigation Systems.
  • Parallel and Distributed Computing.
  • Regression Analysis.