Certifying the Absence of Buffer Overflows

Abstract

Despite increased awareness and efforts to reduce buffer overflows, they continue to be the cause of most software vulnerabilities. In large part, these problems are due to the widespread use of unsafe library routines among programmers. For reasons of efficiency, such routines will continue to be used, even during the development of mission-critical and safety-critical software systems. Effective certification techniques are needed to ascertain whether unsafe routines are used in a safe manner. This report presents a technique for certifying the safety of buffer manipulations in C programs. The approach is based on two key ideas: (1) using a certifying model checker to automatically verify that a buffer manipulation is safe, and (2) validating the resulting invariant and proving it with a decision procedure based on Boolean satisfiability. The report also discusses the advantages and limitations of the approach with respect to today's existing solutions for buffer-overflow detection. Experimental results are presented that position the technique favorably against other static overflow-detection tools and indicate that the procedure can complement and augment these tools from a purely verification perspective.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Sep 01, 2006
Accession Number
ADA456867

Entities

People

  • Sagar Chaki
  • Scott A. Hissam

Organizations

  • Carnegie Mellon University

Tags

DTIC Thesaurus Topics

  • Abstracts
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computers
  • Construction
  • Debugging
  • Detection
  • Engineering
  • False Alarms
  • Information Science
  • Language
  • New York
  • Programming Languages
  • Software Development
  • Software Testing
  • Standards

Fields of Study

  • Computer science
  • Engineering

Readers

  • Cybersecurity.
  • Mathematical Modeling and Probability Theory.
  • Systems Analysis and Design