Author:
Milena Vujosevic-Janicic
Affiliation:
Faculty of Mathematics, University of Belgrade, Serbia
Keyword(s):
C programming language, buffer overflow, static analysis, automated bug detection.
Related Ontology Subjects/Areas/Topics:
Languages and Compilers; Programming Languages; Software Engineering
Abstract:
We consider the problem of buffer overflows in C programs. This problem is very important because buffer overflows are suitable targets for security attacks and sources of serious program misbehavior. Buffer overflow bugs can be detected at run-time by dynamic analysis, and before run-time by static analysis. In this paper we present a new static, modular approach for automated detection of buffer overflows. Our approach is flow-sensitive and inter-procedural, and it deals with both statically and dynamically allocated buffers. Its architecture is flexible and pluggable — for instance, for checking the generated correctness and incorrectness conditions, it can use any external automated theorem prover that follows the SMT-LIB standard. The system uses an external and easily extendable knowledge database that stores all the reasoning rules, so they are not hard-coded within the system. We also report on our prototype implementation, the FADO tool, and on its experimental results.