ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors
Yichen Xie, Andy Chou, and Dawson Engler
Computer Systems Laboratory, Stanford University, Stanford, CA 94305, U.S.A.
Wei Tao, 5070379106
Authors
Yichen Xie, Stanford University
Andy Chou
Dawson Engler, Associate Professor of Computer Science and Electrical Engineering, Gates Building 3A-314, 353 Serra Mall, Stanford University
Problem
Memory Access Errors
Introduction
ARCHER (ARray CHeckER):
No annotations needed.
Speed.
Few false positives.
Drawbacks.
Introduction
Key features:
Interprocedural
Fully symbolic
Path sensitive
Context sensitive
Aware of pointer aliases for buffers
Overview
The core of ARCHER consists of three pieces:
a translator
a traversal module
a solver
Implementation
Results
Thank you!