ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors

Upload: emiko

Post on 03-Feb-2016



TRANSCRIPT

Page 1: ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors

ARCHER: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors

Yichen Xie, Andy Chou, and Dawson Engler
Computer Systems Laboratory

Stanford University
Stanford, CA 94305, U.S.A.

Wei Tao 5070379106

Page 2

Authors

Yichen Xie

Stanford University

Page 3

Authors

Andy Chou

Page 4

Authors

Dawson Engler

Associate Professor, Computer Science and Electrical Engineering, Gates Building 3A-314, 353 Serra Mall, Stanford University

Page 5

Authors

Page 6

Problem

Memory Access Errors

Page 7

Introduction

ARCHER (ARray CHeckER):

No annotations needed.

Speed.

Few false positives.

Drawbacks.

Page 8

Introduction

Key features:

Interprocedural

Fully symbolic

Path sensitive

Context sensitive

Aware of pointer aliases for buffers

Page 9

Overview

The core of ARCHER consists of three pieces:

a translator

a traversal module

a solver

Page 10

Overview

Page 11

Implementation

Page 12

Implementation

Page 13

Results


Page 18

Thank you!