Method and system for detecting vulnerabilities in source code
Patent 7240332 Issued on July 3, 2007. Estimated Expiration Date: April 15, 2024. Estimated Expiration Date is calculated based on simple USPTO term provisions. It does not account for terminal disclaimers, term adjustments, failure to pay maintenance fees, or other factors which might affect the term of a patent.
717/126, Program verification; 717/125, Having interactive or visual; 726/25, Vulnerability assessment; 717/127, Monitoring program execution; 717/137, Source-to-source programming language translation
A method and system of detecting vulnerabilities in source code. Source code is parsed into an intermediate representation. Models (e.g., in the form of lattices) are derived for the variables in the code and for the variables and/or expressions used in conjunction with routine calls. The models are then analyzed in conjunction with pre-specified rules about the routines to determine if the routine call possesses one or more pre-selected vulnerabilities.
Other References
Brian V. Chess, “Improving Computer Security Using Extended Static Checking,” Proceedings of the IEEE Symposium on Security and Privacy, May 2002, (14 pages).
Eric Haugh and Matt Bishop, “Testing C Programs for Buffer Overflow Vulnerabilities,” Proceedings of the 2003 Symposium on Networked and Distributed System Security (SNDSS 2003), Feb. 2003, (8 pages).
David Larochelle and David Evans, “Statically Detecting Likely Buffer Overflow Vulnerabilities,” Proceedings of the 2001 USENIX Security Symposium, Aug. 2001, (13 pages).
Umesh Shankar, et al., “Detecting Format String Vulnerabilities with Type Qualifiers,” Proceedings of the 10th USENIX Security Symposium, Aug. 2001, (16 pages).
John Viega, et al., “ITS4: A Static Vulnerability Scanner for C and C++ Code,” 16th Annual Computer Security Applications Conference, 2000, (11 pages).
David Wagner, et al., “A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities,” Proceedings of the Network and Distributed System Security Symposium, Feb. 2000, (15 pages).
David Evans and David Larochelle, “Improving Security Using Extensible Lightweight Static Analysis,” IEEE Software, vol. 19, issue 1, Jan.-Feb. 2002, pp. 42-51.
“Splint Manual,” Version 3.0.6, Feb. 11, 2002, University of Virginia, pp. 1-119.
Ashcraft, et al., “Using Programmer-Written Compiler Extensions to Catch Security Holes”, IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
Bush, et al., “A Static Analyzer for Finding Dynamic Programming Errors”, Software—Practice and Experience, vol. 30, No. 7, 2000.
Dor, et al., “Cleanness Checking of String Manipulations in C Programs via Integer Analysis”, 8th International Symposium on Static Analysis (SAS), pp. 194-212, Jul. 2001.
Dor, et al., “CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C”, PLDI '03, Jun. 9-11, 2003, San Diego, California.
Foster, et al., “A Theory of Type Qualifiers”, Programming Language Design and Implementation (PLDI'99), pp. 192-203, Atlanta, GA, May 1999.
Ganapathy, et al., “Buffer Overrun Detection Using Linear Programming and Static Analysis”, CCS '03, Oct. 27-30, 2003, Washington, DC.
Larus, et al., “Righting Software”, IEEE Software, May/Jun. 2004, pp. 92-100.
Lhee, et al., “Type-Assisted Dynamic Buffer Overflow Detection”, 11th USENIX Security Symposium, pp. 81-88, Aug. 2002.
Simon, et al., “Analyzing String Buffers in C”, International Conference on Algebraic Methodology and Software Technology, vol. 2422 of Lecture Notes in Computer Science (H. Kirchner and C. Ringeissen, Eds.) (Springer), pp. 365-379, Sep. 2002.
Rugina, et al., “Symbolic Bounds Analysis of Pointers, Array Indices, and Accessed Memory Regions”, ACM Transactions on Programming Languages and Systems, vol. 27, No. 2, pp. 185-234, 2005.
Xie, et al., “Archer: Using Symbolic, Path-sensitive Analysis to Detect Memory Access Errors”, ESEC/FSE '03, Sep. 1-5, 2003, Helsinki, Finland.
Xu, et al., “An Efficient and Backwards-Compatible Transformation to Ensure Memory Safety of C Programs”, SIGSOFT '04/FSE-12, Oct. 31-Nov. 6, 2004, Newport Beach, CA.