Certifying the Absence of Buffer Overflows

Despite increased awareness and efforts to reduce buffer overflows, they continue to be the cause of most software vulnerabilities. In large part, these problems are due to the widespread use of unsafe library routines among programmers. For reasons like efficiency, such routines will continue to be used, even during the development of mission-critical and safety-critical software systems. Effective certification techniques are needed to ascertain whether unsafe routines are used in a safe manner.

This report presents a technique for certifying the safety of buffer manipulations in C programs. The approach is based on two key ideas: (1) using a certifying model checker to automatically verify that a buffer manipulation is safe and (2) validating the resulting invariant and proving it with a decision procedure based on Boolean satisfiability. This report also discusses the advantages and limitations of the approach with respect to today's existing solutions for buffer-overflow detection. Experimental results are presented that position the technique favorably against other static overflow-detection tools and indicate that the procedure can complement and augment these tools from a purely verification perspective.

PDF [231 KB]

Authors

Sagar Chaki

Scott Hissam

This report is related to the following area(s) of work:

Software Assurance

Technical Note
CMU/SEI-2006-TN-030
September 2006

Cite This Report

SEI:

Chaki, Sagar; & Hissam, Scott. Certifying the Absence of Buffer Overflows (CMU/SEI-2006-TN-030). Software Engineering Institute, Carnegie Mellon University, 2006. http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm

IEEE:

S. Chaki, and S. Hissam, "Certifying the Absence of Buffer Overflows," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2006-TN-030, 2006. http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm

APA:

Chaki, S., & Hissam, S. (2006). Certifying the Absence of Buffer Overflows (CMU/SEI-2006-TN-030). Retrieved May 26, 2013, from the Software Engineering Institute, Carnegie Mellon University website: http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm

CHI:

Chaki, Sagar, and Scott Hissam. Certifying the Absence of Buffer Overflows (CMU/SEI-2006-TN-030). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006. http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm

MLA:

Chaki, S., & Hissam, S. 2006. Certifying the Absence of Buffer Overflows (Technical Report CMU/SEI-2006-TN-030). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://www.sei.cmu.edu/library/abstracts/reports/06tn030.cfm

Find Us Here

Find us on Youtube  Find us on LinkedIn  Find us on twitter  Find us on Facebook

Share This Page

Share on Facebook  Send to your Twitter page  Save to del.ico.us  Save to LinkedIn  Digg this  Stumble this page.  Add to Technorati favorites  Save this page on your Google Home Page 

For more information

Contact Us

info@sei.cmu.edu

412-268-5800

Help us improve

Visitor feedback helps us continually improve our site.

Please tell us what you
think with this short
(< 5 minute) survey.