Paper Appeared in 10th CCS
Posted 20 November 2003
The paper Buffer Overrun Detection using Linear Programming and Static Analysis by Vinod Ganapathy and Somesh Jha of the WiSA Project and David Chandler, David Melski, and David Vitek of Grammatech, Inc appeared in the 10th ACM Conference on Computer and Communications Security. This year's annual conference was held in Washington, DC, in October 2003. Vinod presented the paper at the conference.
This paper addresses the issue of identifying buffer overrun vulnerabilities by statically analyzing C source code. The authors demonstrate a light-weight analysis based on modeling C string manipulations as a linear program. They also present fast, scalable solvers based on linear programming, and demonstrate techniques to make the program analysis context sensitive. Based on these techniques, They built a prototype and used it to identify several vulnerabilities in popular security critical applications.
