: Axel Simon
: Value-Range Analysis of C Programs Towards Proving the Absence of Buffer Overflow Vulnerabilities
: Springer-Verlag
: 9781848000179
: 1
: CHF 110.70
:
: Programmiersprachen
: English
: 302
: Wasserzeichen/DRM
: PC/MAC/eReader/Tablet
: PDF
Abu?erover?owoccur wheninputiswrittenintoamemory u?erthatisnot large enough to hold the input. Bu?er over?ows may allow a malicious person to gain control over a computer system in that a crafted input can trick the defectiveprogramintoexecuting odethatisencodedintheinputits lf.They are recognised as one of the most widespread forms of security vulnerability, and many workarounds, including new processor features, have been proposed to contain the threat. This book describes a static analysis that aims to prove the absence of bu?er over?ows in C programs. The analysis is conservative in the sense that it locates every possible over?ow. Furthermore, it is fully automatic in that it requires no user annotations in the input program. Thekeyideaoftheanalysisistoin erasymbolicstateforeachp- gram point that describes the possible variable valuations that can arise at that point. The program is correct if the inferred values for array indices and pointer o?sets lie within the bounds of the accessed bu?er. The symbolic state consists of a ?nite set of linear inequalities whose feasible points induce a convex polyhedron that represents an approximation to possible variable valuations. The book formally describes how program operations are mapped to operations on polyhedra and details how to limit the analysis to those p- tionsofstructuresandarraystha arerelevantforveri?cation.Wit respectto operations on string bu?ers, we demonstrate how to analyse C strings whose length is determined by anul character within the string.
Preface6
Target Audience7
Acknowledgments8
Contents9
Contributions14
List of Figures16
1 Introduction20
1.1 Technical Background21
1.2 Value-Range Analysis23
1.3 Analysing C25
1.4 Soundness26
1.5 Efficiency30
1.6 Completeness34
1.7 Related Tools37
2 A Semantics for C41
2.1 Core C41
2.2 Preliminaries46
2.3 The Environment46
2.4 Concrete Semantics50
2.5 Collecting Semantics55
2.6 Related Work60
Abstracting Soundly62
3 Abstract State Space63
3.1 An Introductory Example64
3.2 Points-to Analysis67
3.3 Numeric Domains72
4 Taming Casting and Wrapping87
4.1 Modelling the Wrapping of Integers88
4.2 A Language Featuring Finite Integer Arithmetic90
4.3 Polyhedral Analysis of Finite Integers92
4.4 Implicit Wrapping of Polyhedral Variables93
4.5 Explicit Wrapping of Polyhedral Variables94
4.6 An Abstract Semantics for Sub C99
4.7 Discussion102
5 Overlapping Memory Accesses and Pointers104
5.1 Memory as a Set of Fields104
5.2 Access Trees108
5.3 Mixing Values and Pointers115
5.4 Relating Concrete and Abstract Domains121
6 Abstract Semantics126
6.1 Expressions and Simple Assignments131
6.2 Assigning Structures133
6.3 Casting,133
136133
6.4 Inferring Fields Automatically138
Ensuring Efficiency140
7 Planar Polyhedra141
7.1 Operations on Inequalities143
7.2 Operations on Sets of Inequalities145
8 The TVPI Abstract Domain161
8.1 Principles of the TVPI Domain162
8.2 Reduced Product between Bounds and Inequalities166
8.3 Related Work177
9 The Integral TVPI Domain178
9.1 The Merit of Z-Polyhedra179
9.2 Harvey’s Integral Hull Algorithm181
9.3 Planar Z-Polyhedra and Closure190
9.4 Related Work195
10 Interfacing Analysis and Numeric Domain197
10.1 Separating Interval from Relational Information197
10.2 Inferring Relevant Fields and Addresses199
10.3 Applying Widening in Fixpoint Calculations204
Improving Precision207
11 Tracking String Lengths208
11.1 Manipulating Implicitly Terminated Strings209
11.2 Incorporating String Buffer Analysis220
11.3 Related Work224
12 Widening with Landmarks227
12.1 An Introduction to Widening/Narrowing227
12.2 Revisiting the Analysis of String Buffers230
12.3 Acquiring Landmarks236
12.4 Using Landmarks at a Widening Point237
12.5 Extrapolation Operator for Polyhedra239
12.6 Related Work241
13 Combining Points-to and Numeric Analyses244
13.1 Boolean Flags in the Numeric Domain246
13.2 Incorporating Boolean Flags into Points-to Sets250
13.3 Practical Implementation259
14 Implementation268
14.1 Technical Overview of the Analyser269
14.2 Managing Abstract Domains271
14.3 Calculating Fixpoints273
14.4 Limitations of the String Buffer Analysis280
14.5 Proposed Future Refinements285
15 Conclusion and Outlook286
Conclusion286
Outlook287
A Core C Example289
References292
Index304