Institutional Repository
| static analysis of format string vulnerabilities | |
| Han Wei; Ren Mengfei; Tian Shuo; Ding Liping; He Yeping | |
| 2011 | |
| 会议名称 | 1st ACIS International Symposium on Software and Network Engineering, SSNE 2011 |
| 会议录名称 | Proceedings - 1st ACIS International Symposium on Software and Network Engineering, SSNE 2011 |
| 页码 | 122-127 |
| 会议日期 | December 19, 2011 - December 20, 2011 |
| 会议地点 | Seoul, Korea, Republic of |
| 收录类别 | EI |
| ISBN | 9780769546315 |
| 部门归属 | (1) National Engineering Research Center for Fundamental Software Institute of Software Beijing China; (2) Graduate School Chinese Academy of Science Beijing China; (3) School of Information Science and Technology Shijiazhuang Tiedao University Hebei China; (4) International School of Software Wuhan University Hubei China |
| 摘要 | This paper presents a novel approach, based on static analysis, to detect format string vulnerabilities in C programs. Format string vulnerability is viewed as a finite state safety property. The analysis is expressed as a system of constraint describing how the safety state at one program point is related to the state at adjacent program points. Our analysis is inter-procedurally flow sensitive and intra-procedurally path sensitive. To avoid state space explosion in inter-procedural analysis, we use procedural summary instead of analyzing the called function holistically. The experimental results show that this method can effectively locate format string vulnerabilities in C programs. In comparison with other static approaches, ours can greatly reduce false positive. © 2011 IEEE.; This paper presents a novel approach, based on static analysis, to detect format string vulnerabilities in C programs. Format string vulnerability is viewed as a finite state safety property. The analysis is expressed as a system of constraint describing how the safety state at one program point is related to the state at adjacent program points. Our analysis is inter-procedurally flow sensitive and intra-procedurally path sensitive. To avoid state space explosion in inter-procedural analysis, we use procedural summary instead of analyzing the called function holistically. The experimental results show that this method can effectively locate format string vulnerabilities in C programs. In comparison with other static approaches, ours can greatly reduce false positive. © 2011 IEEE. |
| 关键词 | c (Programming Language) Safety Engineering |
| 主办者 | International Association for; Computer and Information Science (ACIS); Seoul National University |
| 语种 | 英语 |
| 内容类型 | 会议论文 |
| URI标识 | http://ir.iscas.ac.cn/handle/311060/16298 |
| 专题 | 中国科学院软件研究所 |
| 推荐引用方式 GB/T 7714 | Han Wei,Ren Mengfei,Tian Shuo,et al. static analysis of format string vulnerabilities[C],2011:122-127. |
| 条目包含的文件 | 条目无相关文件。 | |||||
除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。
修改评论