ISCAS OpenIR
static analysis of format string vulnerabilities
Han Wei; Ren Mengfei; Tian Shuo; Ding Liping; He Yeping
2011
会议名称1st ACIS International Symposium on Software and Network Engineering, SSNE 2011
会议录名称Proceedings - 1st ACIS International Symposium on Software and Network Engineering, SSNE 2011
页码122-127
会议日期December 19, 2011 - December 20, 2011
会议地点Seoul, Korea, Republic of
收录类别EI
ISBN9780769546315
部门归属(1) National Engineering Research Center for Fundamental Software Institute of Software Beijing China; (2) Graduate School Chinese Academy of Science Beijing China; (3) School of Information Science and Technology Shijiazhuang Tiedao University Hebei China; (4) International School of Software Wuhan University Hubei China
摘要This paper presents a novel approach, based on static analysis, to detect format string vulnerabilities in C programs. Format string vulnerability is viewed as a finite state safety property. The analysis is expressed as a system of constraint describing how the safety state at one program point is related to the state at adjacent program points. Our analysis is inter-procedurally flow sensitive and intra-procedurally path sensitive. To avoid state space explosion in inter-procedural analysis, we use procedural summary instead of analyzing the called function holistically. The experimental results show that this method can effectively locate format string vulnerabilities in C programs. In comparison with other static approaches, ours can greatly reduce false positive. © 2011 IEEE.; This paper presents a novel approach, based on static analysis, to detect format string vulnerabilities in C programs. Format string vulnerability is viewed as a finite state safety property. The analysis is expressed as a system of constraint describing how the safety state at one program point is related to the state at adjacent program points. Our analysis is inter-procedurally flow sensitive and intra-procedurally path sensitive. To avoid state space explosion in inter-procedural analysis, we use procedural summary instead of analyzing the called function holistically. The experimental results show that this method can effectively locate format string vulnerabilities in C programs. In comparison with other static approaches, ours can greatly reduce false positive. © 2011 IEEE.
关键词c (Programming Language) Safety Engineering
主办者International Association for; Computer and Information Science (ACIS); Seoul National University
语种英语
内容类型会议论文
URI标识http://ir.iscas.ac.cn/handle/311060/16298
专题中国科学院软件研究所
推荐引用方式
GB/T 7714
Han Wei,Ren Mengfei,Tian Shuo,et al. static analysis of format string vulnerabilities[C],2011:122-127.
条目包含的文件
条目无相关文件。
个性服务
推荐该条目
保存到收藏夹
查看访问统计
导出为Endnote文件
谷歌学术
谷歌学术中相似的文章
[Han Wei]的文章
[Ren Mengfei]的文章
[Tian Shuo]的文章
百度学术
百度学术中相似的文章
[Han Wei]的文章
[Ren Mengfei]的文章
[Tian Shuo]的文章
必应学术
必应学术中相似的文章
[Han Wei]的文章
[Ren Mengfei]的文章
[Tian Shuo]的文章
相关权益政策
暂无数据
收藏/分享
所有评论 (0)
暂无评论
 

除非特别说明,本系统中所有内容都受版权保护,并保留所有权利。