Publication


Featured research published by Nurit Dor.


programming language design and implementation | 2003

CSSV: towards a realistic tool for statically detecting all buffer overflows in C

Nurit Dor; Michael Rodeh; Mooly Sagiv

Erroneous string manipulations are a major source of software defects in C programs yielding vulnerabilities which are exploited by software viruses. We present C String Static Verifyer (CSSV), a tool that statically uncovers all string manipulation errors. Being a conservative tool, it reports all such errors at the expense of sometimes generating false alarms. Fortunately, only a small number of false alarms are reported, thereby proving that statically reducing software vulnerability is achievable. CSSV handles large programs by analyzing each procedure separately. To this end procedure contracts are allowed which are verified by the tool. We implemented a CSSV prototype and used it to verify the absence of errors in real code from EADS Airbus. When applied to another commonly used string intensive application, CSSV uncovered real bugs with very few false alarms.


international symposium on software testing and analysis | 2006

Effective typestate verification in the presence of aliasing

Stephen J. Fink; Eran Yahav; Nurit Dor; G. Ramalingam; Emmanuel Geay

This paper addresses the challenge of sound typestate verification, with acceptable precision, for real-world Java programs. We present a novel framework for verification of typestate properties, including several new techniques to precisely treat aliases without undue performance costs. In particular, we present a flow-sensitive, context-sensitive, integrated verifier that utilizes a parametric abstract domain combining typestate and aliasing information. To scale to real programs without compromising precision, we present a staged verification system in which faster verifiers run as early stages which reduce the workload for later, more precise, stages. We have evaluated our framework on a number of real Java programs, checking correct API usage for various Java standard libraries. The results show that our approach scales to hundreds of thousands of lines of code, and verifies correctness for 93% of the potential points of failure.


static analysis symposium | 2001

Cleanness Checking of String Manipulations in C Programs via Integer Analysis

Nurit Dor; Michael Rodeh; Shmuel Sagiv

All practical C programs use structures, arrays, and/or strings. At runtime, such objects are mapped into consecutive memory locations, hereafter referred to as buffers. Many software defects are caused by buffer overflow -- unintentional access to memory outside the intended object. String manipulation is a major source of such defects. According to the FUZZ study, they are the cause of most UNIX failures. We present a new algorithm for statically detecting buffer overflow defects caused by string manipulations in C programs. In many programs, our algorithm is capable of precisely handling destructive memory updates, even in the presence of overlapping pointer variables which reference the same buffer at different offsets. Thus, our algorithm can uncover defects which go undetected by previous works. We reduce the problem of checking string manipulation to that of analyzing integer variables. A prototype of the algorithm has been implemented and applied to statically uncover defects in real C applications, i.e., errors which occur on some inputs to the program. The applications were selected without a priori knowledge of the number of string manipulation errors. A significant number of string manipulation errors were found in every application, further indicating the extensiveness of such errors. We are encouraged by the fact that our algorithm reports very few false alarms, i.e., warnings on errors that never occur at runtime.


tools and algorithms for construction and analysis of systems | 2004

Numeric Domains with Summarized Dimensions

Denis Gopan; Frank DiMaio; Nurit Dor; Thomas W. Reps; Mooly Sagiv

We introduce a systematic approach to designing summarizing abstract numeric domains from existing numeric domains. Summarizing domains use summary dimensions to represent potentially unbounded collections of numeric objects. Such domains are of benefit to analyses that verify properties of systems with an unbounded number of numeric objects, such as shape analysis, or systems in which the number of numeric objects is bounded, but large.


static analysis symposium | 2000

Checking Cleanness in Linked Lists

Nurit Dor; Michael Rodeh; Shmuel Sagiv

A new algorithm is presented that automatically uncovers memory errors such as NULL pointers dereference and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report “false alarms”. When applied to several intricate C programs manipulating singly linked lists, the new algorithm yields more accurate results, does not report any false alarm and usually runs even faster and consumes less space than a less precise algorithm.


international symposium on software testing and analysis | 2008

Customization change impact analysis for erp professionals via program slicing

Nurit Dor; Tal Lev-Ami; Shay Litvak; Mooly Sagiv; Dror Weiss

We describe a new tool that automatically identifies the impact of customization changes, i.e., how changes affect software behavior. As opposed to existing static analysis tools that aim at aiding programmers or improving performance, our tool is designed for end-users without prior knowledge of programming. We utilize state-of-the-art static analysis algorithms for the programs within an Enterprise Resource Planning system (ERP). Key challenges in analyzing real world ERP programs are their significant size and the interdependency between programs. In particular, we describe and compare three customization change impact analyses for real-world programs, and a balancing algorithm built upon the three independent analyses. This paper presents PanayaImpactAnalysis (PanayaIA), a web on-demand tool, providing ERP professionals a clear view of the impact of a customization change on the system. In addition we report empirical results of PanayaIA when used by end-users on an ERP system of tens of millions LOCs.


conference of the centre for advanced studies on collaborative research | 2006

Combined static and dynamic analysis for inferring program dependencies using a pattern language

Inbal Ronen; Nurit Dor; Sara Porat; Yael Dubinsky

One of the challenges when examining enterprise applications is the ability to understand the dependencies of these applications on external and internal resources such as database access or transaction activation. Inferring dependencies can be achieved using a static approach, a dynamic one or a combination of the two. Static analysis tools detect dependencies based on code investigation while dynamic tools detect dependencies based on runtime execution. The combination of these two approaches is essential for a complete and precise analysis. In this paper we present and illustrate a technique for inferring application dependencies on resources. The technique is based on a combined dynamic and static analysis. A pattern language is defined to enable the specification of dependencies as sequences of method invocations in the application code. Specifically, the sequences are patterns that constitute access to resources, e.g. databases, message queues, and control systems. We propose an algorithm for inferring application dependencies based on hybrid dynamic and static analysis that propagates information provided by dynamic analysis into the static analysis and back to the dynamic analysis. Empirical results from our implemented prototype are presented.


verified software: theories, tools, experiments | 2005

Automatic Verification of Strongly Dynamic Software Systems

Nurit Dor; John Field; Denis Gopan; Tal Lev-Ami; Alexey Loginov; Roman Manevich; G. Ramalingam; Thomas W. Reps; Noam Rinetzky; Mooly Sagiv; Reinhard Wilhelm; Eran Yahav; Greta Yorsh

Strongly dynamic software systems are difficult to verify. By strongly dynamic, we mean that the actors in such systems change dynamically, that the resources used by such systems are dynamically allocated and deallocated, and that for both sets, no bounds are statically known. In this position paper, we describe the progress we have made in automated verification of strongly dynamic systems using abstract interpretation with three-valued logical structures. We then enumerate a number of challenges that must be tackled in order for such techniques to be widely adopted.


international symposium on software testing and analysis | 2004

Software validation via scalable path-sensitive value flow analysis

Nurit Dor; Stephen Adams; Manuvir Das; Zhe Yang


Archive | 2003

System and method for performing path-sensitive value flow analysis on a program

Manuvir Das; Stephen Adams; Nurit Dor

Collaboration


Nurit Dor's top co-authors.

Denis Gopan

University of Wisconsin-Madison
Thomas W. Reps

University of Wisconsin-Madison
Eran Yahav

Technion – Israel Institute of Technology