ARCHER: Using Symbolic, Pathsensitive Analysis to Detect Memory Access Errors
Transcript of ARCHER: Using Symbolic, Pathsensitive Analysis to Detect Memory Access Errors
Yichen Xie, Andy Chou, and Dawson Engler
Computer Systems Laboratory, Stanford University, Stanford, CA 94305, U.S.A.
Wei Tao 5070379106
Authors
Yichen Xie, Stanford University
Andy Chou
Dawson Engler, Associate Professor, Computer Science and Electrical Engineering, Gates Building 3A-314, 353 Serra Mall, Stanford University
Problem
Memory Access Errors
Introduction
ARCHER (ARray CHeckER):
No annotations needed.
Speed.
Few false positives.
Drawbacks.
Introduction
Key features:
Interprocedural
Fully symbolic
Path sensitive
Context sensitive
Aware of pointer aliases for buffers
Overview
The core of ARCHER consists of three pieces:
a translator
a traversal module
a solver
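The three pieces above (translate the program into a simple form, traverse its paths, and ask a solver whether an access can go out of bounds) together with the "path sensitive" and "fully symbolic" features from the previous slide are easiest to see on a toy. The following is an added illustration written for this transcript, not code from ARCHER or from the authors: it defines its own tiny statement representation, tracks each variable as an integer interval along every feasible path, prunes branches whose condition contradicts the path so far, and reports an array access whose index interval is not contained in the array bounds. The program in PROGRAM and the array sizes in ARRAYS are constructed sample input; the names eval_expr, refine, walk and check are assumptions of this example. The interval domain stands in for the real solver.

```python
import math
from typing import Dict, List, Optional, Tuple

NEG, POS = -math.inf, math.inf
Interval = Tuple[float, float]
Env = Dict[str, Interval]


def eval_expr(expr, env: Env) -> Interval:
    """Evaluate a toy expression to an integer interval under one path's environment."""
    if isinstance(expr, int):
        return (expr, expr)
    kind = expr[0]
    if kind == "var":                     # unknown inputs are unconstrained
        return env.get(expr[1], (NEG, POS))
    a, b = eval_expr(expr[1], env), eval_expr(expr[2], env)
    if kind == "add":
        return (a[0] + b[0], a[1] + b[1])
    if kind == "sub":
        return (a[0] - b[1], a[1] - b[0])
    raise ValueError(f"unknown expression kind {kind!r}")


NEGATE = {"<": ">=", ">=": "<", "<=": ">", ">": "<=", "==": "!="}


def refine(cond, env: Env, taken: bool) -> Optional[Env]:
    """Copy env narrowed by cond (if taken) or its negation; None if the branch is infeasible."""
    op, lhs, rhs = cond
    if not taken:
        op = NEGATE[op]
    var = lhs[1]                          # toy IR: conditions compare a variable with an expression
    lo, hi = env.get(var, (NEG, POS))
    rlo, rhi = eval_expr(rhs, env)
    if op == "<":
        hi = min(hi, rhi - 1)
    elif op == "<=":
        hi = min(hi, rhi)
    elif op == ">":
        lo = max(lo, rlo + 1)
    elif op == ">=":
        lo = max(lo, rlo)
    elif op == "==":
        lo, hi = max(lo, rlo), min(hi, rhi)
    elif op == "!=" and rlo == rhi:       # excluding one value can only trim an interval's ends
        if lo == hi == rlo:
            return None
        if lo == rlo:
            lo += 1
        elif hi == rlo:
            hi -= 1
    if lo > hi:
        return None                       # contradictory path condition: prune this branch
    new_env = dict(env)
    new_env[var] = (lo, hi)
    return new_env


def fmt(cond, taken: bool) -> str:
    op, lhs, rhs = cond
    rhs_s = rhs if isinstance(rhs, int) else rhs[1]
    return f"{lhs[1]} {op} {rhs_s}: {'true' if taken else 'false'}"


def walk(stmts, env: Env, path: List[str], arrays: Dict[str, int], reports: List[dict]) -> None:
    """Explore every feasible path through stmts, checking each array access on that path."""
    env = dict(env)
    for idx, st in enumerate(stmts):
        kind = st[0]
        if kind == "assign":
            env[st[1]] = eval_expr(st[2], env)
        elif kind == "access":            # array read or write: index must lie in [0, size)
            lo, hi = eval_expr(st[2], env)
            size = arrays[st[1]]
            if lo < 0 or hi >= size:
                reports.append({"array": st[1], "size": size, "index": (lo, hi), "path": list(path)})
        elif kind == "if":
            rest = stmts[idx + 1:]
            for taken, block in ((True, st[2]), (False, st[3])):
                branch_env = refine(st[1], env, taken)
                if branch_env is None:
                    continue              # infeasible branch is never explored: no false report
                walk(list(block) + rest, branch_env, path + [fmt(st[1], taken)], arrays, reports)
            return                        # the statements after the if were handled per branch
        else:
            raise ValueError(f"unknown statement kind {kind!r}")


def check(program, arrays: Dict[str, int]) -> List[dict]:
    reports: List[dict] = []
    walk(program, {}, [], arrays, reports)
    return reports


# Constructed sample program; n is an unconstrained input and buf has 16 elements:
#   i = n; ok = 0;
#   if (i >= 0) { if (i < 16) ok = 1; }
#   if (ok == 1) buf[i] = ...;         safe: only reachable on paths with 0 <= i < 16
#   if (i < 16) buf[i] = ...;          bug: i may be negative on the path where i < 0
#   else        buf[15] = ...;         in bounds
PROGRAM = [
    ("assign", "i", ("var", "n")),
    ("assign", "ok", 0),
    ("if", (">=", ("var", "i"), 0),
        [("if", ("<", ("var", "i"), 16), [("assign", "ok", 1)], [])], []),
    ("if", ("==", ("var", "ok"), 1), [("access", "buf", ("var", "i"))], []),
    ("if", ("<", ("var", "i"), 16), [("access", "buf", ("var", "i"))], [("access", "buf", 15)]),
]
ARRAYS = {"buf": 16}

if __name__ == "__main__":
    for r in check(PROGRAM, ARRAYS):
        print(f"{r['array']}[{r['index']}] (size {r['size']}) on path {r['path']}")
```

Run as a script it prints exactly one report, the unguarded access on the path where i is negative. A path-insensitive analysis that merged states at the join after the first if would see ok in [0,1] and i unconstrained, and would also flag the access guarded by ok == 1; here that branch is only ever reached on the path that set ok = 1, where i is already known to be in [0, 15], and the contradictory combinations (ok == 1 with ok known to be 0, or i >= 16 after i < 0) are pruned before any access is checked.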
Implementation
Results
Thank you!