Browse > Article

Design and Implementation of Static Program Analyzer Finding All Buffer Overrun Errors in C Programs  

Yi Kwang-Keun (서울대학교 컴퓨터공학부)
Kim Jae-Whang (서울대학교 컴퓨터공학부)
Jung Yung-Bum (서울대학교 컴퓨터공학부)
Publication Information
Journal of KIISE:Software and Applications / v.33, no.5, 2006 , pp. 508-524 More about this Journal
Abstract
We present our experience of combining, in a realistic setting, a static analyzer with a statistical analysis. This combination is in order to reduce the inevitable false alarms from a domain-unaware static analyzer. Our analyzer named Airac(Array Index Range Analyzer for C) collects all the true buffer-overrun points in ANSI C programs. The soundness is maintained, and the analysis' cost-accuracy improvement is achieved by techniques that static analysis community has long accumulated. For still inevitable false alarms (e.g. Airac raised 970 buffer-overrun alarms in commercial C programs of 5.3 million lines and 737 among the 970 alarms were false), which are always apt for particular C programs, we use a statistical post analysis. The statistical analysis, given the analysis results (alarms), sifts out probable false alarms and prioritizes true alarms. It estimates the probability of each alarm being true. The probabilities are used in two ways: 1) only the alarms that have true-alarm probabilities higher than a threshold are reported to the user; 2) the alarms are sorted by the probability before reporting, so that the user can check highly probable errors first. In our experiments with Linux kernel sources, if we set the risk of missing true error is about 3 times greater than false alarming, 74.83% of false alarms could be filtered; only 15.17% of false alarms were mixed up until the user observes 50% of the true alarms.
Keywords
Static program analysis; abstract interpretation; buffer overrun; C language;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Patrick Cousot, Radhia Cousot, J'er^ome Feret, Laurent Mauborgne, Antoine Min'e, David Monniaux, and Xavier Rival. The astr'ee analyzer. In M. Sagiv, editor, European Symposium on Programming (ESOP'05), volume 3444 of Lecture Notes in Computer Science, pages 21-30. pringer-Verlag, 2005
2 Misha Zitser, Richard Lippmann, and Tim Leek. Testing static analysis tools using exploitable buffer overflows from open source code. In SIGSOFT '04/FSE-12: Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering, pages 97-106. ACM Press, 2004   DOI
3 Patrick Cousot, Radhia Cousot, .I'er^ome Feret, Laurent Mauborgne, Antoine Min'e, David Monniaux, and Xavier Rival. The astr'ee analyzer. In M. Sagiv, editor, European Symposium on Programming (ESOP'05), volume 3444 of Lecture Notes in Computer Science, pages 21-30. pringer-Verlag, 2005
4 Andrew Gelman, John B. Carlin, Hal S. Stern, and Donald B. Rubin. Bayesian Data Analysis. Text in Statistical Science. Chapman & HaIl/CRC, second edition edition, 2004
5 Patrick Cousot and Radhia Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of ACM Symposium on Principles of Programming Languages, pages 238-252, January 1977   DOI
6 Patrick Cousot and Radhia Cousot. Systematic design of program analysis frameworks. In Proceedings of ACM Symposium on Principles of Programming Languages, pages 269-282, 1979   DOI
7 Laurent Mauborgne and Xavier Rival. Trace partitioning in abstract interpretation based static analyzers. In M. Sagiv, editor, European Symposium on Programming (ESOP'O5), volume 3444 of Lecture Notes in Computer Science, pages 5-20. Springer-Verlag, 2005
8 N. Metropolis and S. Ulam. The Monte Carlo method. Journal of the American Statistical Association, 44(247):335-341, September 1949   DOI
9 Yichen Xie, Andy Chou, and Dawson Engler. Archer: using symbolic, path-sensitive analysis to detect memory access errors. In ESEC/FSE-11: Proceedings qf the 9th European software engineering corference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering, pages 327-336. ACM Press, 2003   DOI
10 James O. Berger. Statistical Decision Theory and Bayesian Analysis, 2nd Edition. Springer, 1985
11 David Hovemeyer and William Pugh. Finding bugs is easy. SIGPLAN Not., 39(2):92-106, 2004   DOI
12 Patrick Cousot and Radhia Cousot. Comparing the galois connection and' widening/narrowing approaches to abstract interpretation. In PLILP '92: Proceedings of the 4th International Symposium on Programming Language Implementation and Logic Programming, pages 269-295. SpringerVerlag, 1992
13 Bruno Blanchet, Patrie Cousot, Radhia Cousot, Jerome Feret, Laurent Mauborgne, Antonie Mine, David Monnizux, and Xavier Rival. A static analyzer for large safety-critical software. In Proceedings of the SIGPLAN Coriference on Programming Language Design and Implementation, pages 196-207, June 2003   DOI
14 bugtraq. www.securityfocus.com
15 Nurit Dor, Michael Rodeh, and Mooly Sagiv. Cssv: towards a realistic tool for statically detecting all buffer overflows in c. In PLDI '03: Proceedings of the ACM SIGPLAN 2003 con-ference on Programming language design and implementation, pages 155-167. ACM Press, 2003   DOI
16 CERT/CC advisories. www.cert.org/advisories