Buffer overrun detection using linear programming and static analysis

Vinod Ganapathy, Somesh Jha, David Chandler, David Melski, David Vitek
2003 Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)
This paper addresses the problem of identifying buffer overrun vulnerabilities by statically analyzing C source code. We present a lightweight analysis that models C string manipulations as a linear program: each buffer is described by the size of its allocation and the length of the string it holds, and each string operation contributes a linear constraint on those quantities. We also present fast, scalable solvers based on linear programming, and describe techniques that make the program analysis context sensitive. Based on these techniques, we built a prototype and used it to identify several vulnerabilities in popular security-critical applications.
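The following worked example is added here and is not code from the paper or its prototype. It shows the shape of the analysis the abstract describes: a constructed, hypothetical C fragment is written down as a list of statements (standing in for what a C front end would produce), each string operation becomes a linear constraint over two variables per buffer, maxlen(b) (the longest string stored in b, terminating NUL included) and minalloc(b) (the fewest bytes ever allocated for b), the tightest bounds are computed, and any buffer with maxlen(b) > minalloc(b) is flagged. An iterative longest-path solver stands in for the paper's LP solver; for constraints of this form it yields the same least maxlen / greatest minalloc bounds. The analysis is flow-insensitive, so a strcat makes its destination unbounded unless the source is known to be empty, which is the same conservative answer a single-constraint-system model gives for strcat in a loop.

```python
# Added example (not from the paper or its tool): bound C string buffers
# with per-buffer variables maxlen(b) and minalloc(b), solved to a fixpoint.
from math import inf

# Constructed input: (statement kind, operands). Each tuple stands for the
# C line in its comment; a real tool would derive these from a C front end.
PROGRAM = [
    ("decl", "line", 256),                 # char line[256];
    ("fgets", "line", 256),                # fgets(line, sizeof line, stdin);
    ("decl", "user", 16),                  # char user[16];
    ("strcpy", "user", "line"),            # strcpy(user, line);
    ("decl", "cmd", 64),                   # char cmd[64];
    ("strlit", "cmd", "/usr/bin/id "),     # strcpy(cmd, "/usr/bin/id ");
    ("strcat", "cmd", "user"),             # strcat(cmd, user);
    ("extern", "argv1"),                   # argv[1]: attacker controlled
    ("malloc", "copy", 128),               # char *copy = malloc(128);
    ("strcpy", "copy", "argv1"),           # strcpy(copy, argv[1]);
]

def gen_constraints(stmts):
    """Constraint = (lhs, tuple of rhs variables, constant, sense), meaning
    lhs >= sum(rhs) + constant  or  lhs <= sum(rhs) + constant."""
    cs = []
    for op, *args in stmts:
        if op in ("decl", "malloc"):      # allocation of N bytes: minalloc(b) <= N
            b, n = args
            cs.append((f"minalloc({b})", (), n, "<="))
        elif op == "fgets":               # at most n-1 characters plus NUL
            b, n = args
            cs.append((f"maxlen({b})", (), n, ">="))
        elif op == "strlit":              # string literal plus NUL
            b, s = args
            cs.append((f"maxlen({b})", (), len(s) + 1, ">="))
        elif op == "extern":              # unknown input: no finite bound
            (b,) = args
            cs.append((f"maxlen({b})", (), inf, ">="))
        elif op == "strcpy":              # dst receives src's length
            d, s = args
            cs.append((f"maxlen({d})", (f"maxlen({s})",), 0, ">="))
        elif op == "strcat":              # lengths add, one NUL is shared;
            d, s = args                   # self-reference: flow-insensitive
            cs.append((f"maxlen({d})", (f"maxlen({d})", f"maxlen({s})"), -1, ">="))
        else:
            raise ValueError(f"unknown statement {op}")
    return cs

def solve(cs):
    """Least maxlen and greatest minalloc satisfying cs. A variable still
    moving after |vars| sweeps lies on a positive cycle and is widened to
    its unbounded value (inf for maxlen, -inf for minalloc)."""
    if not cs:
        return {}
    names = {c[0] for c in cs} | {v for c in cs for v in c[1]}
    unbounded = {v: inf if v.startswith("maxlen") else -inf for v in names}
    val = {v: -unbounded[v] for v in names}       # "no information yet"

    def sweep():
        changed = set()
        for lhs, rhs, c, sense in cs:
            vals = [val[v] for v in rhs]
            if -unbounded[lhs] in vals:           # an operand has no bound yet
                continue
            base = c + sum(vals)
            if (sense == ">=" and base > val[lhs]) or (sense == "<=" and base < val[lhs]):
                val[lhs] = base
                changed.add(lhs)
        return changed

    while True:
        for _ in range(len(names)):
            changed = sweep()
            if not changed:
                return val
        for v in changed:                         # no finite bound exists
            val[v] = unbounded[v]

def analyze(stmts):
    """Map each allocated buffer to (verdict, maxlen, minalloc)."""
    val = solve(gen_constraints(stmts))
    report = {}
    for op, *args in stmts:
        if op in ("decl", "malloc"):
            b = args[0]
            ml = val.get(f"maxlen({b})", -inf)
            ma = val[f"minalloc({b})"]
            verdict = "never written" if ml == -inf else "overrun" if ml > ma else "ok"
            report[b] = (verdict, ml, ma)
    return report

if __name__ == "__main__":
    for b, (verdict, ml, ma) in analyze(PROGRAM).items():
        print(f"{b:6} maxlen={ml:<6} minalloc={ma:<6} {verdict}")
```

Running it reports `line` as ok (256 bytes read into 256), `user` as an overrun with finite bounds (256 into 16), and `cmd` and `copy` as overruns with an unbounded maxlen: `cmd` because of the strcat cycle, `copy` because its source is unbounded input. Warnings like the finite `user` case are the ones a practitioner should triage first; the unbounded ones include the false positives that the paper's context-sensitivity work is meant to reduce.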
doi:10.1145/948152.948155 fatcat:jqnz4txfpjb2dchiertyujplwi