Abstraction-Based Static Analysis of Buffer Overruns in C Programs

Show simple item record

dc.contributor.advisor Dr. Matthias Stallmann, Committee Member en_US
dc.contributor.advisor Dr. Peng Ning, Committee Member en_US
dc.contributor.advisor Dr. Daniel C DuVarney, Committee Member en_US
dc.contributor.advisor Dr. S Purushothaman Iyer, Committee Chair en_US
dc.contributor.author Srinivasa, Gopal Ranganatha en_US
dc.date.accessioned 2010-04-02T18:18:49Z
dc.date.available 2010-04-02T18:18:49Z
dc.date.issued 2003-07-07 en_US
dc.identifier.other etd-07032003-111255 en_US
dc.identifier.uri http://www.lib.ncsu.edu/resolver/1840.16/2925
dc.description.abstract Bounds violations or buffer overruns have historically been a major source of defects in software systems, making bounds checking a key component in practical automatic verification methods. With the advent of the Internet, buffer overruns have been exploited by attackers to break into secure systems as well. Many security violations ranging from the 1988 Internet worm incident to the AnalogX Proxy server vulnerability have been attributed to buffer overruns. Programs written in the C language, which comprise most of the systems software available today, are particularly vulnerable because of the lack of array bounds checking in the C compiler, presence of pointers that can be used to write anywhere in memory, and the weak type system of the C language. Many methods have been proposed to detect these errors. Runtime methods that detect buffer overruns suffer from significant overhead and incomplete coverage, while compile time methods could suffer from low accuracy and poor scalability. In this thesis, we propose a new technique for bounds checking based on data abstraction that is more accurate, more scalable, and suffers from no runtime overhead. Enhancements have been made to C Wolf, a suite of model generation tools, to handle buffer overflow analysis. Case studies on web2c, a publicly available software package, pico server, an open source web server, and on the wu-ftpd server are presented to demonstrate the practicality of the technique. en_US
dc.rights I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. en_US
dc.subject static analysis en_US
dc.subject data abstraction en_US
dc.subject partial order en_US
dc.subject abstract interpretation en_US
dc.subject buffer overflows en_US
dc.subject buffer overruns en_US
dc.title Abstraction-Based Static Analysis of Buffer Overruns in C Programs en_US
dc.degree.name MS en_US
dc.degree.level thesis en_US
dc.degree.discipline Computer Science en_US

Files in this item

Files Size Format View
etd.pdf 299.2Kb PDF View/Open

This item appears in the following Collection(s)

Show simple item record