Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs

  • Conference paper
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2006)

Abstract

Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string-related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows, in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer-related vulnerabilities in these applications.

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ceesay, E.N., Zhou, J., Gertz, M., Levitt, K., Bishop, M. (2006). Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_1

  • DOI: https://doi.org/10.1007/11790754_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36014-8

  • Online ISBN: 978-3-540-36017-9

  • eBook Packages: Computer Science, Computer Science (R0)
