Article

Using Programmer-Written Compiler Extensions to Catch Security Holes

Authors:

Ken Ashcraft,

Dawson EnglerAuthors Info & Claims

SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy

Page 143

Published: 12 May 2002 Publication History

Publisher Site

Abstract

This paper shows how system-specific static analysis can find securityerrors that violate rules such as ``integers from untrusted sourcesmust be sanitized before use'' and ``do not dereference user-suppliedpointers.''In our approach, programmers write system-specificextensions that are linked into the compiler and check their code forerrors.We demonstrate the approach's effectiveness by using it tofind over 100 security errors in Linux and OpenBSD, over 50 of whichhave led to kernel patches.An unusual feature of our approach is theuse of methods to automatically detect when we miss code actions thatshould be checked.

Cited By

View all

Raghavan DLevis PZaharia MZhang IAngel SKasikci BKohler E(2021)Breakfast of championsProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465287(199-205)Online publication date: 1-Jun-2021
https://dl.acm.org/doi/10.1145/3458336.3465287
Ando R(2018)Automated reduction of attack surface using call graph enumerationProceedings of the 2018 2nd International Conference on Management Engineering, Software Engineering and Service Sciences10.1145/3180374.3181327(118-121)Online publication date: 13-Jan-2018
https://dl.acm.org/doi/10.1145/3180374.3181327
Zhang BLi QMa Y(2017)Research on dynamic heuristic scanning technique and the application of the malicious code detection modelInformation Processing Letters10.1016/j.ipl.2016.06.014117:C(19-24)Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1016/j.ipl.2016.06.014
Show More Cited By

Recommendations

Checking system rules using system-specific, programmer-written compiler extensions
OSDI'00: Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4

Systems software such as OS kernels, embedded systems, and libraries must obey many rules for both correctness and performance. Common examples include "accesses to variable A must be guarded by lock B," "system calls must check user pointers for ...
Debugging native extensions of dynamic languages
ManLang '18: Proceedings of the 15th International Conference on Managed Languages & Runtimes

Many dynamic programming languages such as Ruby and Python enable developers to use so called native extensions, code implemented in typically statically compiled languages like C and C++. However, debuggers for these dynamic languages usually lack ...
An Analyzer-Based Software Security Measurement Model for Enhancing Software System Security
WCSE '10: Proceedings of the 2010 Second World Congress on Software Engineering - Volume 01

Software security has become an increasingly important issue for computer and software system. Secure holes of software system may cause a company out of business and even destroy social normal operation. How to improve software security becomes a ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy

May 2002

ISBN:0769515436

Publisher

IEEE Computer Society

United States

Publication History

Published: 12 May 2002

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

84
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Raghavan DLevis PZaharia MZhang IAngel SKasikci BKohler E(2021)Breakfast of championsProceedings of the Workshop on Hot Topics in Operating Systems10.1145/3458336.3465287(199-205)Online publication date: 1-Jun-2021
https://dl.acm.org/doi/10.1145/3458336.3465287
Ando R(2018)Automated reduction of attack surface using call graph enumerationProceedings of the 2018 2nd International Conference on Management Engineering, Software Engineering and Service Sciences10.1145/3180374.3181327(118-121)Online publication date: 13-Jan-2018
https://dl.acm.org/doi/10.1145/3180374.3181327
Zhang BLi QMa Y(2017)Research on dynamic heuristic scanning technique and the application of the malicious code detection modelInformation Processing Letters10.1016/j.ipl.2016.06.014117:C(19-24)Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1016/j.ipl.2016.06.014
Wressnegger CYamaguchi FMaier ARieck KWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)Twice the Bits, Twice the TroubleProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978403(541-552)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978403
Jacobsen CKhole MSpall SBauer SBurtsev A(2016)Lightweight Capability DomainsACM SIGOPS Operating Systems Review10.1145/2883591.288360149:2(44-50)Online publication date: 20-Jan-2016
https://dl.acm.org/doi/10.1145/2883591.2883601
Voelter MMolotnikov ZKolb BGray JSprinkle JTolvanen JRossi M(2015)Towards improving software security using language engineering and mbeddr CProceedings of the Workshop on Domain-Specific Modeling10.1145/2846696.2846698(55-62)Online publication date: 27-Oct-2015
https://dl.acm.org/doi/10.1145/2846696.2846698
Jacobsen CKhole MSpall SBauer SBurtsev ALu S(2015)Lightweight capability domainsProceedings of the 8th Workshop on Programming Languages and Operating Systems10.1145/2818302.2818307(8-14)Online publication date: 4-Oct-2015
https://dl.acm.org/doi/10.1145/2818302.2818307
Min CKashyap SLee BSong CKim TMiller EHand S(2015)Cross-checking semantic correctnessProceedings of the 25th Symposium on Operating Systems Principles10.1145/2815400.2815422(361-377)Online publication date: 4-Oct-2015
https://dl.acm.org/doi/10.1145/2815400.2815422
Zhang BClause JPăsăreanu CMarinov D(2014)Lightweight automated detection of unsafe information leakage via exceptionsProceedings of the 2014 International Symposium on Software Testing and Analysis10.1145/2610384.2610412(327-338)Online publication date: 21-Jul-2014
https://dl.acm.org/doi/10.1145/2610384.2610412
Coker ZHafiz MNotkin DCheng BPohl K(2013)Program transformations to fix C integersProceedings of the 2013 International Conference on Software Engineering10.5555/2486788.2486892(792-801)Online publication date: 18-May-2013
https://dl.acm.org/doi/10.5555/2486788.2486892
Show More Cited By

Abstract

Cited By

Recommendations

Checking system rules using system-specific, programmer-written compiler extensions

Debugging native extensions of dynamic languages

An Analyzer-Based Software Security Measurement Model for Enhancing Software System Security

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations