Re: Compiler detection of buffer overflows (David Wagner)
15 Aug 2001 01:14:53 -0400

          From comp.compilers

Related articles
Compiler detection of buffer overflows (Ben Elliston) (2001-08-08)
Re: Compiler detection of buffer overflows (2001-08-15)
Re: Compiler detection of buffer overflows (2001-08-15)
Re: Compiler detection of buffer overflows (prener) (2001-08-18)
| List of all articles for this month |

From: (David Wagner)
Newsgroups: comp.compilers
Date: 15 Aug 2001 01:14:53 -0400
Organization: University of California, Berkeley
References: 01-08-048
Keywords: debug, bibliography
Posted-Date: 15 Aug 2001 01:14:53 EDT

Ben Elliston wrote:
>I am seeking references to work in the area of static and/or dynamic
>detection and prevention of buffer overflows.

There's been a bit of work in this area lately, so I'll just list
some of the recent references; you can trace citations backwards
in those papers to find other potentially relevant work.

David Larochelle and David Evans.
``Statically Detecting Likely Buffer Overflow Vulnerabilities.''
2001 USENIX Security Symp.,

Dor Nurit, Rodeh Michael, and Sagiv Mooly.
``Cleanness Checking of String Manipulations in C Programs via Integer
Analysis.'' SAS'01,

John Viega, J.T. Bloch, Tadayoshi Kohno, Gary McGraw.
``ITS4: A Static Vulnerability Scanner for C and C++ Code.''

Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, Jonathan Walpole.
``Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade.''

``A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities.''
NDSS 2000,

There are other lexical code scanning tools, such as RATS
( and flawfinder

Some more references may be found in my PhD thesis:

Post a followup to this message

Return to the comp.compilers page.
Search the comp.compilers archives again.