Title - King Fahd University of Petroleum and Minerals

bossprettyingData Management

Nov 28, 2012 (5 years and 7 months ago)


Copyright: King Fahd University of Petroleum & Minerals;


ARCHER: Using Symbolic, Path
Sensitive Analysis To Detect
Memory Access Errors

King Fah
d University of Petroleum &



Memory corruption errors lead to non
deterministic, elusive crashes. This paper
describes ARCHER
(ARray CHeckER) a static, e#ective memory access checker.
ARCHER uses path
sensitive, interprocedural symbolic analysis to bound the values
of both variables and memory sizes. It evaluates known values using a constraint
solver at every array access, point
er dereference, or call to a function that expects a
size parameter. Accesses that violate constraints are flagged as errors. Those that are
exploitable by malicious attackers are marked as security holes. We carefully
designed ARCHER to work well on large

bodies of source code. It requires no
annotations to use (though it can use them). Its solver has been built to be powerful in
the ways that real code requires, while backing o # on the places that were irrelevant.
Selective power allows it to gain e#cien
cy while avoiding classes of false positives
that arise when a complex analysis interacts badly with statically undecidable
program properties. ARCHER uses statistical code analysis to automatically infer the
set of functions that it should track

this i
nference serves as a robust guard against
omissions, especially in large systems which can have hundreds of such functions. In
practice ARCHER is e#ective: it finds many errors; its analysis scales to systems of
millions of lines of code and the average fa
lse positive rate of our results is below
35%. We have run ARCHER over several large open source software projects

as Linux, OpenBSD, Sendmail, and PostgreSQL

and have found errors in all of
them (118 in the case of Linux, including 21 security