Sciweavers

ICSE
2005
IEEE-ACM

Automatic discovery of API-level exploits

14 years 12 months ago
Automatic discovery of API-level exploits
We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique ...
Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Tho
Added 09 Dec 2009
Updated 09 Dec 2009
Type Conference
Year 2005
Where ICSE
Authors Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps, Randal E. Bryant
Comments (0)