Conference item
Towards automated bounded model checking of API implementations
- Abstract:
- We introduce and demonstrate the viability of a novel technique for verifying that implementations of application program interfaces (APIs) are bug free. Our technique applies a new abstract interpretation to extract an underlying model of API usage, and then uses this to synthesise a set of verifiable program fragments. These fragments are evaluated using CBMC and any potentially spurious property violation is presented to a domain expert user. The user’s response is then used to refine the underlying model of the API to eliminate false positives. The refinement-analysis process is repeated iteratively. We demonstrate the viability of the technique by showing how it can find an integer underflow within Google’s Brotli, an underflow that has been shown to lead directly to allow remote attackers to execute arbitrary code in CVE 2016-1968.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
Actions
Access Document
- Files:
-
-
(Preview, Accepted manuscript, pdf, 402.5KB, Terms of use)
-
Authors
- Publisher:
- CEUR-WS
- Host title:
- CEUR Workshop Proceedings
- Journal:
- CEUR Workshop Proceedings More from this journal
- Volume:
- 1639
- Pages:
- 31-42
- Publication date:
- 2016-07-01
- Acceptance date:
- 2016-04-19
- ISSN:
-
1613-0073
- Pubs id:
-
pubs:641256
- UUID:
-
uuid:9f95a39a-0a4a-42c6-acdc-696a07061375
- Local pid:
-
pubs:641256
- Source identifiers:
-
641256
- Deposit date:
-
2017-01-28
- ARK identifier:
Terms of use
- Copyright holder:
- Kroening et al
- Copyright date:
- 2016
- Notes:
- Copyright © 2016 for the individual papers by the papers' authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors.
If you are the owner of this record, you can report an update to it here: Report update to this record