Accession Number:

AD1084333

Title:

Detecting Leaks of Sensitive Data Due to Stale Reads

Descriptive Note:

[Technical Report, Briefing Charts]

Corporate Author:

Carnegie Mellon University Software Engineering Institute

Personal Author(s):

Report Date:

2018-01-01

Pagination or Media Count:

26

Abstract:

Overview. Problem addressed Leaks of sensitive stale data from a re-used buffer. Approach Heuristic-driven dynamic analysis for detecting reads that may be accessing stale sensitive data. Results Our dynamic analyses for C and Java can detect and stop Heartbleed OpenSSL and JetLeak Jetty. Evidence for attaining reasonably low false-positive rate currently 0.2 alarms kLOC for GNU Coreutils on its test suite. Staleness unlike out-of-bounds access is not a mechanically defined property it refers on developer intent.

Descriptors:

• computer programs
• software development
• transient response analysis
• engineering
• instrumentation
• materials
• trees (data structures)
• compilers
• department of defense
• guarantees
• universities
• language
• object code
• production
• computer programming
• copyrights
• demographic cohorts
• governments
• metadata
• application software

Subject Categories:

• Computer Programming and Software

Distribution Statement:

[A, Approved For Public Release]