Accession Number:

AD1084333

Title:

Detecting Leaks of Sensitive Data Due to Stale Reads

Descriptive Note:

Technical Report

Corporate Author:

Carnegie Mellon University Software Engineering Institute Pittsburgh United States

Personal Author(s):

Report Date:

2018-01-01

Pagination or Media Count:

26.0

Abstract:

Overview. Problem addressed Leaks of sensitive stale data from a re-used buffer. Approach Heuristic-driven dynamic analysis for detecting reads that may be accessing stale sensitive data. Results Our dynamic analyses for C and Java can detect and stop Heartbleed OpenSSL and JetLeak Jetty. Evidence for attaining reasonably low false-positive rate currently 0.2 alarms kLOC for GNU Coreutils on its test suite. Staleness unlike out-of-bounds access is not a mechanically defined property it refers on developer intent.

Subject Categories:

  • Computer Programming and Software

Distribution Statement:

APPROVED FOR PUBLIC RELEASE