Accession Number:



Detecting Leaks of Sensitive Data Due to Stale Reads

Descriptive Note:

[Technical Report, Briefing Charts]

Corporate Author:

Carnegie Mellon University Software Engineering Institute

Personal Author(s):

Report Date:


Pagination or Media Count:



Overview. Problem addressed Leaks of sensitive stale data from a re-used buffer. Approach Heuristic-driven dynamic analysis for detecting reads that may be accessing stale sensitive data. Results Our dynamic analyses for C and Java can detect and stop Heartbleed OpenSSL and JetLeak Jetty. Evidence for attaining reasonably low false-positive rate currently 0.2 alarms kLOC for GNU Coreutils on its test suite. Staleness unlike out-of-bounds access is not a mechanically defined property it refers on developer intent.

Subject Categories:

  • Computer Programming and Software

Distribution Statement:

[A, Approved For Public Release]