Detecting Leaks of Sensitive Data Due to Stale Reads
Carnegie Mellon University Software Engineering Institute Pittsburgh United States
Overview. Problem addressed: leaks of sensitive stale data from a re-used buffer. Approach: heuristic-driven dynamic analysis for detecting reads that may be accessing stale sensitive data. Results: our dynamic analyses for C and Java can detect and stop Heartbleed (OpenSSL) and JetLeak (Jetty). Evidence for attaining a reasonably low false-positive rate: currently 0.2 alarms per kLOC for GNU Coreutils on its test suite. Staleness, unlike out-of-bounds access, is not a mechanically defined property; it depends on developer intent.
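The following is an added illustration of the buffer-reuse leak and of one simple way a dynamic analysis can flag it; it is not code from the paper or from OpenSSL or Jetty. It assumes a hypothetical instrumentation layer (tb_acquire, tb_write, tb_stale_count) that keeps a shadow "freshness" map per buffer: a byte becomes stale when the buffer is re-used for a new message and becomes fresh again only when rewritten. The Heartbleed-shaped scenario shows an echo of a claimed length that exceeds what the request actually wrote; the second scenario shows why a purely mechanical definition of staleness produces alarms that only developer intent can resolve. The secret string and payloads are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* A re-used I/O buffer plus a shadow map: fresh[i] != 0 means data[i]
   was written since the buffer was last handed out for a new message.
   Hypothetical instrumentation, not the paper's implementation. */
typedef struct {
    unsigned char data[BUF_SIZE];
    unsigned char fresh[BUF_SIZE];
} tracked_buf;

/* Re-use point: the buffer is handed out for a new message, so every
   byte it still holds from earlier messages is now stale. */
static void tb_acquire(tracked_buf *b) {
    memset(b->fresh, 0, sizeof b->fresh);
}

/* Instrumented write: copies n bytes to data[off..] and marks them fresh.
   Out-of-range writes are ignored; this example is about staleness, not bounds. */
static void tb_write(tracked_buf *b, size_t off, const void *src, size_t n) {
    if (off > BUF_SIZE || n > BUF_SIZE - off) return;
    memcpy(b->data + off, src, n);
    memset(b->fresh + off, 1, n);
}

/* Instrumented read: returns how many bytes in [off, off+n) are stale,
   clamped to the buffer. A nonzero result is the alarm the analysis raises. */
static size_t tb_stale_count(const tracked_buf *b, size_t off, size_t n) {
    size_t stale = 0, end;
    if (off >= BUF_SIZE) return 0;
    end = off + n;
    if (end > BUF_SIZE || end < off) end = BUF_SIZE;
    for (size_t i = off; i < end; i++)
        if (!b->fresh[i]) stale++;
    return stale;
}

/* Heartbleed-shaped scenario: a message carrying a secret is processed
   through the buffer, then a heartbeat request re-uses it. The request
   header claims `claimed` payload bytes but the body supplies only `actual`;
   the echo reads `claimed` bytes. Returns the number of stale bytes read. */
static size_t simulate_heartbeat_echo(size_t claimed, size_t actual) {
    static const char secret[] = "session-key:0123456789abcdef"; /* constructed */
    unsigned char payload[BUF_SIZE];
    tracked_buf b;

    memset(&b, 0, sizeof b);
    tb_acquire(&b);
    tb_write(&b, 0, secret, sizeof secret - 1);   /* earlier, sensitive message */

    tb_acquire(&b);                               /* buffer re-used for heartbeat */
    memset(payload, 'A', sizeof payload);
    tb_write(&b, 0, payload, actual);             /* only `actual` bytes arrive */
    return tb_stale_count(&b, 0, claimed);        /* echo reads `claimed` bytes */
}

/* Developer-intent scenario: a connection deliberately keeps an 8-byte
   header at the front of the buffer across messages, rewrites only the
   body, and sends header+body. Bytes 0..7 are stale by the mechanical
   definition, yet the read is intended. Returns the alarm count. */
static size_t simulate_persistent_header(void) {
    tracked_buf b;
    memset(&b, 0, sizeof b);
    tb_acquire(&b);
    tb_write(&b, 0, "HDR00001", 8);
    tb_write(&b, 8, "first-body", 10);
    tb_acquire(&b);                               /* next message, header kept on purpose */
    tb_write(&b, 8, "second-bod", 10);
    return tb_stale_count(&b, 0, 18);             /* 8 stale header bytes flagged */
}

int main(void) {
    printf("honest heartbeat (4 claimed, 4 sent): %zu stale bytes\n",
           simulate_heartbeat_echo(4, 4));
    printf("heartbleed-style (32 claimed, 4 sent): %zu stale bytes\n",
           simulate_heartbeat_echo(32, 4));
    printf("persistent header re-read: %zu stale bytes (intended)\n",
           simulate_persistent_header());
    return 0;
}
```

The second scenario is the point behind the paper's remark on developer intent: the same shadow-map check that catches the over-long echo also fires on a header the program meant to keep, so an analysis needs heuristics about which stale bytes are sensitive, and a residual rate such as the reported 0.2 alarms per kLOC is what remains after those heuristics.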
- Computer Programming and Software