David Larochelle - University of Virginia
Buffer overflows are perhaps the single most important security problem on the Internet today. We have been working on using lightweight static checking to detect buffer overflows by analyzing source code [Larochelle and Evans, USENIX Security 2001]. The approach involves adding annotations to code that document programmer assumptions. For legacy programs, the process of adding annotations is often tedious and time-consuming. This project seeks to develop a tool that will assist in this process by using both static analysis of the program and information from test executions. By eliminating some of the work involved in annotating a program, we will be able to more efficiently and productively use static analysis to find and remove buffer overflow vulnerabilities from legacy code.