Splint - Secure Programming Lint
|Download - Documentation - Manual - Links||Reporting Bugs - Mailing Lists Sponsors - Credits|
Statically Detecting Likely Buffer Overflow Vulnerabilities [PPT] [PDF]
Splint TalksDavid Larochelle. Conference presentation at USENIX Security '01, August 16, 2001.Extensible Lightweight Static Checking [PPT] [PDF]Buffer overflow attacks may be today's single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.David Evans. Short talk at University of Washington and Microsoft Research Summer Institute on Specifying and Checking Properties of Software, 14 August 2001.CSCP: The Bugs and the Bees: Research in Swarm Programming and Security [PPT]Many properties can be expressed as constraints on abstract state associated with program objects. LCLint (http://lclint.cs.virginia.edu) is an extensible lightweight static checking tool that provides a language for specifying state associated with program objects and introducing annotations that express assumptions and constraints about that state at interface points. This presentation will look at how constraints can be defined for checking use properties of the ANSI C Stream I/O library functions, and report on results from using those constraints to check programs.David Evans. Short presentation for Computer Science Corporate Partners, 9 November 2001.CS696: The Bugs and the Bees [PPT] [PDF]David Evans. Research overview talk for graduate orientation seminar, 17 September 2001.CS390: A Smorgasbord of Security, a Smattering of Swarm Programming, and Sampling of Static Checking and a Splash of Web SitesDavid Evans. Senior Seminar (CS 390) talk describing Fourth-Year Thesis Projects I am supervising, 21 March 2001.Why You Should Be Paranoid About What Comes Into and Out Of Your Computer [PPT]David Evans. Engineering Week talk, 21 February 2001. (Not really about Splint, but the pictures make up for it...)Annotation-Assisted Lightweight Static Checking [PPT]Talk at The First International Workshop on Automated Program Analysis, Testing and Verification (ICSE 2000). June 2000. (Position Paper)Let's Stop Beating Dead Horses and Start Beating Trojan Horses [PPT]Slides from my short presentation in a debate on Proof-Carrying Code with Peter Lee at the Infosec Research Council, Malicious Code Study Group. San Antonio, 13 January 2000.Systems for Safety and Dependability [PPT]Invited talk at Reliable Software Technologies. Summarizes Naccio and LCLint. Sterling, VA, 14 December 1999.