The C and C++ programming languages are notoriously insecure yet remain indispensable. Developers therefore resort to a multi-pronged approach to find security issues before adversaries. These include manual, static, and dynamic program analysis. Dynamic bug finding tools - henceforth 'sanitizers' - can find bugs that elude other types of analysis because they observe the actual execution of a program, and can therefore directly observe incorrect program behavior as it happens. A vast number of sanitizers have been prototyped by academics and refined by practitioners. We provide a systematic overview of sanitizers with an emphasis on their role in finding security issues. Specifically, we taxonomize the available tools and the security vulnerabilities they cover, describe their performance and compatibility properties, and highlight various trade-offs.
|Title of host publication||Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019|
|Publisher||Institute of Electrical and Electronics Engineers Inc.|
|Number of pages||21|
|Publication status||Published - 2019 May|
|Event||40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States|
Duration: 2019 May 19 → 2019 May 23
|Name||Proceedings - IEEE Symposium on Security and Privacy|
|Conference||40th IEEE Symposium on Security and Privacy, SP 2019|
|Period||19/5/19 → 19/5/23|
Bibliographical noteFunding Information:
ACKNOWLEDGMENT The authors thank the anonymous reviewers for their constructive feedback. We also thank Gregory J. Duck, Mathias Payer, Nathan Burow, Bart Coppens, and Manuel Rigger for their helpful feedback. This material is based upon work partially supported by the Defense Advanced Research Projects Agency under contracts FA8750-15-C-0124 and FA8750-15-C-0085, by the United States Office of Naval Research under contract N00014-17-1-2782, and by the National Science Foundation under awards CNS-1619211 and CNS-1513837. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency or its Contracting Agents, the Office of Naval Research or its Contracting Agents, the National Science Foundation, or any other agency of the U.S. Government. The authors also gratefully acknowledge a gift from Oracle Corporation.
© 2019 IEEE.
All Science Journal Classification (ASJC) codes
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications