Ph.D. Proposal Oral Exam - Matthew Pruett

Title: A Framework for Analyzing Undefined Behavior in C Software

Committee: 

Dr. Keromytis, Advisor

Dr. Monrose, Chair

Dr. Frank Li

Abstract: The objective of the proposed research is to develop a program analysis framework to reason about undefined behavior. Undefined behavior in the C programming language is behavior which is not defined by the language's standard. Reliance on undefined behavior by the programmer may result in behavior that is unintended by the programmer and can introduce vulnerabilities in the software. Despite the abundance of research on software bugs and vulnerabilities, little research has been conducted on undefined behavior apart from a large amount of research focusing on a few well-known vulnerabilities. The proposed research will create a taxonomy of undefined behavior and develop static and dynamic program analyses to determine the security impacts of undefined behavior. It will demonstrate that a program analysis framework can statically detect undefined behavior in program binaries, find vulnerabilities caused by undefined behavior with fuzzing, and enable program equivalence checking in the presence of undefined behavior.

Status

  • Created By: Daniela Staiculescu
  • Created: 11/22/2022
  • Modified By: Daniela Staiculescu
  • Modified: 11/22/2022