The C and C++ programming languages are notoriously insecure yet remain indispensable. Developers therefore resort to a multi-pronged approach to find security issues before adversaries. These include manual, static, and dynamic program analysis. Dynamic bug finding tools - henceforth 'sanitizers' - can find bugs that elude other types of analysis because they observe the actual execution of a program, and can therefore directly observe incorrect program behavior as it happens. A vast number of sanitizers have been prototyped by academics and refined by practitioners. We provide a systematic overview of sanitizers with an emphasis on their role in finding security issues. Specifically, we taxonomize the available tools and the security vulnerabilities they cover, describe their performance and compatibility properties, and highlight various trade-offs.
|Title of host publication||Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019|
|Publisher||Institute of Electrical and Electronics Engineers Inc.|
|Number of pages||21|
|Publication status||Published - 2019 May|
|Event||40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States|
Duration: 2019 May 19 → 2019 May 23
|Name||Proceedings - IEEE Symposium on Security and Privacy|
|Conference||40th IEEE Symposium on Security and Privacy, SP 2019|
|Period||19/5/19 → 19/5/23|
Bibliographical notePublisher Copyright:
© 2019 IEEE.
All Science Journal Classification (ASJC) codes
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications