GrammaTech Awarded Air Force Research Grant to Develop Source-Code Analyzer that Detects Buffer-Overrun Vulnerabilities

Ithaca, NY — GrammaTech, Inc. announced today that it has been awarded a $749,979 Small Business Innovative Research (SBIR) Program Phase II grant by the United States Air Force. Under the terms of the agreement, GrammaTech is developing a source-code analyzer that statically detects buffer-overrun security vulnerabilities.

Popular languages like C and C++ are particularly prone to programming errors that expose systems to attack. The most commonly exploited vulnerability is inadequate bounds checking on C/C++ buffers. By overrunning a stack buffer, an attacker can overwrite critical system bookkeeping information and take control of a system.
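To make the defect class concrete, here is a small added example (not code from GrammaTech or the Air Force program) showing the unchecked C copy that a source-code bounds checker would flag beside a form that enforces the bound. The `NAME_CAP` size, the function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_CAP 8  /* constructed: a small fixed-size buffer makes the overrun obvious */

/* Unchecked copy: the classic defect. dst_cap is ignored, so any src longer
 * than dst_cap - 1 bytes writes past the end of dst. Shown only as the
 * pattern a static checker reports; it is never called with oversized input. */
void copy_name_unchecked(char *dst, size_t dst_cap, const char *src)
{
    (void)dst_cap;
    strcpy(dst, src);   /* no constraint relates strlen(src) to dst_cap */
}

/* Checked copy: refuses input that does not fit and leaves dst untouched.
 * Returns 0 on success, -1 if src plus its terminator exceeds dst_cap. */
int copy_name_checked(char *dst, size_t dst_cap, const char *src)
{
    size_t len = strlen(src);
    if (dst_cap == 0 || len >= dst_cap)
        return -1;                /* would overrun: len + 1 > dst_cap */
    memcpy(dst, src, len + 1);    /* copies the terminating NUL as well */
    return 0;
}

int main(void)
{
    char name[NAME_CAP];
    const char *short_input = "alice";                          /* constructed: fits */
    const char *long_input  = "a-name-longer-than-eight-bytes"; /* constructed: does not fit */

    if (copy_name_checked(name, sizeof name, short_input) == 0)
        printf("accepted: %s\n", name);
    if (copy_name_checked(name, sizeof name, long_input) != 0)
        printf("rejected: %zu bytes do not fit in %zu\n",
               strlen(long_input), sizeof name);
    return 0;
}
```

The static check a tool performs is essentially the comparison `copy_name_checked` makes at run time, `strlen(src) + 1 <= dst_cap`, decided over all possible inputs before the program ever runs; when no such relation can be established for a call like the `strcpy` above, the call is reported.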

The seriousness of the problem has led to the development of tools targeted at preventing buffer overruns. Some of these tools do run-time monitoring, but such tools require significant computational overhead and/or miss classes of vulnerabilities. Furthermore, run-time tools do not completely eliminate the vulnerability: an overrun they catch still aborts the program, so it can still be exploited for denial of service. In contrast, source-code scanning tools have the potential to completely eliminate buffer-overrun vulnerabilities, without run-time overhead.

GrammaTech's approach uses advanced constraint-analysis techniques. The technology greatly increases the accuracy of automatic vulnerability detection, drastically reducing the amount of manual source-code analysis required. Furthermore, the remaining manual investigation can be simplified by GrammaTech's program-understanding tool, CodeSurfer®. The technology has the potential to help programmers rapidly identify and fix buffer-overflow vulnerabilities before applications are deployed.

About GrammaTech:
GrammaTech's static-analysis tools are used worldwide by startups, Fortune 500 companies, educational institutions, and government agencies. The staff includes fourteen researchers with PhDs in programming languages and program analysis.