Automatic discovery of API-level exploits

Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps, Randal E. Bryant

Research output: Contribution to journalConference articlepeer-review


We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.

Original languageEnglish (US)
Article number1553574
Pages (from-to)312-321
Number of pages10
JournalProceedings - International Conference on Software Engineering
StatePublished - 2005
Externally publishedYes
Event27th International Conference on Software Engineering, ICSE 2005 - Saint Louis, MO, United States
Duration: May 15 2005May 21 2005

All Science Journal Classification (ASJC) codes

  • Software


  • API-level exploit
  • Bounded model checking

Fingerprint Dive into the research topics of 'Automatic discovery of API-level exploits'. Together they form a unique fingerprint.

Cite this