Automatic discovery of API-level exploits

Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps, Randal E. Bryant

Research output: Contribution to conference › Paper › peer-review

1 Scopus citations


We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often depend on several low-level details of the component, such as the layout of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, do not model these low-level details and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic key-management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.
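The following is an added illustration of the abstract's central idea, not code from the paper or its authors: a format-string exploit is treated as a sequence of API operations (the printf directives), the interpreter state between directives is made explicit, and a bounded search looks for a directive sequence that drives the state to an attacker goal (writing a chosen value to a chosen address via %n). The printf semantics are deliberately simplified (32-bit words, hex and %n directives only, fixed field widths), and the stack layout, word values, target address and target value are a constructed toy scenario chosen for the example; they are not taken from the paper.

```python
"""Bounded search for a format-string exploit modelled as an API-level exploit.

Added illustration, not code from the paper.  All concrete numbers (stack
layout, word values, TARGET_ADDR, TARGET_VALUE) are a constructed toy
scenario; printf is simplified to "%x", "%<width>x" and "%n" over 32-bit words.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

WORD_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class State:
    """Interpreter state between two directives (the 'low-level details')."""
    arg_index: int                       # next stack word printf will consume
    count: int                           # characters emitted so far
    memory: Tuple[Tuple[int, int], ...]  # (address, value) pairs written by %n


def step(state: State, directive: str, stack: List[int]) -> Optional[State]:
    """Apply one directive (one 'API operation').

    Returns None when the directive would read past the modelled stack; we
    treat that as a crash, not as a useful exploit state.
    """
    if state.arg_index >= len(stack):
        return None
    word = stack[state.arg_index] & WORD_MASK
    if directive == "%n":
        # %n stores the running character count through a pointer taken from
        # the argument list; a planted stack word lets the attacker pick where.
        mem = dict(state.memory)
        mem[word] = state.count
        return State(state.arg_index + 1, state.count, tuple(sorted(mem.items())))
    # "%x" or "%<width>x": emit the hex form of the word, padded to <width>.
    assert directive.startswith("%") and directive.endswith("x")
    width = int(directive[1:-1] or "0")
    emitted = max(width, len(f"{word:x}"))
    return State(state.arg_index + 1, state.count + emitted, state.memory)


def find_exploit(stack: List[int], directives: List[str], target_addr: int,
                 target_value: int, bound: int) -> Optional[List[str]]:
    """Breadth-first search over directive sequences of length <= bound.

    The state space (arg_index, count, memory) is unbounded in general, so the
    search is cut off at a fixed depth; that is the bounded-search idea.
    Returns the shortest sequence that writes target_value to target_addr,
    or None if no such sequence exists within the bound.
    """
    start = State(0, 0, ())
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if dict(state.memory).get(target_addr) == target_value:
            return path
        if len(path) == bound:
            continue
        for d in directives:
            nxt = step(state, d, stack)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [d]))
    return None


# Constructed scenario: the attacker's buffer sits on the stack, so the third
# word printf reads is attacker-controlled and holds the address to overwrite.
TARGET_ADDR = 0x0804A018          # hypothetical address, chosen for the toy
STACK_WORDS = [0xDEADBEEF, 0x0, TARGET_ADDR]
DIRECTIVES = ["%x", "%8x", "%12x", "%16x", "%20x", "%n"]
TARGET_VALUE = 36                 # value the exploit must leave at TARGET_ADDR


def run() -> Optional[List[str]]:
    """Search with a depth bound of 4 directives."""
    return find_exploit(STACK_WORDS, DIRECTIVES, TARGET_ADDR, TARGET_VALUE, bound=4)


if __name__ == "__main__":
    print("".join(run() or ["<no exploit within bound>"]))
```

The point the example makes is the one the abstract draws: the vulnerability (an attacker-controlled format string) is the same regardless of stack contents, but whether an exploit exists, and what it looks like, depends on low-level details such as which argument slot holds the planted address and what the neighbouring words print as. Change TARGET_VALUE to a count no combination of widths can reach, or move the planted address beyond the depth bound, and the search correctly reports no exploit within the bound.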

Original language: English (US)
Number of pages: 10
State: Published - 2005
Externally published: Yes
Event: 27th International Conference on Software Engineering, ICSE05 - St. Louis, MO, United States
Duration: May 15 2005 - May 21 2005


Other: 27th International Conference on Software Engineering, ICSE05
Country/Territory: United States
City: St. Louis, MO

All Science Journal Classification (ASJC) codes

  • Engineering(all)


Keywords

  • API-level exploit
  • Bounded model checking


