Cristina Cifuentes, Sun Microsystems Laboratories, Brisbane

Parfait – Layered Program Analysis for Bug and Security Vulnerability Checking of C Code

A security vulnerability is a software bug that can be exploited by an external attacker. Security vulnerabilities pose a major threat to operating systems and to programs that execute with elevated privileges, since an attacker who exploits such a vulnerability can gain total control over the computer system. Even under a rigid software development process, bugs are introduced that may result in severe security vulnerabilities. This is especially true for large legacy systems written in C and C++.

Manual code inspection is the predominant approach to finding security vulnerabilities. Inspections are time-consuming, repetitive and tedious, and they can never be complete or time-effective, particularly given the size of today's code bases (thousands to millions of lines of code).

As a systems company, Sun develops systems software in languages such as C and C++, which offer good performance but are not type safe. For example, the Solaris operating system is written in C, the HotSpot Java VM is written in C++, and the Sun Studio compilers and support tools (e.g., dbx) are written in C and C++.

Static bug checking tools can support the repetitive and tedious security auditing phase of the development process. Specific vulnerability classes these tools can detect include buffer overflows, integer overflows and format string exploits. Although bug checking tools provide assistance, theoretical limits (whether an arbitrary program contains a given bug is undecidable in general) mean that no tool can identify every bug without also raising false alarms. Moreover, if a bug checking tool is unsound, real bugs can be overlooked.

In this talk I give an overview of our new project, Parfait, a static, layered program analysis framework for checking bugs in C systems code. The framework is coupled with security domain knowledge to better cater for security vulnerabilities in large systems code. It was designed to give better precision (fewer false positives), to scale (produce results for millions of lines of code in a run-time-efficient manner), and to support security vulnerability analysis.
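The three vulnerability classes named in the abstract, each shown as the C pattern a static checker would flag next to a corrected form. This is an added illustration, not code from the abstract or from Parfait itself; the function names and the 16-byte buffer size are assumptions chosen for the example.

```c
/* Added example (not Parfait code): the three bug classes the abstract
 * names, each as the pattern a checker flags beside a corrected form.
 * Function names and BUF_LEN are hypothetical choices for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* 1. Buffer overflow: strcpy copies until the NUL, ignoring dst's size.
 *    A checker flags the unbounded copy into a fixed-size buffer. */
void copy_name_unsafe(char dst[BUF_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Corrected: copy at most BUF_LEN-1 bytes and always NUL-terminate.
 * Returns 1 if src fit, 0 if it was truncated. */
int copy_name_safe(char dst[BUF_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n < BUF_LEN) {
        memcpy(dst, src, n + 1);
        return 1;
    }
    memcpy(dst, src, BUF_LEN - 1);
    dst[BUF_LEN - 1] = '\0';
    return 0;
}

/* 2. Integer overflow: count * elem wraps, so a later malloc() gets a
 *    block far smaller than the caller then writes into. */
size_t alloc_size_unsafe(size_t count, size_t elem)
{
    return count * elem;
}

/* Corrected: check for wrap-around before multiplying.
 * Returns 1 and stores the product in *out, or 0 if it would overflow. */
int alloc_size_safe(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* 3. Format string: attacker-controlled text is used as the format, so a
 *    "%x" or "%n" in it reads or writes memory. Compilers warn about this
 *    under -Wformat-security. Returns snprintf's count. */
int log_msg_unsafe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, user);
}

/* Corrected: the user text is an argument to a fixed format. */
int log_msg_safe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, "%s", user);
}

int main(void)
{
    char name[BUF_LEN], line[32];
    size_t bytes;

    copy_name_safe(name, "a-very-long-user-name-indeed");
    printf("truncated copy: \"%s\"\n", name);

    /* (SIZE_MAX / 2 + 1) * 2 wraps to exactly 0 on every word size */
    printf("wrapped size: %zu\n", alloc_size_unsafe(SIZE_MAX / 2 + 1, 2));
    printf("checked size ok: %d\n", alloc_size_safe(SIZE_MAX / 2 + 1, 2, &bytes));

    /* Constructed input "100%%": the unsafe version interprets it as a
     * format ("100%"), the safe one copies it literally ("100%%"). No %x
     * or %n is used, so this run is harmless. */
    log_msg_unsafe(line, sizeof line, "100%%");
    printf("unsafe: %s\n", line);
    log_msg_safe(line, sizeof line, "100%%");
    printf("safe:   %s\n", line);
    return 0;
}
```

Each unsafe/safe pair keeps the same signature so the difference a checker must see is confined to one call: an unbounded copy, an unchecked multiplication, and a non-literal format string. The integer case is the one most often missed by inspection, because the dangerous value never appears in the source; it only exists as the wrapped product at run time.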