Note: For a few days, I've been trying to detect runtime issues such as buffer overflows (whether they are stack based or heap based) or use-after-frees. I tried to do that without changing the execution flow nor using any intermediate representation - only via behavior analysis. Detecting buffer overflows or use-after-frees isn't really difficult. The most difficult part was to detect the stack overflows, but that was also the most interesting part. Below, there is an example execution of my analyzer so that you can have a better idea of what it catches. I'm going to write a blog post about that very soon.

---------- Simple code with several tests ----------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_MAX 32

void test4_heap_overflow(char *buff1)
{
    /* 5 bytes overwritten outside the area "42 42 42 42 00" */
    strcpy(buff1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB");
}

void test5_stack_overflow(void)
{
    int a, b, i;

    a = 0x90909090;
    b = 0x91919191;
    /* i <= sizeof(b) writes one byte past b, on purpose */
    for (i = 0; i <= sizeof(b); i++)
        *(((unsigned char *)(&b)) + i) = 'E';
}

int main(int ac, const char *av[])
{
    char *buff1 = NULL, *buff2 = NULL;
    int i = 0;

    buff1 = malloc(BUFF_MAX);
    buff2 = malloc(BUFF_MAX);
    if (!buff1 || !buff2)
        return -1;

    /* Test 1 - heap overflow (off-by-one) */
    for (i = 0; i <= BUFF_MAX; i++)
        buff1[i] = 'A';

    /* Test 2 - heap overflow (off-by-one) - Via linear buffer buff1->buff2 */
    for (i = 0; i <= BUFF_MAX; i++)
        buff2[i] = 'B';

    /* Test 3 - Use after free */
    free(buff1);
    buff1[16] = 'C'; /* Will match */
    buff1 = malloc(BUFF_MAX);
    buff1[16] = 'C'; /* Will not match */

    /* Test 4 - Classical Heap overflow */
    test4_heap_overflow(buff1);

    /* Test 5 - Stack overflow */
    test5_stack_overflow();

    return 0;
}

---------------------------------------------------

Run my Pin tool on the above code.
$ gcc -o test test.c
$ ../../../pin -t ./obj-intel64/OverflowDetection.so -- ./test
400694: mov byte ptr [rax], 0x41 -- Heap overflow in f31030
4006b7: mov byte ptr [rax], 0x42 -- Heap overflow in f31060
4006d8: mov byte ptr [rax], 0x43 -- Use after free in f31020
4005df: mov dword ptr [rax+0x20], 0x42424242 -- Heap overflow in f31030
4005e6: mov byte ptr [rax+0x24], 0x0 -- Heap overflow in f31034
400613: mov byte ptr [rax], 0x45 -- Stack overflow in 7fff531e7688
$
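As an added illustration of the heap side of such a behavior-based check (this is example code, not the author's Pin tool, whose internals the note does not describe), the C below models the allocator state a tool like this has to track and replays the writes from tests 1 to 4 above using the addresses the tool printed. The chunk spacing (malloc(32) chunks 0x30 apart) and the 16-byte metadata gap are assumptions; the stack-overflow check of test 5 is not modeled.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not the author's tool: a Pin tool would call on_malloc/on_free
 * from allocator hooks and on_write from every memory-write instruction. */
#define MAX_CHUNKS 16
#define HEADER_BYTES 16   /* assumed metadata gap between adjacent chunks */
enum verdict { OK = 0, HEAP_OVERFLOW, USE_AFTER_FREE };
struct chunk { uintptr_t base; size_t size; int freed; };
static struct chunk chunks[MAX_CHUNKS];
static int nchunks;

/* A re-used address revives the freed slot: this is why the second buff1[16] write in test 3 is not reported. */
void on_malloc(uintptr_t base, size_t size) {
    for (int i = 0; i < nchunks; i++)
        if (chunks[i].base == base) { chunks[i].size = size; chunks[i].freed = 0; return; }
    if (nchunks < MAX_CHUNKS) chunks[nchunks++] = (struct chunk){ base, size, 0 };
}
void on_free(uintptr_t base) {
    for (int i = 0; i < nchunks; i++) if (chunks[i].base == base) chunks[i].freed = 1;
}

/* Classify one len-byte write at addr against the tracked chunks. */
enum verdict on_write(uintptr_t addr, size_t len) {
    enum verdict v = OK;                              /* memory the model does not track */
    for (int i = 0; i < nchunks; i++) {
        uintptr_t base = chunks[i].base, end = base + chunks[i].size;
        if (addr >= base && addr < end)               /* inside the user area */
            return chunks[i].freed ? USE_AFTER_FREE : (addr + len > end ? HEAP_OVERFLOW : OK);
        if (addr >= end && addr < end + HEADER_BYTES) /* in the metadata right after it */
            v = HEAP_OVERFLOW;
    }
    return v;
}

/* Replay tests 1-4 of the program above with the addresses the tool printed
 * (assumed geometry: malloc(32) chunks 0x30 apart). Returns the event count. */
int replay_page_trace(enum verdict out[6]) {
    uintptr_t b1 = 0xf31010, b2 = 0xf31040; int n = 0;
    nchunks = 0;                                      /* fresh model for the replay */
    on_malloc(b1, 32); on_malloc(b2, 32);
    out[n++] = on_write(b1 + 32, 1);     /* test 1: buff1[32], off-by-one      -> f31030 */
    out[n++] = on_write(b2 + 32, 1);     /* test 2: buff2[32], off-by-one      -> f31060 */
    on_free(b1);
    out[n++] = on_write(b1 + 16, 1);     /* test 3: buff1[16] after free       -> f31020 */
    on_malloc(b1, 32);
    out[n++] = on_write(b1 + 16, 1);     /* test 3: same write after re-malloc -> no match */
    out[n++] = on_write(b1 + 0x20, 4);   /* test 4: strcpy writes "BBBB"       -> f31030 */
    out[n++] = on_write(b1 + 0x24, 1);   /* test 4: strcpy writes the NUL      -> f31034 */
    return n;
}
```

A write that starts inside a live chunk but runs past its end (a multi-byte store straddling the boundary) is also reported as a heap overflow, which the per-byte tests above do not exercise.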