Software SecurityProgram Analysis with PREfast & SALErik PollDigital Security groupRadboud University Nijmegen1Recap from last week• Buffer overflows notorious source of security flaws in C(++) code– Classic example: attacker overflows buffer on the stack, to inject hisown machine code (aka shell code) and corrupt control data (ie. thereturn address) to execute this codePreventable by distinguishing W  X : (non)executable memory– Or: attacker corrupts control data to execute other code (library