"... In PAGE 4: ...Table 3: Characteristics of buffer overflows many times. For example, for the SM-1 model program, there were 28 buffer overflows of the same buffer that were identical with regard to the features used in Table3 . It is likely that an actual static analysis tool would detect none or all of these similar buffer overflows and that a program- mer would also correct all or none.... In PAGE 4: ... It is likely that an actual static analysis tool would detect none or all of these similar buffer overflows and that a program- mer would also correct all or none. Results in Table3 reflect this assumption and do not count identical buffer overflows in one model program individually. Instead, the relative frequencies of the observed values in Table 3 were first cal- culated separately for each model program weighting each buffer overflow uniformly when computing relative frequen- cies.... In PAGE 4: ... Results in Table 3 reflect this assumption and do not count identical buffer overflows in one model program individually. Instead, the relative frequencies of the observed values in Table3 were first cal- culated separately for each model program weighting each buffer overflow uniformly when computing relative frequen- cies. Following this, overall relative frequencies were cal- culated by weighting relative frequencies uniformly for all model programs.... In PAGE 4: ... Following this, overall relative frequencies were cal- culated by weighting relative frequencies uniformly for all model programs. The results, giving each model program a weight of one, appear in Table3 and indicate that there is considerable variety in real buffer overflows. Most out-of- bound accesses exceed the upper bound, but one is below the lower bound.... In PAGE 6: ...Using features from Table3 , this buffer overflow is classified as: exceeds upper bound, char variable, on stack, buffer declaration and use in same scope, no container, no index computation, string function, no alias, no local control flow, no loop, and tainted input from the command line. This characterization, how- ever, inadequately reflects the difficulty of analyzing the code.... In PAGE 6: ... The bottom two buffer overruns occur when the real name from the gecos field in the passwd file is copied into a fixed length buffer with no length check. Using features from Table3 , these are both classified as: ex- ceeds upper bound, char variable, on stack, inter-procedural scope, no container, no index computation, pointer access, alias, in if statement, in for loop, and tainted input from a file. Both of these buffer overflows can be forced to occur by a local user because it is relatively easy to change the real name field in the password file to be a long string.... ..."

"... In PAGE 3: ... Hence, one of the best countermeasures is to hinder attack networks from being established in the first place, and defending against buffer overflow vulnerabilities is an important step in this direction. Table1 shows the percentages of CERT advisories between 1996 and 2001 relating to buffer overflow weaknesses. In 2001, more than 50 percent of CERT advisories involved buffer overflow.... ..."

"... In PAGE 61: ...3 Variation analysis This section studies the impact of larger first level caches and other transaction lengths. In Table4 , we present more insights of the system behavior by varying the ... In PAGE 62: ... 10 In Table4 , the first column represents the L1 cache size and transaction size (T. Size) with reference to the size in Table 2.... In PAGE 62: ...1% 0% 100% BL: Base line system, BF: System implemented with Bloom filter, Red.: Reduction From Table4 , we see that the speculative buffer overflow problem persists in the baseline system even with larger private L1 caches. With the transaction size that is indicated in Table 2, the cache size of 128 K manifest fewer numbers of overflows.... ..."

"... In PAGE 6: ...ach node, e.g., 20 packets. For example in the chain topol- ogy of Figure 1, the maximum queue size is 16 packets at node E, as shown in Table4 . The average queue sizes are all less than 2 packets.... ..."