Feng-Juan Gao,Yu Wang,Lin-Zhang Wang,Zijiang Yang,Xuan-Dong Li

DOI: https://doi.org/10.1007/s11390-020-0525-z

IF: 1.871

2020-01-01

Journal of Computer Science and Technology

Abstract:Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.

Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Tieyun BAO,Fengjuan GAO,Yan ZHOU,You LI,Linzhang WANG,Xuandong LI

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.005

2016-01-01

Abstract:Buffer overflow vulnerability is a kind of serious security defect. Currently there are dynamic and static ap-proaches to detect buffer overflow. The effectiveness of Dynamic tools depends on design of test case, and they often in-troduce execution overhead. Static program analysis techniques have been widely used in buffer overflow detection, which often report a large number of false warnings. Manual validating the results of static analysis is time consuming and er-ror-prone, which severely limits the usefulness of static analysis tools. Symbolic execution is a promising software testing and analysis technology, which systematically explore execution space of test program and generates test cases with high coverage. In this paper we propose a novel approach for automatic buffer overflow warnings validating based on symbolic execution.Our approach is consist of three steps:firstly detect the reachability of statements in static analysis path segment in inter procedural control flow graph and map the static path segment sets to complete path sets which are used to be val-idated;secondly guide the symbolic execution so that we only focus on the execution paths that cover the buffer overflow warnings generated by static program analysis through pruning useless path; finally construct warning path constraints according to buffer overflow vulnerability models at suspicios statements and classify results depend on the output of con-straint solver. Based on the proposed technique we implemented a prototype tool BOVTool and our experimental results on real open source programs show that the percentage of false warnings which do not need to be manually validated is 59.9%on average.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Hao Sun,Xiangyu Zhang,Chao Su,Qingkai Zeng

DOI: https://doi.org/10.1145/2714576.2714605

2015-01-01

Abstract:Integer-Overflow-to-Buffer-Overflow ( IO2BO ) vulnerabilities can be exploited by attackers to cause severe damages to computer systems. In this paper, we present the design and implementation of IntTracker, an efficient dynamic tracking technique for detecting IO2BO vulnerabilities in C/C++ programs. IntTracker utilizes a static taint analysis to select potential overflow sites that are integer operations along critical paths, from sources that are program points reading values from users, to sinks that are memory allocation sites. It then instruments overflow checks at the selected sites. Instead of producing warnings once integer overflows occur, IntTracker replaces the overflown value with a very large and rarely used integer value ( dirty value), and treats such the value as an overflow tag. Tag propagation is performed by the existing program operations without any instrumentation as operations on dirty values often produce dirty values. Propagation can be automatically cut off by sanitization routines as they could prevent dirty values from affecting further program execution. IntTracker monitors whether any dirty value is used at a sink to detect IO2BO vulnerabilities. We evaluate IntTracker on 3444 programs of the NIST's SAMATE reference dataset, the SPEC CINT2000 benchmarks and 34 IO2BO bugs in real world. The experimental results show that IntTracker is effective in detecting harmful IO2BO vulnerabilities while bypassing false positives introduced by sanitization routines. Meanwhile, the runtime overhead is negligible, averaging about 0.69%. In contrast, IntPatch, the state of the art, produces a lot more false positives and has a higher overhead.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Manuel Rigger,Daniel Pekarek,Hanspeter Mössenböck

DOI: https://doi.org/10.1007/978-3-030-02744-5_29

2018-11-22

Abstract:In languages like C, buffer overflows are widespread. A common mitigation technique is to use tools that detect them during execution and abort the program to prevent the leakage of data or the diversion of control flow. However, for server applications, it would be desirable to prevent such errors while maintaining availability of the system. To this end, we present an approach to handle buffer overflows without aborting the program. This approach involves implementing a continuation logic in library functions based on an introspection function that allows querying the size of a buffer. We demonstrate that introspection can be implemented in popular bug-finding and bug-mitigation tools such as LLVM's AddressSanitizer, SoftBound, and Intel-MPX-based bounds checking. We evaluated our approach in a case study of real-world bugs and show that for tools that explicitly track bounds data, introspection results in a low performance overhead.

Cryptography and Security

张实睿,许蕾,徐宝文

DOI: https://doi.org/10.3969/j.issn.1003-7985.2009.02.016

2009-01-01

Abstract:A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow. Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables. After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables. The effectiveness of this method is demonstrated in a case study. Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.

Kang Sun,Daliang Xu,Dongwei Chen,Xu Cheng,Dong Tong

2020-01-01

Abstract: Annex K of C11, bounds-checking interfaces, recently introduced a set of alternative functions to mitigate buffer overflows, primarily those caused by string/memory functions. However, poor compatibility limits their adoption. Failure oblivious computing can eliminate the possibility that an attacker can exploit memory errors to corrupt the address space and significantly increase the availability of systems. In this paper, we present S3Library (Saturation-Memory-Access Safer String Library), which is compatible with the standard C library in terms of function signature. Our technique automatically replaces unsafe deprecated memory/string functions with safer versions that perform bounds checking and eliminate buffer overflows via boundless memory. S3Library employs MinFat, a very compact pointer representation following the Less is More principle, to encode metadata into unused upper bits within pointers. In addition, S3Library utilizes Saturation Memory Access to eliminate illegal memory accesses into boundless padding area. Even if an out-of-bounds access is made, the fault program will not be interrupted. We implement our scheme within the LLVM framework on X86-64 and evaluate our approach on correctness, security, runtime performance and availability.

Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Zhi-qiang LIN,Yi WANG,Bing MAO,Li XIE

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.05.016

2007-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:This paper presents a dynamic and transparent toolkit, SafeBird, to defend against run-time buffer overflows by combining several techniques. SafeBird consists of three tools: SIET, LibsafeXP and SLI. SIET extracts the size and starting address information of program global variables from the symbol section of ELF executable file. LibsafeXP, a dynamic shared library and an extension to Libsafe, contains wrapper functions for all the buffer related C Standard Library functions. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge provided by SIET, heap buffer knowledge by intercepting/tracking memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. The third tool SLI is used to accomplish the function interception and inject the shared library, LibsafeXP, into the running process online without interruption. Compared with existing approaches, SafeBird is more transparent to programs: it works on binary mode, and neither requires the source code or any debug information, nor needs to stop/restart the protected software. Performance and effectiveness evaluations indicate that SafeBird could be used to prevent run-time buffer overflow attacks efficiently, and imposes only about 10 percent overhead on average.

PAN Yi,WU Chun-Mei,WU Gang-Shan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.03.041

2005-01-01

Computer Science

Abstract:Enhancing compiler technology is one of the publicly available methods for buffer overflow prevention. This paper compares four typical and publicly available tools for buffer overflow prevention by enhancing compiler technology. Our motivation for this is to guide software developers to choose an appropriate tool to increase software quality from a security point of view, and also guide the researchers to bring forward their own more effective and safer method on buffer overflow prevention.

Misha Zitser,Richard Lippmann,Tim Leek

DOI: https://doi.org/10.1145/1041685.1029911

2004-11-01

ACM SIGSOFT Software Engineering Notes

Abstract:Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case with and a "OK" case without buffer overflows. Buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for Poly-Space and Splint which had average detection rates of 87% and 57%, respectively. However, average false alarm rates were high and roughly 50% for these two tools. On patched programs these two tools produce one warning for every 12 to 46 lines of source code and neither tool appears able to accurately distinguished between vulnerable and patched code.

English Else

Jie Chen,Xiaoguang Mao

DOI: https://doi.org/10.1109/SERE-C.2012.35

2012-01-01

Abstract:Buffer overflow is one of the most dangerous and common vulnerabilities in CPS software. Despite static and dynamic analysis, manual analysis is still heavily used which is useful but costly. Human computation harness humans' time and energy in a way of playing games to solve computational problems. In this paper we propose a human computation method to detect buffer overflows that does not ask a person whether there is a potential vulnerability, but rather a random person's idea. We implement this method as a game called Bodhi in which each player is shown a piece of code snippet and asked to choose whether their partner would think there is a buffer overflow vulnerability at a given position in the code. The purpose of the game is to make use of the rich distributed human resource to increase effectiveness of manual detection for buffer overflows. The game has been proven to be efficient and enjoyable in practice.

Minglei SHANG,Hao HUANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.014

2005-01-01

Abstract:The principle of buffer overflow and overflow string are analyzed.Then several typical real-time buffer overflow attacks detectionmethods are analyzed.At last, a real-time buffer overflow attack detection approach based on system calls is presented.This approach adds mandatoryaccess control to original system call function by the means of hijacking system calls.In the way of monitoring illegal system calls,it can detect andprevent various buffer overflow attacks of improving priviledge.

Zhiqiang Lin,Bing Mao,Li Xie,I. I NTRODUCTION

DOI: https://doi.org/10.1109/IAW.2006.1652114

2006-01-01

Abstract:This paper presents a practical tool, LibsafeXP, to protect the software against the most common and severe attack, buffer overflows. As a dynamic shared library and an extension to Libsafe and LibsafePlus, LibsafeXP contains wrapper functions for all the buffer related functions in C standard library. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge extracted from the program symbol information, heap buffer knowledge by intercepting memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. Compared with other approaches, LibsafeXP is more transparent to programs: it works on binary mode, and neither requires the source code nor any debugging information. The performance and effectiveness evaluation indicates LibsafeXP could be used to defend against buffer overflow attacks and impose about 10 percent overhead on the protected software

Chao Zhang,Wei Zou,Tielei Wang,Yu Chen,Tao Wei

DOI: https://doi.org/10.3233/jcs-2011-0434

2011-01-01

Journal of Computer Security

Abstract:One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. Many programmers have not realized the existence of IO2BO and its harm. Even for those who are aware of IO2BO, locating and fixing IO2BO vulnerabilities are still tedious and error-prone. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then uses backward slicing to find out related vulnerable arithmetic operations, and finally instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers who want to check integer overflows manually. We evaluated IntPatch on a few real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have negligible runtime performance losses which are on average 1%.

Christof Fetzer,Zhen Xiao

DOI: https://doi.org/10.1109/RELDIS.2001.969756

2001-01-01

Abstract:Buffer overflow attacks are a major cause of secu- rity breaches in modern operating systems. Not only are overflows of buffers on the stack a security threat, over- flows of buffers kept on the heap can be too. A mali- cious user might be able to hijack the control flow of a root-privileged program if the user can initiate an over- flow of a buffer on the heap when this overflow over- writes a function pointer stored on the heap. This paper presents a fault-containment wrapper which provides ef- fective and efficient protection against heap buffer over- flows caused by C library functions. The wrapper inter- cepts every function call to the C library that can write to the heap and performs careful boundary checks before it calls the original function. This method is transparent to existing programs and does not require source code modification or recompilation. Experimental results on Linux machines indicate that the performance overhead is small.