XIA Jian-jun,SUN Le-chang,LIU Jing-ju,ZHANG Min,CAI Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.09.095

2011-01-01

Abstract:Buffer overflow(BOF) is always one of the most dangerous vulnerabilities to computer security.This paper proposed multi-dimentional Fuzzing of buffer overflow(MFBOF),which was based on multi-dimentional Fuzzing technology,combined the structure knowledge of target's input,static binary code analysis and dynamic I/O analysis technique,generated test cases using adaptive simulated annealing genetic algorithm.The results of testing Libpng validate that MFBOF is effective.At last,this paper gave its further improvement directions.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

Fanping Zeng,Liangliang Mao,Zhide Chen,Qing Cao

DOI: https://doi.org/10.1109/WICOM.2009.5302048

2009-01-01

Abstract:Integer overflow vulnerability is a kind of common software vulnerabilities, there has been no effective way to detect integer overflow vulnerabilities. Because of the lack of dynamic execution, static analysis can not determine the run-time distribution of memory, and may miss the detection of possible security issues; source code auditing is an expensive and time consuming process. Although there has been applying mutation analysis for testing ANSI C programs, and lots of mutation operators have been designed with respect to specific questions, there are not any of operators specifically designed for integer overflow. In this paper, we propose some new mutation operators to force the generation of adequate test data set for integer overflow vulnerabilities. The results indicate that the proposed operators are effective for detecting integer overflow vulnerabilities.

Si-Hao SHAO,Qing GAO,Sen MA,Fu-Yao DUAN,Xiao MA,Shi-Kun ZHANG,Jin-Hua HU

DOI: https://doi.org/10.13328/j.cnki.jos.005504

2018-01-01

Abstract:First,in this paper,the breadth and risk of buffer overflow vulnerabilities are introduced.Then,from the aspect of how to exploit a buffer overflow vulnerability,an overview is provided on the definition of buffer overflow vulnerabilities,memory organization in operation systems,and classification of buffer overflow attacks.Based on the research,buffer overflow analysis technologies are classified into three categories:automatic detection,automatic repair,and run-time protection.Each types of technologies are introduced,analyzed and discussed according to the classification.Finally,three possible research directions in the field of buffer overflow vulnerability analysis are discussed:(1) analyzing binary code;(2) using machine learning algorithms;(3) combining multiple technologies for analysis.

Sun Ding,Hee Beng Kuan Tan,Hongyu Zhang

DOI: https://doi.org/10.5220/0004888000490059

2014-01-01

Abstract:Buffer overflow vulnerability is one of the commonly found significant security vulnerabilities. This vulnerability may occur if a program does not sufficiently prevent input from exceeding intended size or accessing unintended memory locations. Researchers have put effort in different directions to address this vulnerability, including creating a run-time defence mechanism, proposing effective detection methods or automatically modifying the original program to remove the vulnerabilities. These techniques share many commonalities and also have differences. In this paper, we characterize buffer overflow vulnerability in the form of four patterns and propose ABOR--a framework that integrates, extends and generalizes existing techniques to remove buffer overflow vulnerability more effectively and accurately. ABOR only patches identified code segments; thus it is an optimized solution that can eliminate buffer overflows while keeping a minimum runtime overhead. We have implemented the proposed approach and evaluated it through experiments on a set of benchmarks and three industrial C/C++ applications. The experiment result proves ABORâ s effectiveness in practice.

Feng-Juan Gao,Yu Wang,Lin-Zhang Wang,Zijiang Yang,Xuan-Dong Li

DOI: https://doi.org/10.1007/s11390-020-0525-z

IF: 1.871

2020-01-01

Journal of Computer Science and Technology

Abstract:Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.

WANG Ye-jun,NI Xi-zhen,WEN Wei-ping,JIANG Jian-chun

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.033

2005-01-01

Abstract:The buffer overflow attacks have been the most common form in the network attacks and become a predominant problem in the system and network security area. After the principle of the buffer overflow attack is explained, this paper analyzes the causes leading to the attacks. Then the usual attack types the attackers often exploit are presented. Last, the common measures to defend these attacks and my own idea about the solution of this problem by modifying the compiler and the relevant functions of the system are given.

Peng Luo,Deqing Zou,Yajuan Du,Hai Jin,Changming Liu,Jinan Shen

DOI: https://doi.org/10.1016/j.cose.2019.101616

IF: 5.105

2019-01-01

Computers & Security

Abstract:Buffer overflow (BoF) is one of the most dangerous security vulnerabilities. A BoF can be induced by functions, such as the memcpy family, or loops with pointer or array operations. Static detection of BoF is a well-defined method and often performed before system deployment. However, most of previous static techniques either detect the BoFs induced by functions or analyze simple loops that induce BoFs, such as the single loop with a single loop variable. In order to clearly understand the impact of loops on BoF, we perform an empirical study on real-world BoFs detected in the past three years, including 211 BoFs from 60 open-source systems, and find that about a third of these BoFs are induced by loops. Motivated by this observation, we propose a novel static detection technique, DBloop, to localize BoFs induced by loops. The key of DBloop is to get the extremum length of data-movement on the buffer by analyzing target loops and then check whether the buffer overruns using constraint solving. We have implemented DBloop with CIL, and evaluated it on real-world programs detection by comparing with a commercial tool, Checkmarx, and an open-source tool, Splint. DBloop successfully localizes 57 BoFs induced by loops, while Checkmarx and Splint only detect 4 and 3, respectively. Moreover, DBloop has detected 4 new BoFs that have not been reported before.

Chao Zhang,Wei Zou,Tielei Wang,Yu Chen,Tao Wei

DOI: https://doi.org/10.3233/jcs-2011-0434

2011-01-01

Journal of Computer Security

Abstract:One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. Many programmers have not realized the existence of IO2BO and its harm. Even for those who are aware of IO2BO, locating and fixing IO2BO vulnerabilities are still tedious and error-prone. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then uses backward slicing to find out related vulnerable arithmetic operations, and finally instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers who want to check integer overflows manually. We evaluated IntPatch on a few real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have negligible runtime performance losses which are on average 1%.

Hao Sun,Xiangyu Zhang,Chao Su,Qingkai Zeng

DOI: https://doi.org/10.1145/2714576.2714605

2015-01-01

Abstract:Integer-Overflow-to-Buffer-Overflow ( IO2BO ) vulnerabilities can be exploited by attackers to cause severe damages to computer systems. In this paper, we present the design and implementation of IntTracker, an efficient dynamic tracking technique for detecting IO2BO vulnerabilities in C/C++ programs. IntTracker utilizes a static taint analysis to select potential overflow sites that are integer operations along critical paths, from sources that are program points reading values from users, to sinks that are memory allocation sites. It then instruments overflow checks at the selected sites. Instead of producing warnings once integer overflows occur, IntTracker replaces the overflown value with a very large and rarely used integer value ( dirty value), and treats such the value as an overflow tag. Tag propagation is performed by the existing program operations without any instrumentation as operations on dirty values often produce dirty values. Propagation can be automatically cut off by sanitization routines as they could prevent dirty values from affecting further program execution. IntTracker monitors whether any dirty value is used at a sink to detect IO2BO vulnerabilities. We evaluate IntTracker on 3444 programs of the NIST's SAMATE reference dataset, the SPEC CINT2000 benchmarks and 34 IO2BO bugs in real world. The experimental results show that IntTracker is effective in detecting harmful IO2BO vulnerabilities while bypassing false positives introduced by sanitization routines. Meanwhile, the runtime overhead is negligible, averaging about 0.69%. In contrast, IntPatch, the state of the art, produces a lot more false positives and has a higher overhead.

Donghai Tian,Xi Xiong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1007/978-3-642-18178-8_34

2010-01-01

Abstract:Nowadays Buffer overflow attacks are still recognized as one of the most severe threats in software security. Previous solutions suffer from limitations in that: 1) Some methods based on compiler extensions have limited practicality because they need to access source code; 2) Other methods that need to modify some aspects of the operating system or hardware require much deployment effort; 3) Almost all methods are unable to deploy a runtime protection for programs that cannot afford to restart. In this paper, we propose PHUKO, an on-the-fly buffer overflow prevention system which leverages virtualization technology. PHUKO offers the protected program a fully transparent environment and an easy deployment without the need to restart the program. The experiments show that our system can defend against realistic buffer overflow attacks effectively with moderate performance overhead.

Chao Zhang,Tielei Wang,Tao Wei,Yu Chen,Wei Zou

DOI: https://doi.org/10.1007/978-3-642-15497-3_5

2010-01-01

Abstract:The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability are critical for software security. In tins paper, we present the design and implementation of IntPatch, a. compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and datafiow analysis framework to identify potential IO2BO vulnerabilities, and then instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers to facilitate checking integer overflows. We evaluate IntPatch on a number of real-world applications. It has caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have a negligible runtime performance loss which is averaging about 1%.

Sun Ding,Hee Beng Kuan Tan,Hongyu Zhang

DOI: https://doi.org/10.1007/978-3-319-22348-3_12

2015-01-01

Abstract:Buffer overflow vulnerability is one of the commonly found significant security vulnerabilities. This vulnerability may occur if a program does not sufficiently prevent input from exceeding intended size and accessing unintended memory locations. Researchers have put effort in different directions to address this vulnerability. How, authorized reports and data showed that as more sophisticated attack vectors are being discovered, efforts on a single direction are not sufficient to resolve this critical issue well. In this paper, we characterize buffer overflow vulnerability in four patterns and propose ABOR, a framework to remove buffer overflow vulnerabilities from source code automatically. It only patches identified code segments, which means it is an optimized solution that eliminates buffer overflows at the maximum while adds runtime overhead at the minimum. We have implemented the proposed approach and evaluated ABOR over a set of real world C/C++ applications. The results prove ABOR’s effectiveness in practice.

REN Gao-ming,QIAO Xiang-dong,YANG Tong,BAI Jun-liang

DOI: https://doi.org/10.16208/j.issn1000-7024.2011.09.060

2011-01-01

Abstract:To verify whether WehnTrust have the expected detection and prevention function of buffer overflow attacks,experiments are designed to test it.First,the source code of the intrusion prevention system is analyzed and debugged.On this basis,five experiments are presented to simulate buffer overflow attack;and,aiming at the features of WehnTrust,experimental environment is built to simulate attacked test of the C++ virtual function,structured exception handing attack and format string attack.By analyzing and summarizing the experimental results,it is indicated that WehnTrust are not fully capable of intrusion prevention of the developers claimed.

Rui Ma,Yiming Yan,Long Wang,Changzhen Hu,Jingfeng Xue

2016-01-01

Abstract:Buffer overflow vulnerability is currently one of the most serious software security vulnerabilities. Taking effective methods to detect buffer overflow vulnerabilities is of great significance to improve the robustness and security of software. After analyzing the principle of buffer overflow and various buffer overflow vulnerabilities, as well as comparing static with dynamic detection techniques, this paper presents a static detection method for buffer overflow based on abstract syntax tree, especially for vulnerabilities caused by string accessing of C source code. The proposed method first generates an abstract syntax tree for the source code by using the GCC compiler, and collects the characteristics of vulnerability by analyzing AST nodes. For the nodes associated with the buffer overflow, the method further gives a formal description of that characteristic so as to generate security attributed and constraint rules. By traversing the abstract syntax tree, the proposed method finally determines whether buffer overflow vulnerability exists in the source code. Experiments with 12 C programs were carried out on the Windows platform, and each program has been discovered at least one typical buffer overflow vulnerability. The experimental results highlight the feasibility and effectiveness of the proposed method, especially in the detecting out of range for a pointer, an array, and a structure object, as well as the buffer overflow vulnerability caused by some C library function calls.

Donghai Tian,Xi Xiong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1016/j.compeleceng.2013.11.032

IF: 4.152

2014-01-01

Computers & Electrical Engineering

Abstract:Buffer overflow defenses have been comprehensively studied for many years. Different from previous solutions, we propose PHUKO, an on-the-fly buffer overflow prevention system which leverages virtualization technology. PHUKO offers the protected program a fully transparent environment and an easy deployment without the need to restart the program. Generally, the working process of PHUKO can be divided into two stages. First, we utilize static binary analysis to identify the instructions offline which are the entries of vulnerable functions. Second, by combining virtual machine introspection and online patching, PHUKO instruments the protected running program on-the-fly with memory safety enforcement. The experiments show that our system can defend against realistic buffer overflow attacks effectively with a moderate performance overhead.

PAN Yi,WU Chun-Mei,WU Gang-Shan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.03.041

2005-01-01

Computer Science

Abstract:Enhancing compiler technology is one of the publicly available methods for buffer overflow prevention. This paper compares four typical and publicly available tools for buffer overflow prevention by enhancing compiler technology. Our motivation for this is to guide software developers to choose an appropriate tool to increase software quality from a security point of view, and also guide the researchers to bring forward their own more effective and safer method on buffer overflow prevention.

CHEN Shikun,LI Zhoujun,HUANG Yonggang,XING Jianying

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.016

2009-01-01

Abstract:Buffer overflows are the main source of security issues in C programs.This paper presents a SAT-based technique to identify buffer overflows in C source codes using a source-to-source transformation which adds some statements into the source code to model the buffer properties, with some asserts to describe the buffer overflows.Then, the asserts are checked by SAT tools.This technique was used to automatically identify buffer overflows in source codes in 1 164 code fragments from a publicly available benchmark.Tests show that the system accurately located buffer overflow vulnerabilities in these programs with zero false alarms and an omission rate of only 2.08%.

Tieyun BAO,Fengjuan GAO,Yan ZHOU,You LI,Linzhang WANG,Xuandong LI

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.02.005

2016-01-01

Abstract:Buffer overflow vulnerability is a kind of serious security defect. Currently there are dynamic and static ap-proaches to detect buffer overflow. The effectiveness of Dynamic tools depends on design of test case, and they often in-troduce execution overhead. Static program analysis techniques have been widely used in buffer overflow detection, which often report a large number of false warnings. Manual validating the results of static analysis is time consuming and er-ror-prone, which severely limits the usefulness of static analysis tools. Symbolic execution is a promising software testing and analysis technology, which systematically explore execution space of test program and generates test cases with high coverage. In this paper we propose a novel approach for automatic buffer overflow warnings validating based on symbolic execution.Our approach is consist of three steps:firstly detect the reachability of statements in static analysis path segment in inter procedural control flow graph and map the static path segment sets to complete path sets which are used to be val-idated;secondly guide the symbolic execution so that we only focus on the execution paths that cover the buffer overflow warnings generated by static program analysis through pruning useless path; finally construct warning path constraints according to buffer overflow vulnerability models at suspicios statements and classify results depend on the output of con-straint solver. Based on the proposed technique we implemented a prototype tool BOVTool and our experimental results on real open source programs show that the percentage of false warnings which do not need to be manually validated is 59.9%on average.