Jingbo Yuan,Shunli Ding

DOI: https://doi.org/10.1109/iccsn.2011.6013572

2011-01-01

Abstract:Buffer overflow vulnerabilities are currently the most prevalent security vulnerability. The paper presents a method that combines static analysis with dynamic test to deal with the problem on buffer overflow vulnerabilities detecting. By using the method we can identify potential weakness locations. A buffer overflow vulnerabilities testing system was developed. The experiment results tested and verified that the new methodology is feasibility and availability.

Huan Ying,Yanmiao Zhang,Lifang Han,Yushi Cheng,Jiyuan Li,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ITNEC.2019.8729362

2019-01-01

Abstract:As a modern power transmission network, smart grid connects plenty of terminal devices. However, along with the growth of devices are the security threats. Different from the previous separated environment, an adversary nowadays can destroy the power system by attacking these devices. Therefore, it’s critical to ensure the security and safety of terminal devices. To achieve this goal, detecting the pre-existing vulnerabilities of the device program and enhance the terminal security, are of great importance and necessity. In this paper, we propose a novel approach that detects existing buffer-overflow vulnerabilities of terminal devices via automatic static analysis (ASA). We utilize the static analysis to extract the device program information and build corresponding program models. By further matching the generated program model with pre-defined vulnerability patterns, we achieve vulnerability detection and error reporting. The evaluation results demonstrate that our method can effectively detect buffer-overflow vulnerabilities of smart terminals with a high accuracy and a low false positive rate.

XIA Yi-Min,LUO Jun,ZHANG Min-Xuan

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.10.074

2006-01-01

Computer Science

Abstract:Security vulnerability of software is a serious threat for information security. Static analysis can find security vulnerabilities by automatically deriving information about the behavior of software. Comparing with other program analysis methods, static analysis method can detect security vulnerabilities automatically and effectively. This paper presents the theory basis and principles of static analysis methods, and introduces their applications and characters in security vulnerabilities detection. At last, we show some security languages which can support detection of security vulnerability.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Liu Xin,Cai Wandong

DOI: https://doi.org/10.1109/iccsn.2011.6013559

2011-01-01

Abstract:In this article we address program errors, and through the static code analysis. First, we use inter-procedural based on analysis and blunt insensitive vulnerability testing model, — extracted from the source code. Second, we use of model checking to solve the model. In addition, we do alias analysis method is correct and accuracy testing model. This paper proposed concepts are aimed at those general class buffer of those loopholes and can be applied to the detection of buffer overrun vulnerabilities types such as format string of attacks, and the test code injection. In order to evaluate the effectiveness of CodeAuditor, use the tool to detect the loophole few C affinity grams. We take six open source applications as a test. Experimental results show that, 18 previously unknown vulnerabilities in six open source applications have found our tools. The observation is false positives in about 23%.

Rui Ma,Yiming Yan,Long Wang,Changzhen Hu,Jingfeng Xue

2016-01-01

Abstract:Buffer overflow vulnerability is currently one of the most serious software security vulnerabilities. Taking effective methods to detect buffer overflow vulnerabilities is of great significance to improve the robustness and security of software. After analyzing the principle of buffer overflow and various buffer overflow vulnerabilities, as well as comparing static with dynamic detection techniques, this paper presents a static detection method for buffer overflow based on abstract syntax tree, especially for vulnerabilities caused by string accessing of C source code. The proposed method first generates an abstract syntax tree for the source code by using the GCC compiler, and collects the characteristics of vulnerability by analyzing AST nodes. For the nodes associated with the buffer overflow, the method further gives a formal description of that characteristic so as to generate security attributed and constraint rules. By traversing the abstract syntax tree, the proposed method finally determines whether buffer overflow vulnerability exists in the source code. Experiments with 12 C programs were carried out on the Windows platform, and each program has been discovered at least one typical buffer overflow vulnerability. The experimental results highlight the feasibility and effectiveness of the proposed method, especially in the detecting out of range for a pointer, an array, and a structure object, as well as the buffer overflow vulnerability caused by some C library function calls.

Yifei Xiao,Dahai Jin,Dalin Zhang

DOI: https://doi.org/10.2991/icmmcce-15.2015.435

2015-01-01

Abstract:In the modern society, with the high-speed development of computer science and technology, the wave of the Internet economy is around the world, the use of computer software in every corner of our lives, various applications emerge in endlessly, people pay more and more attention on software security. Tainted data which comes from the external input variables and has been used by some function without detection of legitimacy is a kind of code security defect. In this paper, the author provides a detailed analysis and classification on the cause of the security defect, and introduces a method of tainted data detection based on static code analysis. The detection method preprocesses the code firstly to create abstract syntax tree, symbol table, control flow graph and function call graph. To analysis the relationship between the function calls, the author uses the function summary instead of expansion of the functions. In the last, by using this method to detect some open source projects, the experiment shows that this method has both lower positive rate and negative rate.

XIA Chao,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.065

2008-01-01

Abstract:This paper proposes a method to detect buffer-overflow vulnerabilities for executables.Combining dynamic analysis and static analysis, it makes further detection of buffer-overflow vulnerabilities.Static methods mainly deal with the internal semantic relationship of assembly instructions and the properties of a function's stack frame for executables.Dynamic emulation provides a virtual run-time environment,which enables the program to combine its static properties while virtually executed,and then it can get the function's semantic results on buffer manipulation,and determine whether there is a buffer-overflow vulnerability.

张林,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.055

2008-01-01

Abstract:This paper summarizes two strategies of software security flaw detection,named static analysis and program verification.Several static detection methods such as lexical analysis,rule checking,type theory deduction,model checking,theorem proving,and symbol execution are also synthetically reviewed.It discusses the advantage,applicability and tendency of static detecting techniques.

Peng Li,Baojiang Cui

DOI: https://doi.org/10.1109/icitis.2010.5689543

2010-01-01

Abstract:Using static analysis tools can detect software vulnerabilities, which is important for improving the security of software. Static analysis technology has developed rapidly, but the comparison and evaluation of static analysis techniques and tools are not much. This paper focuses on software vulnerability static analysis techniques and tools. First we discuss the commonly-used static analysis techniques and tools, and compare these tools in a technical perspective, and then we analyze the characteristics of these tools through the experiment, finally, combining dynamic analysis, we propose an efficient software vulnerability detection method.

Aiman Hanna,Hai Zhou Ling,Xiaochun Yang,Mourad Debbabi

DOI: https://doi.org/10.1007/978-3-642-05151-7_5

2009-01-01

Abstract:The main contribution of this paper is a framework for security testing. The key components of this framework are twofold: First, a static analyzer that automatically identifies suspicious sites of security vulnerabilities in a control flow graph. Second, a test-data generator. The intent is to attempt proving/disproving whether, or not, the suspicious sites are actual vulnerabilities. The paper introduces the static-dynamic hybrid vulnerability detection system, a system that targets the automation of security vulnerability detection in software. The system combines the detection powers of both static and dynamic analysis. Various components compose this model, namely Static Vulnerability Revealer, Goal-Path-oriented System, and Dynamic Vulnerability Detector.

xiaoyu wang,qiaoyan wen,zhao zhang

DOI: https://doi.org/10.2991/lemcs-14.2014.70

2014-01-01

Abstract:Buffer overflow has become the most common software vulnerability, which seriously restricts the development of the software industry. It's very essential t o find out an effective method to detect this kind of software bugs accurately. In this paper, we design an improved buffer overflow detection system. At first, our system preprocesses the source code to add some auxiliary detection symbols. Then, it scans the source code by a static detector, which uses the identifier for auxiliary detection and combines with a dynamic detection method to improve the recognition accuracy and detection capability. Finally, we make a comparison between our system and the original detection system. To assess the usefulness of this approach, several experiments are performed on a simulation system, and we can draw a conclusion that our system performs better than other detection software. The method proposed in this paper is of the important application value and can improve detection accuracy.

Shunli Ding,Jingbo Yuan

DOI: https://doi.org/10.1109/csae.2011.5952950

2011-01-01

Abstract:Buffer overflow attack is the most common and arguably the most dangerous attack method. The buffer overflow detecting will play a significant role in network security filed. Various solutions have been developed to address the buffer overflow vulnerability problem. The paper presents a method that combines static analysis with dynamic test. By using the method we can identify a lot of potential weakness locations. A buffer overflow vulnerabilities testing system was developed. Using the system some PE-format files and dynamic link library files are detected respectively. The experiment results show that the method is feasibility and availability.

Lei Wang,Qiang Zhang,Peng Zhao

DOI: https://doi.org/10.1109/SCAM.2008.24

2008-10-03

Abstract:Ensuring the correctness and reliability of software systems is one of the main problems in software development. Model checking, a static analysis method, is preponderant in improving the precision of vulnerabilities detection. However, when applied to buffer overflow and other bugs, it is hard to automatically construct the model for detecting the vulnerabilities. To address this problem we propose an approach that combines constraint based analysis and model checking together. We trace the memory size of buffer-related variables and instrument the code with corresponding constraint assertions before the potential vulnerable points by constraint based analysis. Then the problem of detecting vulnerabilities is converted into the problem of detecting vulnerabilities to verifying the reach ability of these assertions by model checking. In order to reduce the cost of model checking, program slicing is introduced to reduce the code size. CodeAuditor is a prototype implementation of our approach. With CodeAuditor, several yet unreported vulnerabilities are discovered in several open source software, and the performance is shown to be improved significantly with the help of program slicing.

Computer Science

XU Chao,HE Yan-xiang,HU Ming-hao,WU Wei,CHEN Yong,LIU Jian-bo

DOI: https://doi.org/10.3969/j.issn.1001-3695.2012.02.057

2012-01-01

Abstract:To enhance the buffer overflow detection for programs,this paper put forward a testing method based the analysis for C programs using CCured and BLAST.Firstly,the method used CCured to insert runtime detections into C program,and then described the constraints of the detections with the customized security-attribute language provided by BLAST.At last,according to the descriptions,BLAST could do model checking on the programs to find out the potential buffer overflow vulnerabilities in the programs as far as possible.

Xiaosong Zhang,Lin Shao,Jiong Zheng

DOI: https://doi.org/10.1109/ICACIA.2008.4770021

2008-01-01

Abstract:Buffer overflow vulnerabilities can cause attacks that result in serious consequences. However the techniques of buffer overflow vulnerability detection are limited to manual analysis, binary-patch comparison, fuzzing and so on. They rely on manual analysis, thus cause high overhead. In this paper, we propose a novel method of detection of buffer overflow vulnerabilities, which is based on fuzzing, data-flow dynamic analysis and automated exception analysis. This new method effectively improves the detection of unknown security vulnerabilities (0 Day). Moreover, it is more automated and has better performance in finding new security vulnerabilities.

SHI Sheng-li,REN Ping-an

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.10.037

2011-01-01

Abstract:According to the features that the attacker usual depends on modifying function return address or function entry address to change the program execution sequence and the structural characteristics of ELF file,while calling function and returning after function calling,certain specific information is dealed with in order to detect attack action.This paper presents a new approach of detecting buffer overflow attacks at runtime depending on the pin that is a tool for the dynamic program monitoring and provides numbers of API functions to design a tool which executives runtime program.Case analysis shows that the method does not need alter the software and hardware system.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

SHAO Lin,ZHANG Xiao-song,SU En-biao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.03.088

2009-01-01

Abstract:The techniques of buffer overflow vulnerabilities detection was single and limited to manual analysis,binary-patch comparison,fuzzing and so on.These techniques of vulnerabilities detection were either too dependent on manual analysis or too blind,leading up to the low efficiency of vulnerabilities detection.Introduced a new method of buffer overflow vulnerabilities detection,which was based on fuzzing,data-flow dynamic analysis and automated exception analysis.Overcame the disadvantages of old techniques,this new method effectively improves the detection of potential unknown security vulnerabilities(0day) in software.Besides,this method is more automated and performs better in finding new security vulnerabilities.