Feng-Juan Gao,Yu Wang,Lin-Zhang Wang,Zijiang Yang,Xuan-Dong Li

DOI: https://doi.org/10.1007/s11390-020-0525-z

IF: 1.871

2020-01-01

Journal of Computer Science and Technology

Abstract:Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Huan Ying,Yanmiao Zhang,Lifang Han,Yushi Cheng,Jiyuan Li,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ITNEC.2019.8729362

2019-01-01

Abstract:As a modern power transmission network, smart grid connects plenty of terminal devices. However, along with the growth of devices are the security threats. Different from the previous separated environment, an adversary nowadays can destroy the power system by attacking these devices. Therefore, it’s critical to ensure the security and safety of terminal devices. To achieve this goal, detecting the pre-existing vulnerabilities of the device program and enhance the terminal security, are of great importance and necessity. In this paper, we propose a novel approach that detects existing buffer-overflow vulnerabilities of terminal devices via automatic static analysis (ASA). We utilize the static analysis to extract the device program information and build corresponding program models. By further matching the generated program model with pre-defined vulnerability patterns, we achieve vulnerability detection and error reporting. The evaluation results demonstrate that our method can effectively detect buffer-overflow vulnerabilities of smart terminals with a high accuracy and a low false positive rate.

ZHANG Jun-xian,LI Zhou-jun

DOI: https://doi.org/10.13190/j.jbupt.2016.s.012

2016-01-01

Abstract:Buffer overflow is a source of many security problems in C programs. A new tool named Path-Checker to detect buffer overflows in C codes using dynamic symbolic execution method is proposed. PathChecker uses quantifier-free predicate formulas to describe the safety properties of buffer access oper-ations and check these properties using a SMT solver. Experimental results show the effectiveness of this tool which is very easy to extend to check other safety properties.

Bo Wu,Yufeng Ma,Qian Zhang,Fengchen Qian

DOI: https://doi.org/10.23977/meet.2019.93720

2019-01-01

Abstract:Buffer overflows in C and C++ programs are among the most common and serious classes of software vulnerabilities for two decades. To mitigate and to eradicate this security threat, many detection approaches based on static and dynamic analysis techniques have been proposed. This paper aims to provide an alternative and multipath solution to existing symbolic execution approaches by catching the red-zones in memory, rather than the strict memory object bounds, which are absolute vulnerable to buffer overflows. From the observations of buffer overflow attacks that are commonly overwrite a special position to exploit the vulnerabilities, in this paper, we propose a multipath dynamic buffer overflow detecting approach (symbolic-execution-based), relying on catching the red-zones in the stack and heap memory. We examine every memory store operation both in concrete addresses and symbolic pointers, whose writing size should never overlap or cross a red-zone position. We implement a practical dynamic checking tool called MACBin based on S2E platform. We apply it to test several real world software, the results show that MACBin is useful and effective at detecting buffer overflow vulnerabilities.

Zhi-yuan WAN,Bo ZHOU

DOI: https://doi.org/10.3785/j.issn.1008-973x.2015.04.011

2015-01-01

Abstract:An approach based on static information flow tracking was proposed to detect input validation vulnerabilities in order to reduce the false positive rate of vulnerability detection techniques based on static analysis.The approach was implemented on top of the static code analysis tool FindBugs.The performance and precision of our approach were evaluated.Experimental results show that our approach can effectively detect input validation vulnerabilities.The false positive rate of FindBugs was reduced by 55.7% without significantly slowing the performance.

Rui Ma,Yiming Yan,Long Wang,Changzhen Hu,Jingfeng Xue

2016-01-01

Abstract:Buffer overflow vulnerability is currently one of the most serious software security vulnerabilities. Taking effective methods to detect buffer overflow vulnerabilities is of great significance to improve the robustness and security of software. After analyzing the principle of buffer overflow and various buffer overflow vulnerabilities, as well as comparing static with dynamic detection techniques, this paper presents a static detection method for buffer overflow based on abstract syntax tree, especially for vulnerabilities caused by string accessing of C source code. The proposed method first generates an abstract syntax tree for the source code by using the GCC compiler, and collects the characteristics of vulnerability by analyzing AST nodes. For the nodes associated with the buffer overflow, the method further gives a formal description of that characteristic so as to generate security attributed and constraint rules. By traversing the abstract syntax tree, the proposed method finally determines whether buffer overflow vulnerability exists in the source code. Experiments with 12 C programs were carried out on the Windows platform, and each program has been discovered at least one typical buffer overflow vulnerability. The experimental results highlight the feasibility and effectiveness of the proposed method, especially in the detecting out of range for a pointer, an array, and a structure object, as well as the buffer overflow vulnerability caused by some C library function calls.

Jingbo Yuan,Shunli Ding

DOI: https://doi.org/10.1109/iccsn.2011.6013572

2011-01-01

Abstract:Buffer overflow vulnerabilities are currently the most prevalent security vulnerability. The paper presents a method that combines static analysis with dynamic test to deal with the problem on buffer overflow vulnerabilities detecting. By using the method we can identify potential weakness locations. A buffer overflow vulnerabilities testing system was developed. The experiment results tested and verified that the new methodology is feasibility and availability.

YANG Yang,ZHANG Huan-guo,WANG Hou-zhen

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.06.036

2010-01-01

Computer Science

Abstract:Symbolic execution is an effective and automatic bug-finding method.But symbolic execution is limited in practice by the computation cost and path explosion.We presented a tool for full-automatic detection and generating inputs that lead to memory safety violations in C programs,including buffer overflow,buffer overrun and pointer derefe-rence error.In order to reduce the amount of symbol variable,we used the symbol variable to track the length of buf-fer and C string.The use of symbolic buffer length makes it possible to compactly summarize the behavior of standard buffer manipulation functions.While resolving the problem of path explosion,we introduced the dynamic slicing metho-ds to prune the redundant paths.It’s shown by the experiments that our method presented in this paper not only is feasible but also has little cost.

Luhang Xu,Weixi Jia,Wei Dong,Yongjun Li

DOI: https://doi.org/10.1109/qrs-c.2018.00085

2018-01-01

Abstract:Buffer overflow vulnerabilities are widely found in software. Finding these vulnerabilities and identifying whether these vulnerabilities can be exploit is very important. However, it is not easy to find all of the buffer overflow vulnerabilities in software programs, and it is more difficult to find and exploit these vulnerabilities in binary programs. This paper proposes a method and a corresponding tool that automatically finds buffer overflow vulnerabilities in binary programs, and then automatically generate exploit for the vulnerability. The tool uses symbolic execution to search the target software and find potential buffer overflow vulnerabilities, then try to bypass system protection by choosing different exploiting method according to the different level of protections. Finally, the exploit of software vulnerability is generated using constraint solver. The method and tool can automatically find vulnerabilities and generate exploits for three kinds of protection: without system protection, with address space layout randomization protection, and with stack non-executable protection.

Sun Ding,Hee Beng Kuan Tan,Kaiping Liu,Mahinthan Chandramohan,Hongyu Zhang

DOI: https://doi.org/10.1109/COMPSACW.2012.103

2012-01-01

Abstract:Buffer overflow vulnerability is one of the major security threats for applications written in C/C++. Among the existing approaches for detecting buffer overflow vulnerability, though flow sensitive based approaches offer higher precision but they are limited by heavy overhead and the fact that many constraints are unsolvable. We propose a novel method to efficiently detect vulnerable buffer overflows in any given control flow graph through recognizing two patterns. The proposed approach first uses syntax analysis to filter away those branches that cannot possibly comply with any of the two patterns before applying a limited symbolic evaluation for a precise matching against the patterns. The proposed approach only needs to evaluate a limited set of selected branch predicates according to the patterns and avoids the need to deal with a large number of general branch predicates. This significantly improves the scalability while not sacrificing the detection precision. Our experiments demonstrate the scalability and efficiency of the proposed method, which demonstrates its applicability.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

Shenglin Xu,Yongjun Wang

DOI: https://doi.org/10.1155/2022/1251987

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Stack buffer overflow vulnerability is a common software vulnerability that can overwrite function return addresses and hijack program control flow, causing serious system problems. Existing automated exploit generation (AEG) solutions cannot bypass position-independent executable (PIE) exploit mitigation and cannot cope with the situation where the standard output function is not introduced into the program. In this paper, we propose a solution to alleviate the above difficulties: BofAEG, which is based on symbolic execution and dynamic analysis to automatically detect stack buffer overflow vulnerability and generate exploit. We used to capture the flag (CTF) and common vulnerabilities and exposures (CVE) programs for experiments. Results show that BofAEG can not only detect and generate exploits effectively but also implement more exploit techniques and is faster than existing AEG solutions.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Shunli Ding,Jingbo Yuan

DOI: https://doi.org/10.1109/csae.2011.5952950

2011-01-01

Abstract:Buffer overflow attack is the most common and arguably the most dangerous attack method. The buffer overflow detecting will play a significant role in network security filed. Various solutions have been developed to address the buffer overflow vulnerability problem. The paper presents a method that combines static analysis with dynamic test. By using the method we can identify a lot of potential weakness locations. A buffer overflow vulnerabilities testing system was developed. Using the system some PE-format files and dynamic link library files are detected respectively. The experiment results show that the method is feasibility and availability.

Weizhong Qiang,Yuehua Liao,Guozhong Sun,Laurence T. Yang,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/access.2017.2676161

IF: 3.9

2017-01-01

IEEE Access

Abstract:During the lifecycle of a software system, software patches are committed to software repositories to fix discovered bugs or append new features. Unfortunately, the patches may bring new bugs or vulnerabilities, which could break the stability and security of the software system. A study shows that more than 15% of software patches are erroneous due to poor testing. In this paper, we present a novel approach for automatically determining whether a patch brings new vulnerabilities. Our approach combines symbolic execution with data flow analysis and static analysis, which allows a quick check of patch-related codes. We focus on typical memory-related vulnerabilities, including buffer overflows, memory leaks, uninitialized data, and dangling pointers. We have implemented our approach as a tool called KPSec, which we used to test a set of real-world software patches. Our experimental results show that our approach can effectively identify typical memory-related vulnerabilities introduced by the patches and improve the security of the updated software.

Misha Zitser,Richard Lippmann,Tim Leek

DOI: https://doi.org/10.1145/1041685.1029911

2004-11-01

ACM SIGSOFT Software Engineering Notes

Abstract:Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case with and a "OK" case without buffer overflows. Buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for Poly-Space and Splint which had average detection rates of 87% and 57%, respectively. However, average false alarm rates were high and roughly 50% for these two tools. On patched programs these two tools produce one warning for every 12 to 46 lines of source code and neither tool appears able to accurately distinguished between vulnerable and patched code.

English Else

Shikun Chen,Zhoujun Li

DOI: https://doi.org/10.1109/ICIS.2009.158

2009-01-01

Abstract:We present a highly automated technique to identify buffer overflows in C source code, and implement the approach in our prototype cboc. It is a sound tool, and of particular significance is its ability to easily deal with pointer expressions and dynamic memory allocations, which are integral parts of the buffer overflow problem. Our implementation hinges on a key design consideration: introducing the notion of site-safe expression allows us to manage pointer de-reference expediently, and the expense is that it may yield some false alarms. Fortunately, only a small number of false alarms are reported, and all probable false alarms belong to a special alarm type non-site-safe. Experiments show that cboc is competitive with state-of-the-art model checker CBMC.

Lei Wang,Qiang Zhang,Peng Zhao

DOI: https://doi.org/10.1109/SCAM.2008.24

2008-10-03

Abstract:Ensuring the correctness and reliability of software systems is one of the main problems in software development. Model checking, a static analysis method, is preponderant in improving the precision of vulnerabilities detection. However, when applied to buffer overflow and other bugs, it is hard to automatically construct the model for detecting the vulnerabilities. To address this problem we propose an approach that combines constraint based analysis and model checking together. We trace the memory size of buffer-related variables and instrument the code with corresponding constraint assertions before the potential vulnerable points by constraint based analysis. Then the problem of detecting vulnerabilities is converted into the problem of detecting vulnerabilities to verifying the reach ability of these assertions by model checking. In order to reduce the cost of model checking, program slicing is introduced to reduce the code size. CodeAuditor is a prototype implementation of our approach. With CodeAuditor, several yet unreported vulnerabilities are discovered in several open source software, and the performance is shown to be improved significantly with the help of program slicing.

Computer Science

Ashwin Kallingal Joshy,Xueyuan Chen,Benjamin Steenhoek,Wei Le

DOI: https://doi.org/10.1145/3460319.3464832

2021-06-29

Abstract:Static analysis is an important approach for finding bugs and vulnerabilities in software. However, inspecting and confirming static warnings are challenging and time-consuming. In this paper, we present a novel solution that automatically generates test cases based on static warnings to validate true and false positives. We designed a syntactic patching algorithm that can generate syntactically valid, semantic preserving executable code fragments from static warnings. We developed a build and testing system to automatically test code fragments using fuzzers, KLEE and Valgrind. We evaluated our techniques using 12 real-world C projects and 1955 warnings from two commercial static analysis tools. We successfully built 68.5% code fragments and generated 1003 test cases. Through automatic testing, we identified 48 true positives and 27 false positives, and 205 likely false positives. We matched 4 CVE and real-world bugs using Helium, and they are only triggered by our tool but not other baseline tools. We found that testing code fragments is scalable and useful; it can trigger bugs that testing entire programs or testing procedures failed to trigger.

Software Engineering