Abstract
In this paper, a new static method for automated detection of vulnerabilities that could result in buffer overflows in programs is suggested. The problem of defending software against threats related to buffer overflows is a very important one. Currently, no satisfactory approaches to its solution exist. The existing dynamic methods make it possible to avoid incorrect execution for certain classes of programs. The basic disadvantage of these methods is that the procedure of error detection after a session of tests is very involved. Moreover, they do not guarantee that the results obtained are correct. Static analysis methods are, as a rule, lexical scanners and do not thoroughly analyze either the execution of the program or its memory content (e.g., arrays, variables, and the like). The objective of the suggested method is to improve the situation in this field and to facilitate the audit of program code by the programmer.
Additional information
Translated from Programmirovanie, Vol. 31, No. 4, 2005.
Original Russian Text Copyright © 2005 by Puchkov, Shapchenko.
Cite this article
Puchkov, F.M., Shapchenko, K.A. Static Analysis Method for Detecting Buffer Overflow Vulnerabilities. Program Comput Soft 31, 179–189 (2005). https://doi.org/10.1007/s11086-005-0030-8
DOI: https://doi.org/10.1007/s11086-005-0030-8