DOI: 10.1145/2591062.2591199

Program transformations to fix C buffer overflows

Published: 31 May 2014

ABSTRACT

This paper describes two program transformations to fix buffer overflows originating from unsafe library functions and bad pointer operations. Together, these transformations fixed all buffer overflows featured in 4,505 programs of NIST’s SAMATE reference dataset, making the changes automatically on over 2.3 million lines of C code.

  • Published in

    ICSE Companion 2014: Companion Proceedings of the 36th International Conference on Software Engineering
    May 2014
    741 pages
    ISBN: 9781450327688
    DOI: 10.1145/2591062

    Copyright © 2014 ACM

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • Article

    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%
