• Corpus ID: 3841417

Statically Detecting Likely Buffer Overflow Vulnerabilities

@inproceedings{Larochelle2001StaticallyDL,
  title={Statically Detecting Likely Buffer Overflow Vulnerabilities},
  author={David Larochelle and David Evans},
  booktitle={USENIX Security Symposium},
  year={2001}
}
Buffer overflow attacks may be today's single most important security threat. [...] Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.
Verification of C Buffer Overflows in C Programs
TLDR
An implementation of a static approach for buffer overflow detection, which identifies likely vulnerabilities through an analysis of the source code, is described as an extension of HIP/SLEEK, an automated verification system based on separation logic.
Testing C Programs for Buffer Overflow Vulnerabilities
TLDR
A testing technique that instruments programs with code that keeps track of memory buffers and checks arguments to functions to determine whether they satisfy certain conditions; it warns when a buffer overflow may occur, even when the program is executed with "normal" test data.
Hybrid analysis of executables to detect security vulnerabilities
TLDR
This work presents a hybrid approach, a combination of static and dynamic analysis, to identify vulnerabilities in executables, exploiting the synergy between static and dynamic analysis to detect memory leaks, buffer overflows and dangling pointers.
Buffer overrun detection using linear programming and static analysis
This paper addresses the issue of identifying buffer overrun vulnerabilities by statically analyzing C source code. We demonstrate a light-weight analysis based on modeling C string manipulations as
ABOR: An Automatic Framework for Buffer Overflow Removal in C/C++ Programs
TLDR
ABOR, a framework that automatically removes buffer overflow vulnerabilities from source code, patches only the identified code segments; it is therefore an optimized solution that eliminates as many buffer overflows as possible while adding minimal runtime overhead.
Identify Stack Overflow Exploits with Dynamic Binary Instrumentation
  • Quanchen Zou, Wei Huang, Jing An, Wenqing Fan
  • Computer Science
    2015 International Conference on Industrial Informatics - Computing Technology, Intelligent Technology, Industrial Information Integration
  • 2015
TLDR
DStack is useful not only for identifying intrusion attempts but also for checking the run-time robustness of applications; it has been evaluated on two real-world CVE vulnerabilities and shown to help identify the root causes of stack overflows effectively.
A Methodology for the Automated Identification of Buffer Overflow Vulnerabilities in Executable Software Without Source-Code
TLDR
This paper presents a methodology for the automated detection of buffer overflow vulnerabilities in executable software that removes the need for source code availability or prior knowledge of vulnerable functions, and allows the analysis of executable code without any knowledge of its internal structure.
Static Techniques for Vulnerability Detection
TLDR
This paper argues that a comprehensive analysis is required to develop standard solutions against vulnerabilities, which are well-known and well-understood flaws introduced by the carelessness of software developers.
Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs
TLDR
ABOR is a framework that integrates, extends and generalizes existing techniques to remove buffer overflow vulnerabilities more effectively and accurately; it is an optimized solution that can eliminate buffer overflows while keeping runtime overhead to a minimum.
Improving Security Using Extensible Lightweight Static Analysis
TLDR
This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).

References

Showing 1-10 of 58 references
A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities
TLDR
The design and prototype of a new technique for finding potential buffer overrun vulnerabilities in security-critical C code are implemented and used to find new remotely exploitable vulnerabilities in a large, widely deployed software package.
StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
  • C. Cowan
  • Computer Science
    USENIX Security Symposium
  • 1998
TLDR
StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, along with a set of variations on the technique that trade off penetration resistance against performance.
Static detection of dynamic memory errors
Many important classes of bugs result from invalid assumptions about the results of functions and the values of parameters and global variables. Using traditional methods, these bugs cannot be
Transparent Run-Time Defense Against Stack-Smashing Attacks
TLDR
Two new methods to detect and handle buffer overflow vulnerabilities in process stacks are presented that work with any existing pre-compiled executable and can be used transparently per-process as well as on a system-wide basis.
ITS4: a static vulnerability scanner for C and C++ code
TLDR
ITS4, a tool for statically scanning security-critical C source code for vulnerabilities, stakes out a new middle ground between accuracy and efficiency and is efficient enough to offer real-time feedback to developers during coding while producing few false negatives.
Buffer overflows: attacks and defenses for the vulnerability of the decade
TLDR
This work surveys the various types of buffer overflow vulnerabilities and attacks, and considers which combinations of techniques can eliminate the problem, while preserving the functionality and performance of existing systems.
Extended static checking
TLDR
This talk reports on some of the research results of and the current state of the Extended Static Checking project at DEC SRC.
Flexible policy-directed code safety
  • David Evans, Andrew Twyman
  • Computer Science
    Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344)
  • 1999
TLDR
Naccio is presented, a system architecture that allows a large class of safety policies to be expressed in a general and platform-independent way, together with mechanisms that efficiently and conveniently enforce these safety policies by transforming programs.
Dynamically discovering likely program invariants to support program evolution
TLDR
This paper describes techniques for dynamically discovering invariants, along with an instrumenter and an inference engine that embody these techniques, and reports on the application of the engine to two sets of target programs.
Policy-directed code safety
TLDR
Naccio is introduced, a general architecture for constraining the behavior of program executions; the paper shows how a large class of safety policies can be defined and evaluates results from experience with the prototype implementations.