Buffer overflow patching for C and C++ programs-Reference-Cited by-同舟云学术

Buffer overflow patching for C and C++ programs

Published:2013-06 Issue:2 Volume:13 Page:8-19
ISSN:1559-6915
Container-title:ACM SIGAPP Applied Computing Review
language:en
Short-container-title:SIGAPP Appl. Comput. Rev.

Author:

Shahriar Hossain¹,Haddad Hisham M.¹,Vaidya Ishan¹

Affiliation:

1. Kennesaw State University, Kennesaw, GA

Abstract

The presence of buffer overflow (BOF) vulnerabilities in programs hampers essential security objectives such as confidentiality, integrity and availability. In particular, exploitations of BOF might lead to many unwanted consequences including denial of service through program crash, control flow hijacking, and corrupted program state. When BOF vulnerabilities are detected, they need to be patched before the software is redeployed. Source level automatic patching of vulnerabilities has the challenges of finding a set of general rules and consistently applying them without bringing any side effects to intended software. This paper proposes a set of general rules to address the mitigation of BOF vulnerabilities for C/C++ programs. In particular, we developed a set of rules to identify vulnerable code and how to make the code vulnerability free. The proposed rule-based approach addresses both simple (one statement) and complex (multiple statements) forms of code that can be vulnerable to BOF ranging from unsafe library function calls to the pointer usage in control flow structures (loop and conditional statements). We evaluated the proposed approach using two publicly available benchmarks and a number of open source C/C++ applications. The results show that the proposed rules can not only identify previously known BOF vulnerabilities, but also find new vulnerabilities. Moreover, the patching rules impose negligible overhead to the application.

Funder

Kennesaw State University College of Science and Mathematics Faculty Summer Research Award Program and Faculty Startup Research Grant

Publisher

Association for Computing Machinery (ACM)

Link

https://dl.acm.org/doi/pdf/10.1145/2505420.2505421

Reference30 articles.

1. Aleph One Smashing the Stack for Fun and Profit Phrack Magazine Volume 7 Issue 49 November 1996 Accessed from http://insecure.org/stf/smashstack.html Aleph One Smashing the Stack for Fun and Profit Phrack Magazine Volume 7 Issue 49 November 1996 Accessed from http://insecure.org/stf/smashstack.html

2. Assessing Test Suites for Buffer Overflow Vulnerabilities, International Journal on Software Engineering and Knowledge Engineering;Shahriar H.;World Scientific,2010

3. Mitigating program security vulnerabilities

4. Common Weakness Enumeration (CWE) http://cwe.mitre.org/documents/vuln-trends/index.html Common Weakness Enumeration (CWE) http://cwe.mitre.org/documents/vuln-trends/index.html

5. ITS4: Software Security Tool http://www.cigital.com/its4 ITS4: Software Security Tool http://www.cigital.com/its4

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. CorCA: An Automatic Program Repair Tool for Checking and Removing Effectively C Flaws;2023 IEEE Conference on Software Testing, Verification and Validation (ICST);2023-04

2. Automatic Prevention of Buffer Overflow Vulnerability Using Candidate Code Generation;IEICE Transactions on Information and Systems;2018-12-01

3. Research on Key Data Structure Localization Technology of Buffer Overflow Vulnerability;Proceedings of the 2018 International Conference on Information Science and System;2018-04-27

4. Auditing buffer overflow vulnerabilities using hybrid static–dynamic analysis;IET Software;2016-04