DOI: 10.1145/1029894.1029911
Article

Testing static analysis tools using exploitable buffer overflows from open source code

Published: 31 October 2004

Abstract

Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case containing the buffer overflow and an "OK" case without it. The buffer overflows varied and included stack, heap, bss, and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for Poly-Space and Splint, which had average detection rates of 87% and 57%, respectively. However, the average false alarm rates of these two tools were high, roughly 50%. On patched programs these two tools produce one warning for every 12 to 46 lines of source code, and neither tool appears able to accurately distinguish between vulnerable and patched code.
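The BAD/OK pairing the abstract describes, as an added illustration written for this page rather than code from the paper or from Sendmail, BIND or WU-FTPD: each test case pairs a variant that contains the overflow with a variant that does not, so a tool's detection rate (BAD flagged) and false alarm rate (OK flagged) can be measured on near-identical code. The buffer name g_hdr, the size HDR_SZ and the inputs are constructed for the example. The pair covers two of the abstract's categories, an unbounded copy into a bss buffer and an off-by-one index write. bad_copy_would_overflow states the condition an analyzer has to prove false to report bad_copy as safe, and bad_fill_last_index reports the out-of-bounds index without executing the overflow.

```c
/* Added example: a BAD/OK test-case pair in the style the abstract
 * describes. Not code from the paper or the programs it studied;
 * g_hdr, HDR_SZ and all inputs are constructed for this illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_SZ 16                 /* constructed: fixed-size header buffer */

/* bss buffer used as the copy target by the helpers below. */
static char g_hdr[HDR_SZ];

/* BAD: copies src until its terminator with no bound on dst.
 * Any src of HDR_SZ or more bytes writes past a HDR_SZ destination.
 * Returns the number of bytes copied, excluding the NUL. */
size_t bad_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* OK: the same loop bounded by dstsz, leaving room for the NUL. */
size_t ok_copy(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    if (dstsz == 0)
        return 0;
    for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return i;
}

/* The condition an analyzer must prove false on every path before it
 * can report bad_copy as safe: src plus its NUL does not fit in dst. */
int bad_copy_would_overflow(size_t dstsz, const char *src)
{
    return strlen(src) + 1 > dstsz;
}

/* BAD: off-by-one index ("<=" instead of "<"); writes buf[HDR_SZ],
 * one element past a HDR_SZ buffer. Never called below. */
void bad_fill(char *buf, char c)
{
    size_t i;
    for (i = 0; i <= HDR_SZ; i++)
        buf[i] = c;
}

/* OK: bounded by the caller-supplied size. */
void ok_fill(char *buf, size_t bufsz, char c)
{
    size_t i;
    for (i = 0; i < bufsz; i++)
        buf[i] = c;
}

/* Highest index bad_fill's loop reaches, computed by mirroring the loop
 * bound without performing the write: HDR_SZ, past the last valid
 * index HDR_SZ - 1. */
size_t bad_fill_last_index(void)
{
    size_t i, last = 0;
    for (i = 0; i <= HDR_SZ; i++)
        last = i;
    return last;
}

/* Copies src into the global buffer with the OK variant and returns the
 * number of bytes stored; g_hdr is always NUL-terminated afterwards. */
size_t ok_copy_into_hdr(const char *src)
{
    return ok_copy(g_hdr, sizeof g_hdr, src);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *fits = "Subject: hi";
    const char *too_long = "Subject: this header is longer than HDR_SZ";

    printf("bad_copy overflows on fits?     %d\n",
           bad_copy_would_overflow(HDR_SZ, fits));
    printf("bad_copy overflows on too_long? %d\n",
           bad_copy_would_overflow(HDR_SZ, too_long));
    printf("ok_copy stored %zu bytes: \"%s\"\n",
           ok_copy_into_hdr(too_long), g_hdr);
    return 0;
}
```

The OK variants differ from the BAD ones by a single bound in the loop condition, which is the shape of the patched code the abstract reports the tools could not separate from the vulnerable code: a tool that cannot relate the loop bound to the destination size warns on both.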

Cited By

  • (2024) Buffer Access Monitoring for Enhanced Buffer Overflow Detection in Fuzzing. 2024 32nd International Conference on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), pp. 1-6. DOI: 10.1109/MASCOTS64422.2024.10786534. Published 21 Oct 2024.
  • (2024) Detecting security vulnerabilities with vulnerability nets. Journal of Systems and Software, Volume 208, Issue C. DOI: 10.1016/j.jss.2023.111902. Published 1 Feb 2024.
  • (2023) A Survey on Thwarting Memory Corruption in RISC-V. ACM Computing Surveys, Volume 56, Issue 2, pp. 1-29. DOI: 10.1145/3604906. Published 17 Jun 2023.
  • (2023) Using software metrics for predicting vulnerable classes in java and python based systems. Information Security Journal: A Global Perspective, Volume 33, Issue 3, pp. 251-267. DOI: 10.1080/19393555.2023.2240343. Published 28 Jul 2023.
  • (2023) A security vulnerability predictor based on source code metrics. Journal of Computer Virology and Hacking Techniques, Volume 19, Issue 4, pp. 615-633. DOI: 10.1007/s11416-023-00469-y. Published 17 Feb 2023.
  • (2023) A catalog of metrics at source code level for vulnerability prediction: A systematic mapping study. Journal of Software: Evolution and Process. DOI: 10.1002/smr.2639. Published 17 Nov 2023.
  • (2022) An empirical study on the effectiveness of static C code analyzers for vulnerability detection. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 544-555. DOI: 10.1145/3533767.3534380. Published 18 Jul 2022.
  • (2022) Characterizing and Improving Bug-Finders with Synthetic Bugs. 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 971-982. DOI: 10.1109/SANER53432.2022.00115. Published Mar 2022.
  • (2022) A Taxonomy of Software Flaws Leading to Buffer Overflows. 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS), pp. 1-8. DOI: 10.1109/QRS57517.2022.00011. Published Dec 2022.
  • (2022) Detecting Security Vulnerabilities with Vulnerability Nets. 2022 IEEE 22nd International Conference on Software Quality, Reliability, and Security Companion (QRS-C), pp. 375-383. DOI: 10.1109/QRS-C57518.2022.00062. Published Dec 2022.

Information

Published In

SIGSOFT '04/FSE-12: Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering
October 2004
282 pages
ISBN: 1581138555
DOI: 10.1145/1029894

Also published in ACM SIGSOFT Software Engineering Notes, Volume 29, Issue 6
November 2004
275 pages
ISSN: 0163-5948
DOI: 10.1145/1041685
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. buffer overflow
  2. evaluation
  3. exploit
  4. false alarm
  5. security
  6. source code
  7. static analysis
  8. test detection

Qualifiers

  • Article

Conference

SIGSOFT '04/FSE-12

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Article Metrics

  • Downloads (Last 12 months)58
  • Downloads (Last 6 weeks)5
Reflects downloads up to 14 Dec 2024

