Article

A Dynamic Technique for Eliminating Buffer Overflow Vulnerabilities (and Other Memory Errors)

Authors:

Tudor LeuAuthors Info & Claims

ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference

Pages 82 - 90

https://doi.org/10.1109/CSAC.2004.2

Published: 06 December 2004 Publication History

Publisher Site

Abstract

Buffer overflow vulnerabilities are caused by programming errors that allow an attacker to cause the program to write beyond the bounds of an allocated memory block to corrupt other data structures.The standard way to exploit a buffer overflow vulnerability involves a request that is too large for the buffer intended to hold it.The buffer overflow error causes the program to write part of the request beyond the bounds of the buffer, corrupting the address space of the program and causing the program to execute injected code contained in the request. We have implemented a compiler that inserts dynamic checks into the generated code to detect all out of bounds memory accesses.When it detects an out of bounds write, it stores the value away in a hash table to return as the value for corresponding out of bounds reads.The net effect is to (conceptually) give each allocated memory block unbounded size and to eliminate out of bounds accesses as a programming error. We have acquired several widely used open source servers (Apache, Sendmail, Pine, Mutt, and Midnight Commander). With standard compilers, all of these servers are vulnerable to buffer overflow attacks as documented at security tracking web sites.Our compiler eliminates these security vulnerabilities (as well as other memory errors).Our results show that our compiler enables the servers to execute successfully through buffer overflow attacks to continue to correctly service user requests without security vulnerabilities.

Cited By

View all

Fang BHalawa HPattabiraman KRipeanu MKrishnamoorthy SEigenmann RDing CMcKee S(2019)BonVoisionProceedings of the ACM International Conference on Supercomputing10.1145/3330345.3330388(484-496)Online publication date: 26-Jun-2019
https://dl.acm.org/doi/10.1145/3330345.3330388
Jin ZChen YLiu TLi KWang ZZheng J(2019)A Novel and Fine-grained Heap Randomization Allocation Strategy for Effectively Alleviating Heap Buffer Overflow VulnerabilitiesProceedings of the 2019 4th International Conference on Mathematics and Artificial Intelligence10.1145/3325730.3325738(115-122)Online publication date: 12-Apr-2019
https://dl.acm.org/doi/10.1145/3325730.3325738
Monperrus M(2018)Automatic Software RepairACM Computing Surveys10.1145/310590651:1(1-24)Online publication date: 23-Jan-2018
https://dl.acm.org/doi/10.1145/3105906
Show More Cited By

A Dynamic Technique for Eliminating Buffer Overflow Vulnerabilities (and Other Memory Errors)
1. Security and privacy
  1. Systems security

Recommendations

Buffer overflow and format string overflow vulnerabilities
Special issue: Security software

Buffer overflow vulnerabilities are among the most widespread of security problems. Numerous incidents of buffer overflow attacks have been reported and many solutions have been proposed, but a solution that is both complete and highly practical is yet ...
Defending against Buffer-Overflow Vulnerabilities

A survey of techniques ranging from static analysis to hardwaremodification describes how various defensive approaches protect against buffer overflow, a vulnerability that represents a severesecurity threat.
Realization of Buffer Overflow
IFITA '10: Proceedings of the 2010 International Forum on Information Technology and Applications - Volume 01

In recent decades, the buffer overflow has been a source of many serious security issues. In recent years, by the CERT/CC (Computer Emergency Response Term/Coodination Center) issued advice on the buffer overflow vulnerability for more than accounted ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference

December 2004

434 pages

ISBN:0769522521

Publisher

IEEE Computer Society

United States

Publication History

Published: 06 December 2004

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 11 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Fang BHalawa HPattabiraman KRipeanu MKrishnamoorthy SEigenmann RDing CMcKee S(2019)BonVoisionProceedings of the ACM International Conference on Supercomputing10.1145/3330345.3330388(484-496)Online publication date: 26-Jun-2019
https://dl.acm.org/doi/10.1145/3330345.3330388
Jin ZChen YLiu TLi KWang ZZheng J(2019)A Novel and Fine-grained Heap Randomization Allocation Strategy for Effectively Alleviating Heap Buffer Overflow VulnerabilitiesProceedings of the 2019 4th International Conference on Mathematics and Artificial Intelligence10.1145/3325730.3325738(115-122)Online publication date: 12-Apr-2019
https://dl.acm.org/doi/10.1145/3325730.3325738
Monperrus M(2018)Automatic Software RepairACM Computing Surveys10.1145/310590651:1(1-24)Online publication date: 23-Jan-2018
https://dl.acm.org/doi/10.1145/3105906
Kuvaiskii DOleksenko OArnautov STrach BBhatotia PFelber PFetzer C(2017)SGXBOUNDSProceedings of the Twelfth European Conference on Computer Systems10.1145/3064176.3064192(205-221)Online publication date: 23-Apr-2017
https://dl.acm.org/doi/10.1145/3064176.3064192
Alouneh SBsoul HKharbutli M(2016)A software tool to protect executable files from buffer overflow attacksInternational Journal of Internet Technology and Secured Transactions10.1504/IJITST.2016.0785836:2(133-166)Online publication date: 1-Jan-2016
https://dl.acm.org/doi/10.1504/IJITST.2016.078583
Qi ZLong FAchour SRinard MYoung MXie T(2015)An analysis of patch plausibility and correctness for generate-and-validate patch generation systemsProceedings of the 2015 International Symposium on Software Testing and Analysis10.1145/2771783.2771791(24-36)Online publication date: 13-Jul-2015
https://dl.acm.org/doi/10.1145/2771783.2771791
Wamhoff JSchwalbe MFaqeh RFetzer CFelber P(2013)Transactional Encoding for Tolerating Transient Hardware Errors15th International Symposium on Stabilization, Safety, and Security of Distributed Systems - Volume 825510.5555/2718693.2718694(1-16)Online publication date: 13-Nov-2013
https://dl.acm.org/doi/10.5555/2718693.2718694
Rinard MGroeneveld PSciuto DHassoun S(2012)Obtaining and reasoning about good enough softwareProceedings of the 49th Annual Design Automation Conference10.1145/2228360.2228526(930-935)Online publication date: 3-Jun-2012
https://dl.acm.org/doi/10.1145/2228360.2228526
Younan YJoosen WPiessens F(2012)Runtime countermeasures for code injection attacks against C and C++ programsACM Computing Surveys10.1145/2187671.218767944:3(1-28)Online publication date: 14-Jun-2012
https://dl.acm.org/doi/10.1145/2187671.2187679
Khan MZulkernine MCrnkovic IStafford JPetriu DHappe JInverardi P(2011)Building components with embedded security monitorsProceedings of the joint ACM SIGSOFT conference -- QoSA and ACM SIGSOFT symposium -- ISARCS on Quality of software architectures -- QoSA and architecting critical systems -- ISARCS10.1145/2000259.2000282(133-142)Online publication date: 20-Jun-2011
https://dl.acm.org/doi/10.1145/2000259.2000282
Show More Cited By

Abstract

Cited By

Recommendations

Buffer overflow and format string overflow vulnerabilities

Defending against Buffer-Overflow Vulnerabilities

Realization of Buffer Overflow

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations