Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs

Sun Ding, Hee Beng Kuan Tan, Hongyu Zhang

2014

Abstract

Buffer overflow is one of the most commonly found serious security vulnerabilities. It arises when a program fails to prevent input from exceeding a buffer's intended size or from accessing unintended memory locations. Researchers have addressed it from several directions: creating run-time defence mechanisms, proposing effective detection methods, and automatically modifying the original program to remove the vulnerabilities. These techniques share many commonalities but also differ. In this paper, we characterize buffer overflow vulnerability in the form of four patterns and propose ABOR, a framework that integrates, extends and generalizes existing techniques to remove buffer overflow vulnerabilities more effectively and accurately. ABOR only patches the identified code segments; thus it is an optimized solution that eliminates buffer overflows while keeping runtime overhead to a minimum. We have implemented the proposed approach and evaluated it through experiments on a set of benchmarks and three industrial C/C++ applications. The experimental results demonstrate ABOR's effectiveness in practice.
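As an added illustration (not code from the paper, and not ABOR's actual transformation), the two defect shapes named in the abstract, an unchecked copy that exceeds a buffer's size and an unchecked index that reaches an unintended location, shown beside the kind of site-local guard a patching framework would insert; `record_t`, `NAME_LEN` and the function names are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16

typedef struct { char name[NAME_LEN]; int scores[4]; } record_t;

/* Before: unchecked copy into a fixed-size field (the defect shape only; never called). */
void set_name_unchecked(record_t *r, const char *src) {
    strcpy(r->name, src);              /* overflows when strlen(src) >= NAME_LEN */
}

/* Before: unchecked index write (the "unintended memory location" shape; never called). */
void set_score_unchecked(record_t *r, size_t idx, int v) {
    r->scores[idx] = v;                /* out of bounds when idx >= 4 */
}

/* After: the same copy with a guard inserted only at this site, so code
 * elsewhere pays no instrumentation cost. Returns true on success; on
 * overflow it rejects the input and leaves r untouched. */
bool set_name_checked(record_t *r, const char *src) {
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0') n++;   /* bounded scan: never reads past NAME_LEN */
    if (n == NAME_LEN) return false;               /* no room for the terminator */
    memcpy(r->name, src, n + 1);
    return true;
}

/* After: index write guarded against the field's declared element count. */
bool set_score_checked(record_t *r, size_t idx, int v) {
    size_t count = sizeof r->scores / sizeof r->scores[0];
    if (idx >= count) return false;
    r->scores[idx] = v;
    return true;
}

/* Stand-alone check: push three constructed inputs through the patched
 * setters and report how many were rejected (expected: 2). */
int count_rejected(void) {
    record_t r = {0};
    int rejected = 0;
    if (!set_name_checked(&r, "alice")) rejected++;                      /* 5 chars: fits */
    if (!set_name_checked(&r, "this-name-is-far-too-long")) rejected++;  /* 25 chars: rejected */
    if (!set_score_checked(&r, 7, 100)) rejected++;                      /* index 7 of 4: rejected */
    return rejected;
}
```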

Paper Citation

in Harvard Style

Ding S., Tan H. and Zhang H. (2014). Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs. In Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-028-4, pages 49-59. DOI: 10.5220/0004888000490059


in Bibtex Style

@conference{iceis14,
author={Sun Ding and Hee Beng Kuan Tan and Hongyu Zhang},
title={Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs},
booktitle={Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS},
year={2014},
pages={49-59},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004888000490059},
isbn={978-989-758-028-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS
TI - Automatic Removal of Buffer Overflow Vulnerabilities in C/C++ Programs
SN - 978-989-758-028-4
AU - Ding S.
AU - Tan H.
AU - Zhang H.
PY - 2014
SP - 49
EP - 59
DO - 10.5220/0004888000490059