Proceedings of the Institute for System Programming of the RAS
Proceedings of the Institute for System Programming of the RAS, 2018, Volume 30, Issue 3, Pages 21–30
DOI: https://doi.org/10.15514/ISPRAS-2018-30(3)-2
(Mi tisp322)
 

Buffer overflow detection via static analysis: expectations vs. reality

I. A. Dudina (a, b)

a Lomonosov Moscow State University
b Ivannikov Institute for System Programming, Russian Academy of Sciences
Abstract: Over the last few decades buffer overflow has remained one of the main sources of program errors and vulnerabilities. Among other solutions, several static analysis techniques were developed to mitigate such program defects. We analyzed different approaches and tools that address this issue to discern common practices and types of detected errors. Also, we explored some popular sets of synthetic tests (Juliet Test Suite, Toyota ITC benchmark) and a set of buggy code snippets extracted from real applications to define the types of defects that a static analyzer is expected to uncover. Both sources are essential to understand the design goals of a production-quality static analyzer. Test suites expose a set of features to support that is easy to understand, classify, and check. On the other hand, they don’t provide a real picture of production code. Inspecting vulnerabilities is useful but provides an exploitation-biased sample. Besides, it does not include defects eliminated during the development process (probably with the help of some static analyzer). Our research has shown that interprocedural analysis, path-sensitivity and loop handling are essential. An analysis can really benefit from tracking affine relations between variables and modeling C-style strings as a very important case of buffers. Our goal is to use this knowledge to enhance our own buffer overrun detector. Now it can perform interprocedural context- and path-sensitive analysis to detect buffer overflow mainly for static and stack objects with an approximately 65% true positive ratio. We think that promising directions are improving the handling of string manipulations and combining taint analysis with our approaches.
Keywords: software error detection, static analysis, buffer overrun.
Document Type: Article
Language: English
Citation: I. A. Dudina, “Buffer overflow detection via static analysis: expectations vs. reality”, Proceedings of ISP RAS, 30:3 (2018), 21–30
Citation in format AMSBIB
\Bibitem{Dud18}
\by I.~A.~Dudina
\paper Buffer overflow detection via static analysis: expectations vs. reality
\jour Proceedings of ISP RAS
\yr 2018
\vol 30
\issue 3
\pages 21--30
\mathnet{http://mi.mathnet.ru/tisp322}
\crossref{https://doi.org/10.15514/ISPRAS-2018-30(3)-2}
\elib{https://elibrary.ru/item.asp?id=35192491}
Linking options:
  • https://www.mathnet.ru/eng/tisp322
  • https://www.mathnet.ru/eng/tisp/v30/i3/p21