[1] Zhang Shirui, Xu Lei, Xu Baowen,. Method of integer overflow detection to avoid buffer overflow [J]. Journal of Southeast University (English Edition), 2009, 25 (2): 219-223. [doi:10.3969/j.issn.1003-7985.2009.02.016]
Copy
Method of integer overflow detection to avoid buffer overflow(
)
)Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]
- Volumn:
- 25
- Issue:
- 2009 2
- Page:
- 219-223
- Research Field:
- Computer Science and Engineering
- Publishing date:
- 2009-06-30
Info
- Title:
- Method of integer overflow detection to avoid buffer overflow
- Author(s):
- Zhang Shirui1; Xu Lei2; Xu Baowen2
-
1School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
2State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210093, China
- Keywords:
- integer overflow; buffer overflow; path relaxation
- PACS:
- TP309.2
- DOI:
- 10.3969/j.issn.1003-7985.2009.02.016
- Abstract:
- A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow.When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow.Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables.After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables.The effectiveness of this method is demonstrated in a case study.Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.
References:
[1] Blexim.Basic integer overflows[EB/OL].(2002-12-28)[2008-06-08].http://www.phrack.com/issues.html?issue=60&id=10#article.
[2] Aho A, Sethi R, Ullman J.Compilers:principles, techniques, and tools[M].New York:Addison-Wesley, 1986:188-200.
[3] Larochelle D, Evans D.Statically detecting likely buffer overflow vulnerabilities[C]//Proc of the 10th USENIX Security Symposium.Washington, DC, 2001:177-190.
[4] Wilander J, Kamkar M.A comparison of publicly available tools for dynamic buffer overflow prevention[C]//Proc of the 10th Network and Distributed System Security Symposium.San Diego, 2003:149-162.
[5] Dor N, Rodeh M, Sagiv M.Towards a realistic tool for statically detecting all buffer overflows in C[C]//Proc of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation.San Diego, 2003:155-167.
[6] Haugh E, Bishop M.Testing C programs for buffer overflow vulnerabilities[C]//Proc of the 10th Network and Distributed System Security Symposium.San Diego, 2003:123-130.
[7] Lhee K, Chapin S.Type-assisted dynamic buffer overflow detection[C]//Proc of the 11th USENIX Security Symposium. San Francisco, 2002:81-88.
[8] Hastings R, Joyce B.Fast detection of memory leaks and access errors[C]//Proc of the Winter USENIX Conference.San Francisco, 1992:125-136.
[9] Horovitz O.Big integer loop protection[EB/OL].(2002-12-28)[2008-06-08].http://www.phrack.com/issues.html?issue=60&id=9#article.
Memo
- Memo:
-
Biographies: Zhang Shirui(1984—), male, graduate;Xu Baowen(corresponding author), male, doctor, professor, bwxu@nju.edu.cn.
Foundation items: The National Natural Science Foundation of China(No.60873050, 60703086), the Opening Foundation of State Key Laboratory of Software Engineering in Wuhan University(No.SKLSE20080717).
Citation: Zhang Shirui, Xu Lei, Xu Baowen.Method of integer overflow detection to avoid buffer overflow[J].Journal of Southeast University(English Edition), 2009, 25(2):219-223.