A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dyn...A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow. Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables. After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables. The effectiveness of this method is demonstrated in a case study. Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.展开更多
Most solutions for detecting buffer overflow are based on source code. But the requirement tor source code is not always practical especially for business software. A new approach was presented to detect statically th...Most solutions for detecting buffer overflow are based on source code. But the requirement tor source code is not always practical especially for business software. A new approach was presented to detect statically the potential buffer overflow vulnerabilities in the binary code of software. The binary code was translated into assembly code without the lose of the information of string operation functions. The feature code abstract graph was constructed to generate more accurate constraint statements, and analyze the assembly code using the method of integer range constraint. After getting the elementary report on suspicious code where buffer overflows possibly happen, the control flow sensitive analysis using program dependence graph was done to decrease the rate of false positive. A prototype was implemented which demonstrates the feasibility and efficiency of the new approach.展开更多
The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the sta...The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.展开更多
Integer overflow vulnerability will cause buffer overflow. The research on the relationship between them will help us to detect integer overflow vulnerability. We present a dynamic analysis methods RICB (Run-time Int...Integer overflow vulnerability will cause buffer overflow. The research on the relationship between them will help us to detect integer overflow vulnerability. We present a dynamic analysis methods RICB (Run-time Integer Checking via Buffer overflow). Our approach includes decompile execute file to assembly language; debug the execute file step into and step out; locate the overflow points and checking buffer overflow caused by integer overflow. We have implemented our approach in three buffer overflow types: format string overflow, stack overflow and heap overflow. Experiments results show that our approach is effective and efficient. We have detected more than 5 known integer overflow vulnerabilities via buffer overflow.展开更多
Different abnormalities are commonly encountered in computer network systems.These types of abnormalities can lead to critical data losses or unauthorized access in the systems.Buffer overflow anomaly is a prominent i...Different abnormalities are commonly encountered in computer network systems.These types of abnormalities can lead to critical data losses or unauthorized access in the systems.Buffer overflow anomaly is a prominent issue among these abnormalities,posing a serious threat to network security.The primary objective of this study is to identify the potential risks of buffer overflow that can be caused by functions frequently used in the PHP programming language and to provide solutions to minimize these risks.Static code analyzers are used to detect security vulnerabilities,among which SonarQube stands out with its extensive library,flexible customization options,and reliability in the industry.In this context,a customized rule set aimed at automatically detecting buffer overflows has been developed on the SonarQube platform.The memoization optimization technique used while creating the customized rule set enhances the speed and efficiency of the code analysis process.As a result,the code analysis process is not repeatedly run for code snippets that have been analyzed before,significantly reducing processing time and resource utilization.In this study,a memoization-based rule set was utilized to detect critical security vulnerabilities that could lead to buffer overflow in source codes written in the PHP programming language.Thus,the analysis process is not repeatedly run for code snippets that have been analyzed before,leading to a significant reduction in processing time and resource utilization.In a case study conducted to assess the effectiveness of this method,a significant decrease in the source code analysis time was observed.展开更多
The development of the information technology has brought threats to human society when it has influenced seriously the global politics, economics and military etc. But among the security of information system, buffer...The development of the information technology has brought threats to human society when it has influenced seriously the global politics, economics and military etc. But among the security of information system, buffer overrun vulnerability is undoubtedly one of the most important and common vulnerabilities. This paper describes a new technology, named program slicing, to detect the buffer overflow leak in security-critical C code. First, we use slicing technology to analyze the variables which may be with vulnerability and extract the expressions which will bring memory overflow. Secondly, we utilize debug technology to get the size of memory applied by the variable and the size of memory used for these code segments (the slicing result) further. Therefore we can judge whether it will overflow according to the analysis above. According to the unique excellence of program slicing performing in the large-scale program’s debugging, the method to detect buffer overrun vulnerability described in this paper will reduce the workload greatly and locate the code sentences affected by corresponding variable set quickly, particularly including the potential vulnerability caused by parameter dependence among the subroutines.展开更多
A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remot...A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes.An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program.The blocker is composed of three major components,packet decoder,disassembler,and behavior-based detection engine.It decodes the network packets,extract possible instruction sequences from the payload,and analyzes whether they contain attack behaviors.Since this blocker based its effectiveness on the commonest behavior patterns of buffer overflow shellcode,it is expected to detect not only existing attacks but also zero-day attacks.Moreover,it has the capability of detecting attack-size obfuscation.展开更多
Buffer overflow poses a serious threat to the memory security of modern operating systems.It overwrites the con-tents of other memory areas by breaking through the buffer capacity limit,destroys the system execution e...Buffer overflow poses a serious threat to the memory security of modern operating systems.It overwrites the con-tents of other memory areas by breaking through the buffer capacity limit,destroys the system execution environ-ment,and provides implementation space for various system attacks such as program control flow hijacking.That makes it a wide range of harms.A variety of security technologies have been proposed to deal with system security problems including buffer overflow.For example,No eXecute(NX for short)is a memory management technology commonly used in Harvard architecture.It can refuse the execution of code which residing in a specific memory,and can effectively suppress the abnormal impact of buffer overflow on control flow.Therefore,in recent years,it has also been used in the field of system security,deriving a series of solutions based on NX technology,such as ExecShield,DEP,StackGuard,etc.However,these security solutions often rely too much on the processor archi-tecture so that the protection coverage is insufficient and the accuracy is limited.Especially in the emerging system architecture field represented by RiSC-V,there is still a lack of effective solutions for buffer overflow vulnerabilities.With the continuous rapid development of the system architecture,it is urgent to develop defense methods that are applicable to different system application environments and oriented to all executable memory spaces to meet the needs of system security development.Therefore,we propose BOP,A new system memory security design method based on RISC-V extended instructions,to build a RISC-V buffer overflow detection and defense system and deal with the buffer overflow threat in RIsC-V.According to this method,NX technology can be combined with program control flow analysis,and Nx bit mechanism can be used to manage the executability of memory space,so as to achieve a more granular detection and defense of buffer overflow attacks that may occur in RISC-V system environment.In addition,The memory management and control function of BOP is not only very suitable for solving the security problems in the existing single architecture system,but also widely applicable to the combina-tion of multiple heterogeneous systems.展开更多
Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warning...Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.展开更多
Buffer overflow is the most dangerous attack method that can be exploited. According to the statistics of Computer Emergency Readiness Team ( CERT ), buffer overflow accounts for 50% of the current software vulnerab...Buffer overflow is the most dangerous attack method that can be exploited. According to the statistics of Computer Emergency Readiness Team ( CERT ), buffer overflow accounts for 50% of the current software vulnerabilities, and this ratio is going up. Considering a subset of C language, Mini C, this paper presents an abstract machine model that can realire buffer overflow detection, which is based on operation semantic. Thus the research on buffer overflow detection can be built on strict descriptions of operation semantic. Not only the correctness can be assured, but also the system can be realized and extended easily.展开更多
缓冲区溢出漏洞广泛存在于由不安全的高级语言所编写的程序中.利用缓冲区溢出漏洞,攻击者可以实现控制流劫持等危险攻击方式.基于Canary的栈保护技术是处理缓冲区溢出漏洞的一种简单有效且广泛部署的防御手段,然而位置固定和取值相同的...缓冲区溢出漏洞广泛存在于由不安全的高级语言所编写的程序中.利用缓冲区溢出漏洞,攻击者可以实现控制流劫持等危险攻击方式.基于Canary的栈保护技术是处理缓冲区溢出漏洞的一种简单有效且广泛部署的防御手段,然而位置固定和取值相同的特点使其容易被攻击者分析和破解.本文提出一种基于软件多样性的栈保护技术,它以拥有随机化大小和偏移的异构Canary为核心,不仅能直接抵御常规Canary无法处理的泄漏类和覆盖类攻击,而且能构造出各种更加安全的多样性软件系统.实验结果表明,异构Canary在有效提升安全性的同时仅为SPEC CPU 2017基准程序集额外引入了不高于2%的编译开销和平均3.22%的运行开销.展开更多
Transmission Control Protocol (TCP) is the most important transport layer protocol being used nowadays. It suffers from many problems over mobile networks especially over Cognitive Radio (CR). CR is one of the latest ...Transmission Control Protocol (TCP) is the most important transport layer protocol being used nowadays. It suffers from many problems over mobile networks especially over Cognitive Radio (CR). CR is one of the latest mobile technologies that brings its own share of problems for TCP. The buffer overflow for CR secondary network relay node can affect the performance of TCP. The contribution of this paper is the novel cross-layer model being used to evaluate the effect of the TCP congestion control on the secondary relay node buffer size in Cognitive Radio Network (CRN). The performance has been assessed by buffer overflow probability.展开更多
基金The National Natural Science Foundation of China (No.60873050,60703086)the Opening Foundation of State Key Laboratory of Software Engineering in Wuhan University (No.SKLSE20080717)
文摘A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow. Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables. After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables. The effectiveness of this method is demonstrated in a case study. Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.
文摘Most solutions for detecting buffer overflow are based on source code. But the requirement tor source code is not always practical especially for business software. A new approach was presented to detect statically the potential buffer overflow vulnerabilities in the binary code of software. The binary code was translated into assembly code without the lose of the information of string operation functions. The feature code abstract graph was constructed to generate more accurate constraint statements, and analyze the assembly code using the method of integer range constraint. After getting the elementary report on suspicious code where buffer overflows possibly happen, the control flow sensitive analysis using program dependence graph was done to decrease the rate of false positive. A prototype was implemented which demonstrates the feasibility and efficiency of the new approach.
文摘The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.
基金Supported by the National Natural Science Foundation of China (60903188), Shanghai Education Commission Innovation Foundation (11YZ192) and World Expo Science and Technology Special Fund of Shanghai Science and Technology Commission (08dz0580202).
文摘Integer overflow vulnerability will cause buffer overflow. The research on the relationship between them will help us to detect integer overflow vulnerability. We present a dynamic analysis methods RICB (Run-time Integer Checking via Buffer overflow). Our approach includes decompile execute file to assembly language; debug the execute file step into and step out; locate the overflow points and checking buffer overflow caused by integer overflow. We have implemented our approach in three buffer overflow types: format string overflow, stack overflow and heap overflow. Experiments results show that our approach is effective and efficient. We have detected more than 5 known integer overflow vulnerabilities via buffer overflow.
文摘Different abnormalities are commonly encountered in computer network systems.These types of abnormalities can lead to critical data losses or unauthorized access in the systems.Buffer overflow anomaly is a prominent issue among these abnormalities,posing a serious threat to network security.The primary objective of this study is to identify the potential risks of buffer overflow that can be caused by functions frequently used in the PHP programming language and to provide solutions to minimize these risks.Static code analyzers are used to detect security vulnerabilities,among which SonarQube stands out with its extensive library,flexible customization options,and reliability in the industry.In this context,a customized rule set aimed at automatically detecting buffer overflows has been developed on the SonarQube platform.The memoization optimization technique used while creating the customized rule set enhances the speed and efficiency of the code analysis process.As a result,the code analysis process is not repeatedly run for code snippets that have been analyzed before,significantly reducing processing time and resource utilization.In this study,a memoization-based rule set was utilized to detect critical security vulnerabilities that could lead to buffer overflow in source codes written in the PHP programming language.Thus,the analysis process is not repeatedly run for code snippets that have been analyzed before,leading to a significant reduction in processing time and resource utilization.In a case study conducted to assess the effectiveness of this method,a significant decrease in the source code analysis time was observed.
文摘The development of the information technology has brought threats to human society when it has influenced seriously the global politics, economics and military etc. But among the security of information system, buffer overrun vulnerability is undoubtedly one of the most important and common vulnerabilities. This paper describes a new technology, named program slicing, to detect the buffer overflow leak in security-critical C code. First, we use slicing technology to analyze the variables which may be with vulnerability and extract the expressions which will bring memory overflow. Secondly, we utilize debug technology to get the size of memory applied by the variable and the size of memory used for these code segments (the slicing result) further. Therefore we can judge whether it will overflow according to the analysis above. According to the unique excellence of program slicing performing in the large-scale program’s debugging, the method to detect buffer overrun vulnerability described in this paper will reduce the workload greatly and locate the code sentences affected by corresponding variable set quickly, particularly including the potential vulnerability caused by parameter dependence among the subroutines.
文摘A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes.An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program.The blocker is composed of three major components,packet decoder,disassembler,and behavior-based detection engine.It decodes the network packets,extract possible instruction sequences from the payload,and analyzes whether they contain attack behaviors.Since this blocker based its effectiveness on the commonest behavior patterns of buffer overflow shellcode,it is expected to detect not only existing attacks but also zero-day attacks.Moreover,it has the capability of detecting attack-size obfuscation.
基金Strategic Priority Research Program of CAS(XDC05040000).
文摘Buffer overflow poses a serious threat to the memory security of modern operating systems.It overwrites the con-tents of other memory areas by breaking through the buffer capacity limit,destroys the system execution environ-ment,and provides implementation space for various system attacks such as program control flow hijacking.That makes it a wide range of harms.A variety of security technologies have been proposed to deal with system security problems including buffer overflow.For example,No eXecute(NX for short)is a memory management technology commonly used in Harvard architecture.It can refuse the execution of code which residing in a specific memory,and can effectively suppress the abnormal impact of buffer overflow on control flow.Therefore,in recent years,it has also been used in the field of system security,deriving a series of solutions based on NX technology,such as ExecShield,DEP,StackGuard,etc.However,these security solutions often rely too much on the processor archi-tecture so that the protection coverage is insufficient and the accuracy is limited.Especially in the emerging system architecture field represented by RiSC-V,there is still a lack of effective solutions for buffer overflow vulnerabilities.With the continuous rapid development of the system architecture,it is urgent to develop defense methods that are applicable to different system application environments and oriented to all executable memory spaces to meet the needs of system security development.Therefore,we propose BOP,A new system memory security design method based on RISC-V extended instructions,to build a RISC-V buffer overflow detection and defense system and deal with the buffer overflow threat in RIsC-V.According to this method,NX technology can be combined with program control flow analysis,and Nx bit mechanism can be used to manage the executability of memory space,so as to achieve a more granular detection and defense of buffer overflow attacks that may occur in RISC-V system environment.In addition,The memory management and control function of BOP is not only very suitable for solving the security problems in the existing single architecture system,but also widely applicable to the combina-tion of multiple heterogeneous systems.
基金This work was supported by the National Natural Science Foundation of China under Grant No.62032010partially by the Postgraduate Research and Practice Innovation Program of Jiangsu Province of China.
文摘Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.
文摘Buffer overflow is the most dangerous attack method that can be exploited. According to the statistics of Computer Emergency Readiness Team ( CERT ), buffer overflow accounts for 50% of the current software vulnerabilities, and this ratio is going up. Considering a subset of C language, Mini C, this paper presents an abstract machine model that can realire buffer overflow detection, which is based on operation semantic. Thus the research on buffer overflow detection can be built on strict descriptions of operation semantic. Not only the correctness can be assured, but also the system can be realized and extended easily.
文摘缓冲区溢出漏洞广泛存在于由不安全的高级语言所编写的程序中.利用缓冲区溢出漏洞,攻击者可以实现控制流劫持等危险攻击方式.基于Canary的栈保护技术是处理缓冲区溢出漏洞的一种简单有效且广泛部署的防御手段,然而位置固定和取值相同的特点使其容易被攻击者分析和破解.本文提出一种基于软件多样性的栈保护技术,它以拥有随机化大小和偏移的异构Canary为核心,不仅能直接抵御常规Canary无法处理的泄漏类和覆盖类攻击,而且能构造出各种更加安全的多样性软件系统.实验结果表明,异构Canary在有效提升安全性的同时仅为SPEC CPU 2017基准程序集额外引入了不高于2%的编译开销和平均3.22%的运行开销.
文摘Transmission Control Protocol (TCP) is the most important transport layer protocol being used nowadays. It suffers from many problems over mobile networks especially over Cognitive Radio (CR). CR is one of the latest mobile technologies that brings its own share of problems for TCP. The buffer overflow for CR secondary network relay node can affect the performance of TCP. The contribution of this paper is the novel cross-layer model being used to evaluate the effect of the TCP congestion control on the secondary relay node buffer size in Cognitive Radio Network (CRN). The performance has been assessed by buffer overflow probability.
