{"title":"Auditing Buffer Overflow Vulnerabilities Using Hybrid Static-Dynamic Analysis","authors":"Bindu Padmanabhuni, Hee Beng Kuan Tan","doi":"10.1109/COMPSAC.2014.62","DOIUrl":null,"url":null,"abstract":"Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.","PeriodicalId":106871,"journal":{"name":"2014 IEEE 38th Annual Computer Software and Applications Conference","volume":"36 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-07-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE 38th Annual Computer Software and Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMPSAC.2014.62","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 13
Abstract
Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
