Automatic Buffer Overflow Warning Validation

Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Journal of computer science and technology Jg. 35; H. 6; S. 1406 - 1427
Hauptverfasser: Gao, Feng-Juan, Wang, Yu, Wang, Lin-Zhang, Yang, Zijiang, Li, Xuan-Dong
Format: Journal Article
Sprache:Englisch
Veröffentlicht: Singapore Springer Singapore 01.11.2020
Springer
Springer Nature B.V
State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China
Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China%Department of Computer Science, Western Michigan University, Kalamazoo 49008-5466, U.S.A
Schlagworte:
Artificial Intelligence
Buffers
C plus plus
Computer Science
Data Structures and Information Theory
Information Systems Applications (incl.Internet)
Regular Paper
Software
Software Engineering
Source code
Source programs
Theory of Computation
Warning
symbolic execution
static analysis warning
buffer overflow
automatic repair
ISSN:1000-9000, 1860-4749
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Static buffer overflow detection techniques tend to report too many false positives fundamentally due to the lack of software execution information. It is very time consuming to manually inspect all the static warnings. In this paper, we propose BovInspector, a framework for automatically validating static buffer overflow warnings and providing suggestions for automatic repair of true buffer overflow warnings for C programs. Given the program source code and the static buffer overflow warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector provides suggestions to automatically repair it with 11 repair strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically validate on average 60% of total warnings reported by static tools.
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:1000-9000
1860-4749
DOI:10.1007/s11390-020-0525-z