Auditing buffer overflow vulnerabilities using hybrid static–dynamic analysis

Buffer overflow (BOF) vulnerabilities when present in code can be exploited to violate security objectives such as availability, confidentiality and integrity. They make up substantial portion of input manipulation attacks due to their common presence and ease of exploitation. In this study, the aut...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IET software Jg. 10; H. 2; S. 54 - 61
Hauptverfasser: Padmanabhuni, Bindu Madhavi, Tan, Hee Beng Kuan
Format: Journal Article
Sprache:Englisch
Veröffentlicht: The Institution of Engineering and Technology 01.04.2016
Schlagworte:
auditing
BOF auditing
buffer overflow vulnerability auditing
buffer storage
bugs
Computer information security
Computer programs
data mining
dynamic program analysis
Dynamic tests
Dynamics
hybrid static-dynamic analysis
learning (artificial intelligence)
machine learning
Manuals
program debugging
program diagnostics
Recall
Reporting
Security
security objective
security of data
static code attribute mining
static program analysis
program debugging
dynamic program analysis
buffer storage
security objective
buffer overflow vulnerability auditing
program diagnostics
static code attribute mining
data mining
auditing
static program analysis
machine learning
bugs
security of data
learning (artificial intelligence)
hybrid static-dynamic analysis
BOF auditing
ISSN:1751-8806, 1751-8814, 1751-8814
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Buffer overflow (BOF) vulnerabilities when present in code can be exploited to violate security objectives such as availability, confidentiality and integrity. They make up substantial portion of input manipulation attacks due to their common presence and ease of exploitation. In this study, the authors propose a hybrid approach combining static and dynamic program analysis with machine learning to audit BOFs. Simple rules to generate test data is proposed to confirm some of the vulnerabilities through dynamic analysis. Confirmed cases can be fixed by developers without further verification. Statements whose vulnerability is not confirmed by dynamic analysis are predicted by mining static code attributes. In the authors’ evaluation using standard benchmarks, their best classifier achieved a recall over 93% and accuracy >94%. Dynamic analysis itself confirmed 34% of known vulnerabilities along with reporting six new bugs, thereby reducing by third, otherwise needed manual auditing effort.
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 23
ISSN:1751-8806
1751-8814
1751-8814
DOI:10.1049/iet-sen.2014.0185