ELAID: detecting integer-Overflow-to-Buffer-Overflow vulnerabilities by light-weight and accurate static analysis

The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability has been widely exploited by attackers to cause severe damages to computer systems. Automatically identifying this kind of vulnerability is critical for software security. Despite many works have been done to mitigate integer overflow, ex...

Full description

Saved in:
Bibliographic Details
Published in:Cybersecurity (Singapore) Vol. 3; no. 1; pp. 1 - 19
Main Authors: Xu, Lili, Xu, Mingjie, Li, Feng, Huo, Wei
Format: Journal Article
Language:English
Published: Singapore Springer Singapore 08.09.2020
Springer Nature B.V
SpringerOpen
Subjects:
Buffers
Computer Science
Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability
Integers
Inter-procedural dataflow analysis
Overflow
Path satisfiability
Software reliability
Software testing
Taint analysis
Weight reduction
Inter-procedural dataflow analysis
Taint analysis
Path satisfiability
Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability
ISSN:2523-3246, 2523-3246
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability has been widely exploited by attackers to cause severe damages to computer systems. Automatically identifying this kind of vulnerability is critical for software security. Despite many works have been done to mitigate integer overflow, existing tools either report large number of false positives or introduce unacceptable time consumption. To address this problem, in this article we present a static analysis framework. It first constructs an inter-procedural call graph and utilizes taint analysis to accurately identify potential IO2BO vulnerabilities. Then it uses a light-weight method to further filter out false positives. Specifically, it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered, and feeds the constraints to SMT solver to decide their satisfiability. We have implemented a prototype system ELAID based on LLVM, and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 14 known IO2BO vulnerabilities in real world. The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:2523-3246
2523-3246
DOI:10.1186/s42400-020-00058-2