A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors)
Buffer overflow vulnerabilities are caused by programming errors that allow an attacker to cause the program to write beyond the bounds of an allocated memory block to corrupt other data structures. The standard way to exploit a buffer overflow vulnerability involves a request that is too large for...
Saved in:
| Published in: | 20th Annual Computer Security Applications Conference pp. 82 - 90 |
|---|---|
| Main Authors: | , , , , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: |
IEEE
2004
|
| Subjects: | |
| ISBN: | 9780769522524, 0769522521 |
| ISSN: | 1063-9527 |
| Online Access: | Get full text |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Abstract | Buffer overflow vulnerabilities are caused by programming errors that allow an attacker to cause the program to write beyond the bounds of an allocated memory block to corrupt other data structures. The standard way to exploit a buffer overflow vulnerability involves a request that is too large for the buffer intended to hold it. The buffer overflow error causes the program to write part of the request beyond the bounds of the buffer, corrupting the address space of the program and causing the program to execute injected code contained in the request. We have implemented a compiler that inserts dynamic checks into the generated code to detect all out of bounds memory accesses. When it detects an out of bounds write, it stores the value away in a hash table to return as the value for corresponding out of bounds reads. The net effect is to (conceptually) give each allocated memory block unbounded size and to eliminate out of bounds accesses as a programming error. We have acquired several widely used open source servers (Apache, Sendmail, Pine, Mutt, and Midnight Commander). With standard compilers, all of these servers are vulnerable to buffer overflow attacks as documented at security tracking Web sites. Our compiler eliminates these security vulnerabilities (as well as other memory errors). Our results show that our compiler enables the servers to execute successfully through buffer overflow attacks to continue to correctly service user requests without security vulnerabilities. |
|---|---|
| AbstractList | Buffer overflow vulnerabilities are caused by programming errors that allow an attacker to cause the program to write beyond the bounds of an allocated memory block to corrupt other data structures. The standard way to exploit a buffer overflow vulnerability involves a request that is too large for the buffer intended to hold it. The buffer overflow error causes the program to write part of the request beyond the bounds of the buffer, corrupting the address space of the program and causing the program to execute injected code contained in the request. We have implemented a compiler that inserts dynamic checks into the generated code to detect all out of bounds memory accesses. When it detects an out of bounds write, it stores the value away in a hash table to return as the value for corresponding out of bounds reads. The net effect is to (conceptually) give each allocated memory block unbounded size and to eliminate out of bounds accesses as a programming error. We have acquired several widely used open source servers (Apache, Sendmail, Pine, Mutt, and Midnight Commander). With standard compilers, all of these servers are vulnerable to buffer overflow attacks as documented at security tracking Web sites. Our compiler eliminates these security vulnerabilities (as well as other memory errors). Our results show that our compiler enables the servers to execute successfully through buffer overflow attacks to continue to correctly service user requests without security vulnerabilities. |
| Author | Rinard, M. Leu, T. Roy, D.M. Dumitran, D. Cadar, C. |
| Author_xml | – sequence: 1 givenname: M. surname: Rinard fullname: Rinard, M. organization: Comput. Sci. & Artificial Intelligence Lab., Massachusetts Univ., Cambridge, MA, USA – sequence: 2 givenname: C. surname: Cadar fullname: Cadar, C. organization: Comput. Sci. & Artificial Intelligence Lab., Massachusetts Univ., Cambridge, MA, USA – sequence: 3 givenname: D. surname: Dumitran fullname: Dumitran, D. organization: Comput. Sci. & Artificial Intelligence Lab., Massachusetts Univ., Cambridge, MA, USA – sequence: 4 givenname: D.M. surname: Roy fullname: Roy, D.M. organization: Comput. Sci. & Artificial Intelligence Lab., Massachusetts Univ., Cambridge, MA, USA – sequence: 5 givenname: T. surname: Leu fullname: Leu, T. organization: Comput. Sci. & Artificial Intelligence Lab., Massachusetts Univ., Cambridge, MA, USA |
| BookMark | eNotj8FLwzAYxQNOcJs7efSSox5a8yVt0hxLcSoMPLirjLT94iJtomk36X9vQU8_Hrz3eG9FFj54JOQGWArA9EP1VlYpZyxL-QXZaFUwJXXOec6zBVkCkyKZpboiq2H4ZAy0VrAk7yVtJ29619ARm6N33yekNkSKneudN6PzH7Q-WYuRhjNG24Ufej51HqOpXedGhwO9M76lYTzOnh77ECeKMYY43F-TS2u6ATf_XJP99nFfPSe716eXqtwlTrMxUdrAvFc3slAtNtrYFiQDo0BIAGuEblUjhcwUaJwhVT3_zFst6jnQZGJNbv9qHSIevqLrTZwOIJTiUIhfxc9UPQ |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1109/CSAC.2004.2 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EndPage | 90 |
| ExternalDocumentID | 1377218 |
| Genre | orig-research |
| GroupedDBID | 23M 29O 5VS 6IE 6IF 6IH 6IK 6IL 6IM 6IN AAJGR AAWTH ACGFS ADZIZ ALMA_UNASSIGNED_HOLDINGS APO AVWKF BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO I07 IPLJI M43 OCL RIE RIL |
| ID | FETCH-LOGICAL-i90t-79a19789c687dec9afd1601a713611fa39d7c6364719e36467b2005d93b87dc43 |
| IEDL.DBID | RIE |
| ISBN | 9780769522524 0769522521 |
| ISSN | 1063-9527 |
| IngestDate | Tue Aug 26 18:24:29 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i90t-79a19789c687dec9afd1601a713611fa39d7c6364719e36467b2005d93b87dc43 |
| PageCount | 9 |
| ParticipantIDs | ieee_primary_1377218 |
| PublicationCentury | 2000 |
| PublicationDate | 20040000 |
| PublicationDateYYYYMMDD | 2004-01-01 |
| PublicationDate_xml | – year: 2004 text: 20040000 |
| PublicationDecade | 2000 |
| PublicationTitle | 20th Annual Computer Security Applications Conference |
| PublicationTitleAbbrev | CSAC |
| PublicationYear | 2004 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0019971 ssj0000558104 |
| Score | 1.7803742 |
| Snippet | Buffer overflow vulnerabilities are caused by programming errors that allow an attacker to cause the program to write beyond the bounds of an allocated memory... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 82 |
| SubjectTerms | Artificial intelligence Buffer overflow Computer errors Computer languages Computer science Data structures Dynamic compiler Java Laboratories Programming profession |
| Title | A dynamic technique for eliminating buffer overflow vulnerabilities (and other memory errors) |
| URI | https://ieeexplore.ieee.org/document/1377218 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NS8NAFHy0xYOnqq34zR48KJg2H5ts9liKxVMp2EMvUvYrUKiJpE3Ff-_bTVoRvHjKJhAIL4TZeZk3A3CvpTCIskhTw8R4NFaxJxgPkaUoyWVK0zCSLmyCTafpYsFnLXg6zMIYY5z4zAzs0v3L14WqbKtsaN3xEJLa0GYsqWe1Dv0UP45TRy2aPwic12QLIdjjcchqyo6rEAGrcd7Zn9NmcC_w-XD8Oho72jgIfwWuOLyZdP_3pCfQ_xncI7MDJJ1Cy-Rn0N0nN5DmQ-7B24joOoqeHExcCW5fiVm7lC-rhSaystkpxGo8s3XxSXbV2lpUOzUt8mvyIHJN3AAXebd63S9iyrIoN499mE-e5-MXrwla8Fbc33qMiwDLwVWSMm0UF5kOkKcJ5K9JEGQi4pqpxBrNB9zgIWHS9qI0jyTeoGh0Dp28yM0FENz-qJQqJUORUJ-KNLaMxac0xnJEmX8JPVus5UdtpbFs6nT19-VrOK6FMrbjcQOdbVmZWzhSu-1qU9659_8NQdupgw |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1NS8NAFHzUKuipait-uwcPCqbNx26SPZZiqVhLwR56kbJfgUJtJG0q_nt3N2lE8OIpm0AgPBJm52XeDMCt5ExplNU01Q-Vg4kgDouor1mK4JTHOPYDbsMmotEonk7puAYP1SyMUsqKz1TbLO2_fJmK3LTKOsYdT0PSDuwSjH23mNaqOiouIbElF-U_BEoLuqVB2KHEjwrSrle-hqzSe2d7jsvRPc-lnd5rt2eJY9v_FbliEaff-N-zHkLrZ3QPjStQOoKaWh5DY5vdgMpPuQlvXSSLMHpU2bgivYFFamFzvowaGvHcpKcgo_JMFukn2uQLY1Jt9bSaYaM7tpTIjnChd6PY_UIqy9Jsdd-CSf9x0hs4ZdSCM6fu2oko83Q5qAjjSCpBWSI9zdSYZrCh5yUsoDISobGa96jShzDiphslacD1DQIHJ1Bfpkt1CkhvgESMheA-C7GLWUwMZ3ExJrocQeKeQdMUa_ZRmGnMyjqd_335BvYHk5fhbPg0er6Ag0I2Y_ofl1BfZ7m6gj2xWc9X2bV9F74BSIysyg |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=20th+Annual+Computer+Security+Applications+Conference&rft.atitle=A+dynamic+technique+for+eliminating+buffer+overflow+vulnerabilities+%28and+other+memory+errors%29&rft.au=Rinard%2C+M.&rft.au=Cadar%2C+C.&rft.au=Dumitran%2C+D.&rft.au=Roy%2C+D.M.&rft.date=2004-01-01&rft.pub=IEEE&rft.isbn=9780769522524&rft.issn=1063-9527&rft.spage=82&rft.epage=90&rft_id=info:doi/10.1109%2FCSAC.2004.2&rft.externalDocID=1377218 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=1063-9527&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=1063-9527&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=1063-9527&client=summon |