Testing static analysis tools using exploitable buffer overflows from open source code

Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case with and a "OK" case without buffer overflows. Buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for Poly-Space and Splint which had average detection rates of 87% and 57%, respectively. However, average false alarm rates were high and roughly 50% for these two tools. On patched programs these two tools produce one warning for every 12 to 46 lines of source code and neither tool appears able to accurately distinguished between vulnerable and patched code.

[1]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[2]  Peter M. Broadwell,et al.  A Comparison of Static Analysis and Fault Injection Techniques for Developing Robust System Services , 2002 .

[3]  David A. Wheeler More Than a Gigabuck: Estimating GNU/Linux''s Size , 2002, WWW 2002.

[4]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[5]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[6]  Brian W. Kernighan,et al.  The C Programming Language , 1978 .

[7]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[8]  John Wilander,et al.  A Comparison of Publicly Available Tools for Static Intrusion Prevention , 2002 .

[9]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[10]  Misha Zitser Securing software : an evaluation of static source code analyzers , 2003 .

[11]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[12]  Patrick Cousot,et al.  Static determination of dynamic properties of programs , 1976 .

[13]  Dawson R. Engler,et al.  ARCHER: using symbolic, path-sensitive analysis to detect memory access errors , 2003, ESEC/FSE-11.

[14]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[15]  Guillaume Brat,et al.  Static Analysis of the Mars Exploration Rover Flight Software , 2004 .

[16]  Stefan Savage,et al.  The Spread of the Sapphire/Slammer Worm , 2003 .

[17]  Gerard J. Holzmann,et al.  UNO: Static Source Code Checking for User-Defined Properties 1 , 2002 .

[18]  Daniel M. Roy,et al.  Enhancing Availability and Security Through Failure-Oblivious Computing , 2003 .

[19]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[20]  Alain Deutsch,et al.  Interprocedural may-alias analysis for pointers: beyond k-limiting , 1994, PLDI '94.

[21]  Alain Deutsch,et al.  On the complexity of escape analysis , 1997, POPL '97.

[22]  George C. Necula,et al.  CCured in the real world , 2003, PLDI '03.