Improving network applications security: a new heuristic to generate stress testing data

Buffer overflows cause serious problems in different categories of software systems. For example, if present in network or security applications, they can be exploited to gain unauthorized privileges on or access to the system. In embedded systems, such as avionics or automotive systems, they can be the cause of serious accidents. This paper proposes to combine static analysis and program slicing with evolutionary testing to detect buffer overflow threats. Static analysis identifies vulnerable statements, while slicing and data dependency analysis identify the relationship between these statements and program or function inputs, thus reducing the search space. To guide the search towards discovering buffer overflows, in this work we define three multi-objective fitness functions and compare them on two open-source systems. These functions account for terms such as the statement coverage, the coverage of vulnerable statements, the distance from buffer boundaries and the coverage of unconstrained nodes of the control flow graph.
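The search the abstract describes can be sketched as follows; this is an added example, not the paper's code. The target function, its instrumentation, the fitness weights, the restricted alphabet and the (1+1) search strategy are all assumptions made for illustration, and the target only records how far its copy would write, so nothing is written out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF 16   /* destination buffer size in the constructed target */
#define LEN 32   /* length of each generated test input */
typedef struct { int nodes; int vuln; int dist; } probe_t;

/* Constructed function under test, instrumented: records the CFG nodes executed
   and how far the unchecked copy WOULD write, without performing the write. */
static probe_t run_target(const unsigned char *in) {
    probe_t p = {1, 0, BUF};                 /* node 1: entry */
    if (in[0] != 'L') return p;              /* guard on the path to the copy */
    p.nodes++;                               /* node 2: header accepted */
    int n = 0;
    while (1 + n < LEN && in[1 + n] != ':') n++;
    p.nodes++; p.vuln = 1;                   /* node 3: vulnerable statement reached */
    p.dist = BUF - (n + 1);                  /* < 0: field plus NUL exceeds the buffer */
    return p;
}

/* Assumed fitness: node coverage + vulnerable-statement coverage + boundary closeness. */
static double fitness(probe_t p) {
    double d = p.dist > 0 ? p.dist : 0;
    return 1.0 * p.nodes + 5.0 * p.vuln + 10.0 / (1.0 + d) + (p.dist < 0 ? 100.0 : 0.0);
}

static uint32_t rng_state = 2463534242u;     /* fixed seed keeps runs reproducible */
static uint32_t rng(void) {                  /* xorshift32 */
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* (1+1) evolutionary search: mutate one byte, keep the child if it is not worse.
   Returns the evaluations used, or -1 if the budget ran out without an overflow. */
static int search(unsigned char *best, int budget) {
    static const char alphabet[] = "L:ab";   /* bytes the slice shows to be relevant */
    memset(best, ':', LEN);
    for (int it = 1; it <= budget; it++) {
        unsigned char child[LEN];
        memcpy(child, best, LEN);
        uint32_t pos = rng() % LEN;
        child[pos] = (unsigned char)alphabet[rng() % 4];
        if (fitness(run_target(child)) >= fitness(run_target(best))) memcpy(best, child, LEN);
        if (run_target(best).dist < 0) return it;
    }
    return -1;
}
int main(void) { unsigned char in[LEN]; printf("evaluations: %d\n", search(in, 20000)); return 0; }
```

The coverage terms pull the search past the guard to the vulnerable statement, and the boundary-distance term then rewards each input that lengthens the copied field.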
