An automated approach to fix buffer overflows

Buffer overflows are one of the most common software vulnerabilities that occur when more data is inserted into a buffer than it can hold. Various manual and automated techniques for detecting and fixing specific types of buffer overflow vulnerability have been proposed, but the solution to fix Unicode buffer overflow has not been proposed yet. Public security vulnerability repository e.g., Common Weakness Enumeration (CWE) holds useful articles about software security vulnerabilities. Mitigation strategies listed in CWE may be useful for fixing the specified software security vulnerabilities. This research contributes by developing a prototype that automatically fixes different types of buffer overflows by using the strategies suggested in CWE articles and existing research. A static analysis tool has been used to evaluate the performance of the developed prototype tools. The results suggest that the proposed approach can automatically fix buffer overflows without inducing errors.

[1]  Claudia Eckert,et al.  IntRepair: Informed Repairing of Integer Overflows , 2018, IEEE Transactions on Software Engineering.

[2]  Alka Agrawal,et al.  A source code perspective framework to produce secure web applications , 2019, Computer Fraud & Security.

[3]  Yousef Farhaoui Intrusion Prevention System Inspired Immune Systems , 2016 .

[4]  Mamdouh Alenezi,et al.  Developer Companion: A Framework to Produce Secure Web Applications , 2016 .

[5]  Aishwarya Iyer,et al.  Vulnerability scanning for buffer overflow , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[6]  Michael Opoku Agyeman,et al.  An Overview of Prevention/Mitigation against Memory Corruption Attack , 2018 .

[7]  Vijay Raghavan,et al.  An Integrative Model of Managing Software Security during Information Systems Development , 2017, Journal of International Technology and Information Management.

[8]  Calton Pu,et al.  Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[10]  Nigel McKelvey,et al.  Developing a Secure Programming Module to cope with Modern Vulnerabilities , 2012 .

[11]  Bin Zhang,et al.  Detecting integer overflow in Windows binary executables based on symbolic execution , 2016, 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD).

[12]  Chao Zhang,et al.  IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time , 2010, ESORICS.

[13]  Mamdouh Alenezi,et al.  Security assessment framework for educational ERP systems , 2019 .

[14]  Edward B. Allen,et al.  Human Subject Evaluation of Computer-Security Training Recommender , 2016, 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC).

[15]  Babak Sadeghiyan,et al.  A Smart Fuzzing Method for Detecting Heap-Based Buffer Overflow in Executable Codes , 2015, 2015 IEEE 21st Pacific Rim International Symposium on Dependable Computing (PRDC).

[16]  Zhifeng Zeng,et al.  A New Detection Method for Stack Overflow Vulnerability Based on Component Binary Code for Third-Party Component , 2018, 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI).

[17]  Mamdouh Alenezi,et al.  Open source web application security: A static analysis approach , 2016, 2016 International Conference on Engineering & MIS (ICEMIS).

[18]  Alex Shaw,et al.  Automatically Fixing C Buffer Overflows Using Program Transformations , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[19]  Jingbo Yuan,et al.  A method for detecting buffer overflow vulnerabilities , 2011, 2011 IEEE 3rd International Conference on Communication Software and Networks.

[20]  Yu-ichi Hayashi,et al.  Buffer overflow attack with multiple fault injection and a proven countermeasure , 2017, Journal of Cryptographic Engineering.

[21]  Edward B. Allen,et al.  A Method for Recommending Computer-Security Training for Software Developers: Leveraging the Power of Static Analysis Techniques and Vulnerability Repositories , 2015, 2015 12th International Conference on Information Technology - New Generations.

[22]  Jiadong Ren,et al.  A Buffer Overflow Prediction Approach Based on Software Metrics and Machine Learning , 2019, Secur. Commun. Networks.

[23]  Tao Ye,et al.  An Empirical Study on Detecting and Fixing Buffer Overflow Bugs , 2016, 2016 IEEE International Conference on Software Testing, Verification and Validation (ICST).

[24]  Babak Sadeghiyan,et al.  Smart fuzzing method for detecting stack-based buffer overflow in binary codes , 2016, IET Softw..

[25]  Yeping He,et al.  Static Analysis of Format String Vulnerabilities , 2011, 2011 First ACIS International Symposium on Software and Network Engineering.

[26]  Xuandong Li,et al.  BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).