A New Detection Method for Stack Overflow Vulnerability Based on Component Binary Code for Third-Party Component

Xie, Wanggen; Hu, Jinchang; Kudjo, Patrick Kwaku; Lei, Yu; Zeng, Zhifeng

doi:10.1109/smartworld.2018.00218

Cited by 2 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We used the data in Table II for testing, and the experiment distinguished fragile code from nonfragile code. In contrast to Coyote [11], we can detect problems such as unreleased arrays and pointers that are out of bounds; in contrast to ELAID [17] and SBOD [10], which target only buffer overflow vulnerabilities, we can detect vulnerabilities such as the use of undefined variables.…”

Section: Resultsmentioning

confidence: 96%

“…This paper mainly discusses AST, CFG and DFA techniques under static analysis. Xie et al [10] did not use ASTs, a Correspondence to: Yongjun Li. E-mail: lyj@nwpu.edu.cn School of Computer, Northwestern Polytechnical University, Xi'an, Shaanxi 710072, China CFGs, or DFA but relied only on a scan of the code to identify the buffer declaration and size to identify buffer overflow without paying attention to other vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DFlow: A Data Flow Analysis Tool for C/C++

Yan

et al. 2021

IEEJ Transactions Elec Engng

View full text Add to dashboard Cite

syntax trees (ASTs), control flow graphs (CFGs), and data flow analysis (DFA) are prerequisites for static and dynamic analysis and vulnerability detection for programs; thus, obtaining them is significant. Recently, many tools related to generating ASTs, CFGs, and DFA have been proposed. However, most tools can only construct ASTs, very few can construct ASTs and CFGs, and almost none can construct all three. The vast majority of AST, CFG, and DFA tools are for other languages (e.g., Java and Python), and while a few are for C/C++, they are implemented in other languages, creating complex working environments, and overreliance on other language-related libraries. To address these shortcomings, we present a DFA tool, DFlow, for C/C++. First, a lexical/grammatical analyzer generated by Flex and Bison is used to analyze the program. Second, an AST is constructed from the results; then, a CFG is obtained from the analysis results and the information from the AST. Finally, based on the AST and CFG, DFA is performed, and the vulnerabilities of simple programs are determined. We test some common vulnerable code and common weakness enumeration slicing code, which show the effectiveness of DFlow in program data flow analysis and vulnerability checking. The results show that our tool can implement ASTs, CFGs, and DFA, and we add some rules to the tool for vulnerability detection.

show abstract

Section: Resultsmentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

DFlow: A Data Flow Analysis Tool for C/C++

Yan

et al. 2021

IEEJ Transactions Elec Engng

View full text Add to dashboard Cite

show abstract

“…Stack-based buffer overflow vulnerability detection technique was proposed in binary codes [11]. Different buffers were scanned to find out the risk functions.…”

Section: Introductionmentioning

confidence: 99%

An automated approach to fix buffer overflows

Shahab¹,

Nadeem²,

Alenezi³

et al. 2020

IJECE

View full text Add to dashboard Cite

Buffer overflows are one of the most common software vulnerabilities that occur when more data is inserted into a buffer than it can hold. Various manual and automated techniques for detecting and fixing specific types of buffer overflow vulnerability have been proposed, but the solution to fix Unicode buffer overflow has not been proposed yet. Public security vulnerability repository e.g., Common Weakness Enumeration (CWE) holds useful articles about software security vulnerabilities. Mitigation strategies listed in CWE may be useful for fixing the specified software security vulnerabilities. This research contributes by developing a prototype that automatically fixes different types of buffer overflows by using the strategies suggested in CWE articles and existing research. A static analysis tool has been used to evaluate the performance of the developed prototype tools. The results suggest that the proposed approach can automatically fix buffer overflows without inducing errors.

show abstract

A New Detection Method for Stack Overflow Vulnerability Based on Component Binary Code for Third-Party Component

Cited by 2 publications

References 15 publications

DFlow: A Data Flow Analysis Tool for C/C++

DFlow: A Data Flow Analysis Tool for C/C++

An automated approach to fix buffer overflows

Contact Info

Product

Resources

About