Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects

Pereira, Jose D'Abruzzo; Ivaki, Naghmeh; Vieira, Marco

doi:10.1109/access.2021.3120349

Cited by 11 publications

(4 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“… Undergo training in writing secure code: The findings have indicated a lack of knowledge and practices to find vulnerabilities. This finding has also been confirmed by a recent study [8] that showed that most buffer overflow vulnerabilities are associated with missing checks (e.g., missing if construct around a statement) or incorrect checking (e.g., the wrong logical expression used as a branch condition). Regardless of the PLs used in coding, developers should have the required knowledge, training, and practices of secure source code.…”

Section: Timely Recommendationssupporting

confidence: 69%

“…However, the safer functions are not completely safe because strncpy() was a cause for buffer overflow in CP1 in Table V. This finding has been confirmed by previous researchers [8]. In particular, the unsafe strcpy() takes two arguments-destination and source-and the function copies the source, including the NULL character, to the destination.…”

Section: B Buffer Overflow/xsssupporting

confidence: 66%

“…The tool was tested with many mobile apps and it was found that they contained more than 12,000 and 4,000 backdoor secrets and blacklist secrets, respectively. Pereira et al [8] studied a number of buffer overflow vulnerabilities in the Linux kernel, Mozilla, and Xen open-source C/C++ projects to analyze possible methods of improving their detection. The results showed that most of the vulnerable source code units were with defects in checking and dealing with input data types.…”

Section: Related Workmentioning

confidence: 99%

“…The issue originates when an unallocated area is corrupted, and a fatal error often happens in the coming allocation request. Besides the use of goto in not handling exceptions and input errors [12], there are three main causes of potential memory mismanagement problems [8].…”

Section: A Potential Memory Mismanagementmentioning

confidence: 99%

See 3 more Smart Citations

Investigating the Input Validation Vulnerabilities in C Programs

Ebad¹

2023

IJACSA

View full text Add to dashboard Cite

Input validation is a fairly universal programming practice that helps reduce the chances of producing protectionrelated vulnerabilities in software. In this paper, an experiment is conducted to specifically determine the input validation issues found in programs and the problematic functions that lead to such issues. The experiment evaluated 12 arbitrarily selected open source C projects written by different programmers. The top two most common input validation problems are buffer overflow/XSS and potential memory mismanagement. In addition, the functions that caused the first problem are: (a) strings/text functions (e.g., strcpy and strcmp), and (b) functions that read from standard input, STDIN (e.g., scanf and gets). In contrast, the functions that caused the second problem are (a) memory allocation/deallocation functions (e.g., memmove and malloc), and (b) file manipulation functions (e.g., fopen and fseek). Furthermore, the goto construct-to a small extent-plays a role. The recommendations are that (a) developers are encouraged to use memory-safe programming languages, otherwise, they should perform different types of checks for the validity of inputs as soon as they are entered, and (b) they should have the required knowledge of secure source code and use tools/suites to manage malformed strings.

show abstract

Section: Timely Recommendationssupporting

confidence: 69%

Section: B Buffer Overflow/xsssupporting

confidence: 66%

Section: Related Workmentioning

confidence: 99%

Section: A Potential Memory Mismanagementmentioning

confidence: 99%

See 2 more Smart Citations