Open AccessAuditing buffer overflow vulnerabilities using hybrid static–dynamic analysis
Author(s) -
Padmanabhuni Bindu Madhavi,
Tan Hee Beng Kuan
Publication year - 2016
Publication title -
iet software
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.305
H-Index - 43
eISSN - 1751-8814
pISSN - 1751-8806
DOI - 10.1049/iet-sen.2014.0185
Subject(s) - buffer overflow , computer science , buffer (optical fiber) , audit , static analysis , operating system , programming language , business , accounting , telecommunications
Buffer overflow (BOF) vulnerabilities when present in code can be exploited to violate security objectives such as availability, confidentiality and integrity. They make up substantial portion of input manipulation attacks due to their common presence and ease of exploitation. In this study, the authors propose a hybrid approach combining static and dynamic program analysis with machine learning to audit BOFs. Simple rules to generate test data is proposed to confirm some of the vulnerabilities through dynamic analysis. Confirmed cases can be fixed by developers without further verification. Statements whose vulnerability is not confirmed by dynamic analysis are predicted by mining static code attributes. In the authors’ evaluation using standard benchmarks, their best classifier achieved a recall over 93% and accuracy >94%. Dynamic analysis itself confirmed 34% of known vulnerabilities along with reporting six new bugs, thereby reducing by third, otherwise needed manual auditing effort.