Testing C Programs for Buffer Overflow Vulnerabilities

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2003

Volumn , Issue , 2003, Pages

  Haugh, Eric ^a   Bishop, Matt ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BUFFER STORAGE; C (PROGRAMMING LANGUAGE); INSTRUMENT TESTING; NETWORK SECURITY; OPEN SYSTEMS; PETROLEUM RESERVOIR EVALUATION; SOFTWARE TESTING;

BUFFER OVERFLOWS; CONDITION; KEEP TRACK OF; MEMORY BUFFERS; NORMAL TEST; OPEN-SOURCE SOFTWARES; SECURITY VULNERABILITIES; TEST DATA; TESTING C PROGRAMS; TESTING TECHNIQUE;

OPEN SOURCE SOFTWARE;

EID: 85180532121     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (25)

1. AlephOne. Smashing the stack for fun and profit. Phrack, 7(49), November 1996.
2. Cert coordination center, advisory ca-1999-03. http://www.cert.org/advisories/CA-99-03.html.
3. Cert coordination center, advisory ca-1999-13. http://www.cert.org/advisories/CA-1999-13.html.
4. Cert coordination center, vulnerability note vu#363715. http://www.kb.cert.org/vuls/id/363715.
5. Y. Coady, G. Kiczales, M. Feeley, and G. Smolyn. Using aspectc to improve the modularity of path-specific customization in operating system code. In 9th ACM SIGSOFT Symposium on the Foundations of Software Engineering, Vienna University of Technology, Austria, September 2001.
6. C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. In Proceedings of the DARPA Information Survivability Conference and Expo, 1999.
7. N. Dor, M. Rodeh, and M. Sagiv. Cleanness checking of string manipulations in c programs via integer analysis. In Proceedings of the Eight International Static Analysis Symposium, June 2001.
8. M. Eichin and J. Rochlis. With microscope and tweezers: An analysis of the internet virus of november 1988. In Proceedings of the 1989 IEEE Computer Society Symposium on Security and Privacy, 1989.
9. G. Fink and M. Bishop. Property based testing: A new approach to testing for assurance. ACM SIGSOFT Software Engineering Notes, 22(4), July 1997.
10. G. Fink, M. Helmke, M. Bishop, and K. Levitt. An interface language between specifications and testing. Technical Report CSE-95-15, University of California, Davis, 1995.
11. G. Fink, C. Ko, M. Archer, and K. Levitt. Toward a property-based testing environment with application to security critical software. In Proceedings of the 4th Irvine Software Symposium, pages 39–48, April 1994.
12. A. Ghosh, T. O’Connor, and G. McGraw. An automated approach for identifying potential vulnerabilities in software. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 104–114, May 1998. Oakland, CA.
13. R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, 1992.
14. E. Haugh. Testing c programs for buffer overflow vulnerabilities. Master’s thesis, University of California at Davis, September 2002.
15. O. Kirch. The poisoned nul byte, post to the bugtraq mailing list, October 1998. http://www.securityfocus.com/archive/1/10884.
16. D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In USENIX Security Symposium, Washington, D. C., August 2001.
17. B. Miller, L. Fredricksen, and B. So. Empirical study of the reliability of unix utilities. Communications of the ACM, 33(12):32–44, December 1990.
18. T. C. Miller and T. de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. In Proceedings of the 1999 USENIX Annual Technical Conference, June 1999. Monterey, California, USA.
19. Nsfocus security advisory, sun solaris xsun “-co” heap overflow. http://online.securityfocus.com/archive/1/265370.
20. Openbsd developers, single-byte buffer overflow vulnerability in ftpd, December 2000. http://www.openbsd.org/advisories/ftpd replydirname.txt.
21. Secure software solutions, rats, the rough auditing tool for security. http://www.securesw.com/rats/.
22. J. Viega, J. Bloch, T. Kohno, and G. McGraw. Its4: A static vulnerability scanner for c and c++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, December 2000.
23. J. Viega and G. McGraw. Building Secure Software. Addison-Wesley, Boston, 2002.
24. D. Wagner. Personal communication, May 2002.
25. D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Symposium on Network and Distributed Systems Security (NDSS’00), pages 3–17, February 2000. San Diego CA.