Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects

Bibliographic Details
Main Author: Pereira, Jose D'Abruzzo
Publication Date: 2021
Other Authors: Ivaki, Naghmeh, Vieira, Marco
Format: Article
Language: eng
Source: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Download full: https://hdl.handle.net/10316/101176
https://doi.org/10.1109/ACCESS.2021.3120349
Summary: Security vulnerabilities are present in most software systems, especially in projects with a large codebase, with several versions over the years, developed by many developers. Issues with memory management, in particular buffer over ow, are among the most frequently exploited vulnerabilities in software systems developed in C/CCC. Nevertheless, most buffer over ow vulnerabilities are not detectable by vulnerability detection tools and static analysis tools (SATs). To improve vulnerability detection, we need to better understand the characteristics of such vulnerabilities and their root causes. In this study, we analyze 159 vulnerable code units from three representative projects (i.e., Linux Kernel, Mozilla, and Xen). First, the vulnerable code is characterized using the Orthogonal Defect Classi cation (ODC), showing that most buffer over ow vulnerabilities are related to missing or incorrect checking (e.g., missing if construct around statement or incorrect logical expression used as branch condition). Then, we run two widely used C/CCC Static Analysis Tools (SATs) (i.e., CppCheck and Flaw nder) on the vulnerable and neutral (after the vulnerability x) versions of each code unit, showing the low effectiveness of this type of tool in detecting buffer over ow vulnerabilities. Finally, we characterize the vulnerable and neutral versions of each code unit using software metrics, demonstrating that, although such metrics are frequently used as indicators of software quality, there is no clear correlation between them and the existence of buffer over ow in the code. As a result, we highlight a set of observations that should be considered to improve the detection of buffer over ow vulnerabilities.
id RCAP_ade43700c106126b3d0ebbb7ff7c01b7
oai_identifier_str oai:estudogeral.uc.pt:10316/101176
network_acronym_str RCAP
network_name_str Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
repository_id_str https://opendoar.ac.uk/repository/7160
spelling Characterizing Buffer Overflow Vulnerabilities in Large C/C++ ProjectsSoftware securitybuffer over flowstatic code analysisvulnerability detectionorthogonal defect classification (ODC)software metricsSecurity vulnerabilities are present in most software systems, especially in projects with a large codebase, with several versions over the years, developed by many developers. Issues with memory management, in particular buffer over ow, are among the most frequently exploited vulnerabilities in software systems developed in C/CCC. Nevertheless, most buffer over ow vulnerabilities are not detectable by vulnerability detection tools and static analysis tools (SATs). To improve vulnerability detection, we need to better understand the characteristics of such vulnerabilities and their root causes. In this study, we analyze 159 vulnerable code units from three representative projects (i.e., Linux Kernel, Mozilla, and Xen). First, the vulnerable code is characterized using the Orthogonal Defect Classi cation (ODC), showing that most buffer over ow vulnerabilities are related to missing or incorrect checking (e.g., missing if construct around statement or incorrect logical expression used as branch condition). Then, we run two widely used C/CCC Static Analysis Tools (SATs) (i.e., CppCheck and Flaw nder) on the vulnerable and neutral (after the vulnerability x) versions of each code unit, showing the low effectiveness of this type of tool in detecting buffer over ow vulnerabilities. Finally, we characterize the vulnerable and neutral versions of each code unit using software metrics, demonstrating that, although such metrics are frequently used as indicators of software quality, there is no clear correlation between them and the existence of buffer over ow in the code. As a result, we highlight a set of observations that should be considered to improve the detection of buffer over ow vulnerabilities.Project METRICS through FCT under Grant POCI-01-0145-FEDER-032504, in part by the Project ``AIDA Adaptive, Intelligent and Distributed Assurance Platform'' co- nanced by the European Regional Development Fund (ERDF) and COMPETE 2020 under Grant POCI-01-0247-FEDER-045907, and in part by FCT under Carnegie Mellon University (CMU) Portugal. FCT - 2020.04503.BD.2021info:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/articlehttps://hdl.handle.net/10316/101176https://hdl.handle.net/10316/101176https://doi.org/10.1109/ACCESS.2021.3120349eng2169-3536Pereira, Jose D'AbruzzoIvaki, NaghmehVieira, Marcoinfo:eu-repo/semantics/openAccessreponame:Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)instname:FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologiainstacron:RCAAP2024-12-18T14:59:04Zoai:estudogeral.uc.pt:10316/101176Portal AgregadorONGhttps://www.rcaap.pt/oai/openaireinfo@rcaap.ptopendoar:https://opendoar.ac.uk/repository/71602025-05-29T05:50:38.405174Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologiafalse
dc.title.none.fl_str_mv Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
title Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
spellingShingle Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
Pereira, Jose D'Abruzzo
Software security
buffer over flow
static code analysis
vulnerability detection
orthogonal defect classification (ODC)
software metrics
title_short Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
title_full Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
title_fullStr Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
title_full_unstemmed Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
title_sort Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
author Pereira, Jose D'Abruzzo
author_facet Pereira, Jose D'Abruzzo
Ivaki, Naghmeh
Vieira, Marco
author_role author
author2 Ivaki, Naghmeh
Vieira, Marco
author2_role author
author
dc.contributor.author.fl_str_mv Pereira, Jose D'Abruzzo
Ivaki, Naghmeh
Vieira, Marco
dc.subject.por.fl_str_mv Software security
buffer over flow
static code analysis
vulnerability detection
orthogonal defect classification (ODC)
software metrics
topic Software security
buffer over flow
static code analysis
vulnerability detection
orthogonal defect classification (ODC)
software metrics
description Security vulnerabilities are present in most software systems, especially in projects with a large codebase, with several versions over the years, developed by many developers. Issues with memory management, in particular buffer over ow, are among the most frequently exploited vulnerabilities in software systems developed in C/CCC. Nevertheless, most buffer over ow vulnerabilities are not detectable by vulnerability detection tools and static analysis tools (SATs). To improve vulnerability detection, we need to better understand the characteristics of such vulnerabilities and their root causes. In this study, we analyze 159 vulnerable code units from three representative projects (i.e., Linux Kernel, Mozilla, and Xen). First, the vulnerable code is characterized using the Orthogonal Defect Classi cation (ODC), showing that most buffer over ow vulnerabilities are related to missing or incorrect checking (e.g., missing if construct around statement or incorrect logical expression used as branch condition). Then, we run two widely used C/CCC Static Analysis Tools (SATs) (i.e., CppCheck and Flaw nder) on the vulnerable and neutral (after the vulnerability x) versions of each code unit, showing the low effectiveness of this type of tool in detecting buffer over ow vulnerabilities. Finally, we characterize the vulnerable and neutral versions of each code unit using software metrics, demonstrating that, although such metrics are frequently used as indicators of software quality, there is no clear correlation between them and the existence of buffer over ow in the code. As a result, we highlight a set of observations that should be considered to improve the detection of buffer over ow vulnerabilities.
publishDate 2021
dc.date.none.fl_str_mv 2021
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/article
format article
status_str publishedVersion
dc.identifier.uri.fl_str_mv https://hdl.handle.net/10316/101176
https://hdl.handle.net/10316/101176
https://doi.org/10.1109/ACCESS.2021.3120349
url https://hdl.handle.net/10316/101176
https://doi.org/10.1109/ACCESS.2021.3120349
dc.language.iso.fl_str_mv eng
language eng
dc.relation.none.fl_str_mv 2169-3536
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.source.none.fl_str_mv reponame:Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
instname:FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
instacron:RCAAP
instname_str FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
instacron_str RCAAP
institution RCAAP
reponame_str Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
collection Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
repository.name.fl_str_mv Repositórios Científicos de Acesso Aberto de Portugal (RCAAP) - FCCN, serviços digitais da FCT – Fundação para a Ciência e a Tecnologia
repository.mail.fl_str_mv info@rcaap.pt
_version_ 1833602491053244416

Similar Items