Article

Automatically Fixing C Buffer Overflows Using Program Transformations

Authors:

Alex Shaw,

Dusten Doggett,

Munawar HafizAuthors Info & Claims

DSN '14: Proceedings of the 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

Pages 124 - 135

https://doi.org/10.1109/DSN.2014.25

Published: 23 June 2014 Publication History

Abstract

Fixing C buffer overflows at source code level remains a manual activity, at best semi-automated. We present an automated approach to fix buffer overflows by describing two program transformations that automatically introduce two well-known security solutions to C source code. The transformations embrace the difficulties of correctly analyzing and modifying C source code considering pointers and aliasing. They are effective: they fixed all buffer overflows featured in 4,505 programs of NIST's SAMATE reference dataset, making the changes automatically on over 2.3 million lines of code (MLOC). They are also safe: we applied them to make hundreds of changes on four open source programs (1.7 MLOC) without breaking the programs. Automated transformations such as these can be used by developers during coding, and by maintainers to fix problems in legacy code. They can be applied on a case by case basis, or as a batch to fix the root causes behind buffer overflows, thereby improving the dependability of systems.

Cited By

View all

Pasupuleti KLi JSu HZiauddin M(2023)Automatic SQL Error Mitigation in OracleProceedings of the VLDB Endowment10.14778/3611540.361156816:12(3835-3847)Online publication date: 1-Aug-2023
https://dl.acm.org/doi/10.14778/3611540.3611568
Utture APalsberg JChandra SBlincoe KTonella P(2023)From Leaks to Fixes: Automated Repairs for Resource Leak WarningsProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616267(159-171)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616267
Oh WOh HRoychoudhury ACadar CKim M(2022)PyTER: effective program repair for Python type errorsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549130(922-934)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549130
Show More Cited By

Recommendations

Program transformations to fix C buffer overflows
ICSE Companion 2014: Companion Proceedings of the 36th International Conference on Software Engineering

This paper describes two program transformations to fix buffer overflows originating from unsafe library functions and bad pointer operations. Together, these transformations fixed all buffer overflows featured in 4,505 programs of NIST’s SAMATE ...
Testing static analysis tools using exploitable buffer overflows from open source code

Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each ...
Testing static analysis tools using exploitable buffer overflows from open source code
SIGSOFT '04/FSE-12: Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering

Five modern static analysis tools (ARCHER, BOON, Poly-Space C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each ...

Comments

Information & Contributors

Information

Published In

DSN '14: Proceedings of the 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

June 2014

801 pages

ISBN:9781479922338

Publisher

IEEE Computer Society

United States

Publication History

Published: 23 June 2014

Author Tag

buffer, overflow, dependability, security

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 18 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Pasupuleti KLi JSu HZiauddin M(2023)Automatic SQL Error Mitigation in OracleProceedings of the VLDB Endowment10.14778/3611540.361156816:12(3835-3847)Online publication date: 1-Aug-2023
https://dl.acm.org/doi/10.14778/3611540.3611568
Utture APalsberg JChandra SBlincoe KTonella P(2023)From Leaks to Fixes: Automated Repairs for Resource Leak WarningsProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616267(159-171)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616267
Oh WOh HRoychoudhury ACadar CKim M(2022)PyTER: effective program repair for Python type errorsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549130(922-934)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549130
Lee JHong SOh HDwyer MDamian DZeller A(2022)NPEXProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510186(1532-1544)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510003.3510186
Song DLee WOh HSpinellis DGousios GChechik MDi Penta M(2021)Context-aware and data-driven feedback generation for programming assignmentsProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468598(328-340)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468598
Hong SLee JLee JOh HRothermel GBae D(2020)SAVERProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380323(271-283)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377811.3380323
Collie BGinsbach PWoodruff JRajan AO'Boyle MGrundy JLe Goues CLo D(2020)M3Proceedings of the 35th IEEE/ACM International Conference on Automated Software Engineering10.1145/3324884.3416618(90-102)Online publication date: 21-Dec-2020
https://dl.acm.org/doi/10.1145/3324884.3416618
Xu XSui YYan HXue JAtlee JBultan TWhittle J(2019)VFixProceedings of the 41st International Conference on Software Engineering10.1109/ICSE.2019.00063(512-523)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/ICSE.2019.00063
Yu ZMartinez MDanglot BDurieux TMonperrus M(2019)Alleviating patch overfitting with automatic test generationEmpirical Software Engineering10.1007/s10664-018-9619-424:1(33-67)Online publication date: 1-Feb-2019
https://dl.acm.org/doi/10.1007/s10664-018-9619-4
Lee JHong SOh HLeavens GGarcia APăsăreanu C(2018)MemFix: static analysis-based repair of memory deallocation errors for CProceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3236024.3236079(95-106)Online publication date: 26-Oct-2018
https://dl.acm.org/doi/10.1145/3236024.3236079
Show More Cited By

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

Program transformations to fix C buffer overflows

Testing static analysis tools using exploitable buffer overflows from open source code

Testing static analysis tools using exploitable buffer overflows from open source code

Comments

Information

Published In

Publisher

Publication History

Author Tag

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations