research-article

Testing for buffer overflows with length abstraction

Authors:

Patrice Godefroid,

Rupak MajumdarAuthors Info & Claims

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis

Pages 27 - 38

https://doi.org/10.1145/1390630.1390636

Published: 20 July 2008 Publication History

Abstract

We present Splat, a tool for automatically generating inputs that lead to memory safety violations in C programs. Splat performs directed random testing of the code, guided by symbolic execution. However, instead of representing the entire contents of an input buffer symbolically, Splat tracks only a prefix of the buffer symbolically, and a symbolic length that may exceed the size of the symbolic prefix. The part of the buffer beyond the symbolic prefix is filled with concrete random inputs. The use of symbolic buffer lengths makes it possible to compactly summarize the behavior of standard buffer manipulation functions, such as string library functions, leading to a more scalable search for possible memory errors. While reasoning only about prefixes of buffer contents makes the search theoretically incomplete, we experimentally demonstrate that the symbolic length abstraction is both scalable and sufficient to uncover many real buffer overflows in C programs. In experiments on a set of benchmarks developed independently to evaluate buffer overflow checkers, Splat was able to detect buffer overflows quickly, sometimes several orders of magnitude faster than when symbolically representing entire buffers. Splat was also able to find two previously unknown buffer overflows in a heavily-tested storage system.

References

[1]

C. Cadar, V. Ganesh, P. Pawlowski, D. Dill, and D. Engler. Exe: automatically generating inputs of death. In CCS, 2006.

Digital Library

[2]

N. Dor, M. Rodeh, and S. Sagiv. CSSV: towards a realistic tool for statically detecting all buffer overflows in C. In PLDI, 2003.

Digital Library

[3]

J. C. Foster, V. Osipov, and N. Bhalla. Buffer Overflow Attacks. Syngress, 2005.

Digital Library

[4]

V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV, 2007.

Digital Library

[5]

P. Godefroid. Compositional dynamic test generation. In POPL, 2007.

Digital Library

[6]

P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In PLDI, 2005.

Digital Library

[7]

P. Godefroid, M. Y. Levin, and D. Molnar. Active property checking. Technical report, Microsoft, 2007.

[8]

P. Godefroid, M.Y. Levin, and D. Molnar. Automated whitebox fuzz testing. In NDSS, 2008.

[9]

A. Groce, G. J. Holzmann, and R. Joshi. Randomized differential testing as a prelude to formal verification. In ICSE, 2007.

Digital Library

[10]

R. Jones and P. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Third International Workshop on Automated Debugging, 1997.

[11]

P. Joshi, K. Sen, and M. Shlimovich. Predictive testing: amplifying the effectiveness of software testing. In FSE, 2007.

Digital Library

[12]

D. Knuth. The Art of Computer Programming, Volume 3: Sorting and Searching. Addison-Wesley, 1997.

Digital Library

[13]

E. Larson and T. Austin. High coverage detection of input-related security faults. In USENIX, 2003.

Digital Library

[14]

R. Ma jumdar and R. Xu. Directed test generation with symbolic grammars. In ASE, 2007.

Digital Library

[15]

N. Nethercote and J. Seward. Valgrind: a framework for heavyweight dynamic binary instrumentation. In PLDI, 2007.

Digital Library

[16]

O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In NDSS, 2004.

[17]

K. Sen, D. Marinov, and G. Agha. CUTE: a concolic unit testing engine for C. In FSE, 2005.

Digital Library

[18]

J. Seward and N. Nethercote. Using Valgrind to detect undefined value errors with bit-precision. In USENIX, 2005.

Digital Library

[19]

D. Sleator and R. Tarjan. Self-adjusting binary search trees. J. ACM, 32(3):652--686, 1985.

Digital Library

[20]

W. Visser, C. S. Pasareanu, and R. Pelánek. Test input generation for Java containers using state matching. In ISSTA, 2006.

Digital Library

[21]

D. Wagner, J. S. Foster, E. A. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In NDSS, 2000.

[22]

Y. Xie, A. Chou, and D. Engler. Archer: using symbolic, path-sensitive analysis to detect memory access errors. In FSE, 2003.

Digital Library

[23]

M. Zhivich, T. Leek, and R. Lippmann. Dynamic buffer overflow detection. In BUGS, 2005.

[24]

M. Zitser, R. Lippmann, and T. Leek. Testing static analysis tools using exploitable buffer overflows from open source code. In FSE, 2004.

Digital Library

Cited By

Yadav AWilson JHuyen PTan SMechtaev SKhurshid S(2024)BOSS: A dataset to train ML-based systems to repair programs with out-of-bounds write flawsProceedings of the 5th ACM/IEEE International Workshop on Automated Program Repair10.1145/3643788.3648013(26-33)Online publication date: 20-Apr-2024
https://dl.acm.org/doi/10.1145/3643788.3648013
Lauko HOlliaro MCortesi ARoc̆kai P(2020)Abstracting Strings for Model Checking of C ProgramsApplied Sciences10.3390/app1021785310:21(7853)Online publication date: 5-Nov-2020
https://doi.org/10.3390/app10217853
Gao FWang YWang LYang ZLi X(2020)Automatic Buffer Overflow Warning ValidationJournal of Computer Science and Technology10.1007/s11390-020-0525-z35:6(1406-1427)Online publication date: 30-Nov-2020
https://doi.org/10.1007/s11390-020-0525-z
Show More Cited By

Index Terms

Testing for buffer overflows with length abstraction
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Modular checking for buffer overflows in the large
ICSE '06: Proceedings of the 28th international conference on Software engineering

We describe an ongoing project, the deployment of a modular checker to statically find and prevent every buffer overflow in future versions of a Microsoft product. Lightweight annotations specify requirements for safely using each buffer, and functions ...
Buffer Overflow Management in QoS Switches

We consider two types of buffering policies that are used in network switches supporting Quality of Service (QoS). In the FIFO type, packets must be transmitted in the order in which they arrive; the constraint in this case is the limited buffer ...
Nearly optimal FIFO buffer management for two packet classes

We consider a FIFO buffer with finite storage space. An arbitrary input stream of packets arrives at the buffer, but the output stream rate is bounded, so overflows may occur. We assume that each packet has value which is either 1 or α, for some α > 1. ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis

July 2008

324 pages

ISBN:9781605580500

DOI:10.1145/1390630

General Chair:
Barbara G. Ryder
Virginia Tech, USA
,
Program Chair:
Andreas Zeller
Saarland University, Germany

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 July 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ISSTA '08

Sponsor:

ISSTA '08: International Symposium on Software Testing and Analysis

July 20 - 24, 2008

WA, Seattle, USA

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Upcoming Conference

ISSTA '25

Sponsor:
sigsoft

34th ACM SIGSOFT International Symposium on Software Testing and Analysis

June 25 - 28, 2025

Trondheim , Norway

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

57
Total Citations
View Citations
786
Total Downloads

Downloads (Last 12 months)9
Downloads (Last 6 weeks)2

Reflects downloads up to 26 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Yadav AWilson JHuyen PTan SMechtaev SKhurshid S(2024)BOSS: A dataset to train ML-based systems to repair programs with out-of-bounds write flawsProceedings of the 5th ACM/IEEE International Workshop on Automated Program Repair10.1145/3643788.3648013(26-33)Online publication date: 20-Apr-2024
https://dl.acm.org/doi/10.1145/3643788.3648013
Lauko HOlliaro MCortesi ARoc̆kai P(2020)Abstracting Strings for Model Checking of C ProgramsApplied Sciences10.3390/app1021785310:21(7853)Online publication date: 5-Nov-2020
https://doi.org/10.3390/app10217853
Gao FWang YWang LYang ZLi X(2020)Automatic Buffer Overflow Warning ValidationJournal of Computer Science and Technology10.1007/s11390-020-0525-z35:6(1406-1427)Online publication date: 30-Nov-2020
https://doi.org/10.1007/s11390-020-0525-z
Cortesi ALauko HOlliaro MRočkai P(2019)String Abstraction for Model Checking of C ProgramsModel Checking Software10.1007/978-3-030-30923-7_5(74-93)Online publication date: 2-Oct-2019
https://doi.org/10.1007/978-3-030-30923-7_5
Chaim MSantos DCruzes D(2018)What Do We Know About Buffer Overflow Detection?International Journal of Systems and Software Security and Protection10.4018/IJSSSP.20180701019:3(1-33)Online publication date: 1-Jul-2018
https://doi.org/10.4018/IJSSSP.2018070101
Gerasimov A(2018)Directed Dynamic Symbolic Execution for Static Analysis Warnings ConfirmationProgramming and Computing Software10.1134/S036176881805002X44:5(316-323)Online publication date: 1-Sep-2018
https://dl.acm.org/doi/10.1134/S036176881805002X
Zhang XGong YWang Y(2017)Heuristic Guided Selective Path Exploration for Loop Structure in Coverage TestingInternational Journal of Open Source Software and Processes10.4018/IJOSSP.20170401048:2(59-75)Online publication date: 1-Apr-2017
https://dl.acm.org/doi/10.4018/IJOSSP.2017040104
Xu ZGupta AMalik S(2017)Trace-based Analysis of Memory Corruption Malware AttacksHardware and Software: Verification and Testing10.1007/978-3-319-70389-3_5(67-82)Online publication date: 12-Nov-2017
https://doi.org/10.1007/978-3-319-70389-3_5
Gao FChen TWang YSitu LWang LLi XMei HLv JJin ZLi X(2016)CarrayboundProceedings of the 8th Asia-Pacific Symposium on Internetware10.1145/2993717.2993724(81-90)Online publication date: 18-Sep-2016
https://dl.acm.org/doi/10.1145/2993717.2993724
Gao FWang LLi XLo DApel SKhurshid S(2016)BovInspector: automatic inspection and repair of buffer overflow vulnerabilitiesProceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering10.1145/2970276.2970282(786-791)Online publication date: 25-Aug-2016
https://dl.acm.org/doi/10.1145/2970276.2970282
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten