Article

Using Program Transformation to Secure C Programs Against Buffer Overflows

Authors:

Christopher Dahn,

Spiros MancoridisAuthors Info & Claims

WCRE '03: Proceedings of the 10th Working Conference on Reverse Engineering

Page 323

Published: 13 November 2003 Publication History

Publisher Site

Abstract

Buffer overflows are the most common source of securityvulnerabilities in C programs. This class of vulnerability,which is found in both legacy and modern software, coststhe software industry hundreds of millions of dollars peryear.The most common type of buffer overflow is the run-timestack overflow. It is common because programmersoften use stack allocated arrays. This enables the attackerto change a program's control flow by writing beyond theboundary of an array onto a return address on the run-timestack. If the arrays are repositioned to the heap at compiletime, none of these attacks succeed. Furthermore, repositioningbuffers to the heap should perturb the heap memoryenough to prevent many heap overflows as well.We have created a tool called Gemini that repositionsstack allocated arrays at compile time using TXL. Thetransformation preserves the semantics of the program witha small performance penalty. This paper discusses thesemantics-preserving transformation of stack allocated arraysto heap allocated "pointers to arrays". A program thatis amenable to a buffer overflow attack and several Linuxprograms are used as examples to demonstrate the effectivenessand overhead of our technique.

Cited By

View all

Zieris PHorsch JKim JAhn GKim SKim YLopez JKim T(2018)A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow IntegrityProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196531(369-380)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196531
Pawlak RMonperrus MPetitprez NNoguera CSeinturier L(2016)SPOONSoftware—Practice & Experience10.1002/spe.234646:9(1155-1179)Online publication date: 1-Sep-2016
https://dl.acm.org/doi/10.1002/spe.2346
Dang TManiatis PWagner DBao FMiller SZhou JAhn G(2015)The Performance Cost of Shadow Stacks and Stack CanariesProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714635(555-566)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714635
Show More Cited By

Index Terms

Using Program Transformation to Secure C Programs Against Buffer Overflows
1. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language types
2. Theory of computation
  1. Logic
    1. Logic and verification

Recommendations

Program transformations to fix C buffer overflows
ICSE Companion 2014: Companion Proceedings of the 36th International Conference on Software Engineering

This paper describes two program transformations to fix buffer overflows originating from unsafe library functions and bad pointer operations. Together, these transformations fixed all buffer overflows featured in 4,505 programs of NIST’s SAMATE ...
Automatically Fixing C Buffer Overflows Using Program Transformations
DSN '14: Proceedings of the 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks

Fixing C buffer overflows at source code level remains a manual activity, at best semi-automated. We present an automated approach to fix buffer overflows by describing two program transformations that automatically introduce two well-known security ...
Buffer overflows of merging streams
SPAA '03: Proceedings of the fifteenth annual ACM symposium on Parallel algorithms and architectures

Consider an Internet service provider (ISP), or a corporate intranet, that connects a large number of users with the Internet backbone using an "uplink." Within such a system, consider the traffic oriented towards the uplink, namely the streams whose ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

WCRE '03: Proceedings of the 10th Working Conference on Reverse Engineering

November 2003

ISBN:0769520278

Publisher

IEEE Computer Society

United States

Publication History

Published: 13 November 2003

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zieris PHorsch JKim JAhn GKim SKim YLopez JKim T(2018)A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow IntegrityProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196531(369-380)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196531
Pawlak RMonperrus MPetitprez NNoguera CSeinturier L(2016)SPOONSoftware—Practice & Experience10.1002/spe.234646:9(1155-1179)Online publication date: 1-Sep-2016
https://dl.acm.org/doi/10.1002/spe.2346
Dang TManiatis PWagner DBao FMiller SZhou JAhn G(2015)The Performance Cost of Shadow Stacks and Stack CanariesProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714635(555-566)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714635
Shahriar HHaddad HVaidya I(2013)Buffer overflow patching for C and C++ programsACM SIGAPP Applied Computing Review10.1145/2505420.250542113:2(8-19)Online publication date: 1-Jun-2013
https://dl.acm.org/doi/10.1145/2505420.2505421
Younan YJoosen WPiessens F(2012)Runtime countermeasures for code injection attacks against C and C++ programsACM Computing Surveys10.1145/2187671.218767944:3(1-28)Online publication date: 14-Jun-2012
https://dl.acm.org/doi/10.1145/2187671.2187679
Shahriar HZulkernine M(2012)Mitigating program security vulnerabilitiesACM Computing Surveys10.1145/2187671.218767344:3(1-46)Online publication date: 14-Jun-2012
https://dl.acm.org/doi/10.1145/2187671.2187673
Penta MCerulo LAversano L(2009)The life and death of statically detected vulnerabilitiesInformation and Software Technology10.1016/j.infsof.2009.04.01351:10(1469-1484)Online publication date: 1-Oct-2009
https://dl.acm.org/doi/10.1016/j.infsof.2009.04.013
Lee TChiu KChang D(2009)A Lightweight Buffer Overflow Protection Mechanism with Failure-Oblivious CapabilityProceedings of the 9th International Conference on Algorithms and Architectures for Parallel Processing10.1007/978-3-642-03095-6_62(661-672)Online publication date: 30-Jul-2009
https://dl.acm.org/doi/10.1007/978-3-642-03095-6_62

Abstract

Cited By

Index Terms

Recommendations

Program transformations to fix C buffer overflows

Automatically Fixing C Buffer Overflows Using Program Transformations

Buffer overflows of merging streams

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations