Buffer overflow vulnerabilities are program defects that can cause a buffer to overflow at runtime. Many security attacks exploit buffer overflow vulnerabilities to compromise critical data structures. In this paper, we present a black-box testing approach to detecting buffer overflow vulnerabilities. Our approach is motivated by a reflection on how buffer overflow vulnerabilities are exploited in practice. In most cases the attacker can influence the behavior of a target system only by controlling its external parameters. Therefore, launching a successful attack often amounts to a clever way of tweaking the values of external parameters. We simulate the process performed by the attacker, but in a more systematic manner. A novel aspect of our approach is that it adapts a general software testing technique called combinatorial testing to the domain of security testing. In particular, our approach exploits the fact that combinatorial testing often achieves a high level of code coverage. We have implemented our approach in a prototype tool called Tance. The results of applying Tance to five open-source programs show that our approach can be very effective in detecting buffer overflow vulnerabilities. © 2011 IEEE.
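As an added illustration (not code from the paper and not Tance's algorithm), the sketch below builds a greedy 2-way combinatorial test suite over the external parameters of a hypothetical target and runs it against a Python model of an unchecked copy into a fixed-size buffer. The parameter names and values, the 256-byte buffer and the target model are constructed assumptions.

```python
from itertools import combinations, product

# Constructed external parameters of a hypothetical target (not from the paper).
PARAMS = {
    "mode": ["get", "put", "list"],
    "name_len": [8, 64, 300],  # 300 is the extreme value, above BUF_SIZE
    "encoding": ["ascii", "utf8"],
    "verbose": [0, 1],
}
BUF_SIZE = 256  # assumed fixed buffer size in the modelled target


def pairs_of(test):
    """Every two-parameter (name, value) combination that one test covers."""
    return {frozenset(p) for p in combinations(sorted(test.items()), 2)}


def pairwise_suite(params):
    """Greedy 2-way suite: each value pair of any two parameters is in some test."""
    names = list(params)
    candidates = [dict(zip(names, v)) for v in product(*params.values())]
    uncovered = set().union(*(pairs_of(t) for t in candidates))
    suite = []
    while uncovered:
        # Pick the candidate that covers the most still-uncovered pairs.
        best = max(candidates, key=lambda t: len(pairs_of(t) & uncovered))
        suite.append(best)
        uncovered -= pairs_of(best)
    return suite


def target_overflows(test):
    """Model of a handler whose 'put' path copies the name with no length check."""
    if test["mode"] != "put":
        return False  # other modes never reach the unchecked copy
    return test["name_len"] > BUF_SIZE


def run(params):
    """Return the generated suite and the tests that overflow the modelled buffer."""
    suite = pairwise_suite(params)
    return suite, [t for t in suite if target_overflows(t)]


if __name__ == "__main__":
    suite, failing = run(PARAMS)
    total = len(list(product(*PARAMS.values())))
    print(f"{len(suite)} pairwise tests instead of {total} exhaustive ones")
    for t in failing:
        print("overflow reached by:", t)
```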
CITATION STYLE
Wang, W., Lei, Y., Liu, D., Kung, D., Csallner, C., Zhang, D., … Kuhn, R. (2011). A combinatorial approach to detecting buffer overflow vulnerabilities. In Proceedings of the International Conference on Dependable Systems and Networks (pp. 269–278). https://doi.org/10.1109/DSN.2011.5958225