Using static symbolic execution to detect buffer overflows

Programming and Computer Software

Abstract

Buffer overrun remains one of the main sources of errors and vulnerabilities in C/C++ source code. Static analysis is widely used to detect such defects. In this paper, we propose a path-sensitive static analysis based on symbolic execution with state merging. For buffers with compile-time-known sizes, we present an interprocedural path- and context-sensitive overrun detection algorithm that finds program points satisfying a proposed error definition. The described approach was implemented in the Svace static analyzer without significant loss of performance. On Android 5.0.2, these detectors generated 351 warnings, 64% of which were true positives. In addition, we describe a prototype of an intraprocedural heap buffer overflow detector and present an example of a defect found by this detector.
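To make the approach in the abstract concrete, the following is an added toy illustration (written for this page, not code from the paper or from Svace) of path-sensitive symbolic execution with state merging applied to a fixed-size buffer. It assumes a deliberately small model: a symbolic term is a Python closure over the program inputs, a path condition is a list of predicates, a join point merges the two branch states into one whose variables are if-then-else terms, and the solver is brute force over a bounded integer domain (a stand-in for the SMT solver a real analyzer would use). The analyzed program is constructed for the example; the error definition used is "some execution reaching the access point has an index outside [0, size)".

```python
"""Toy path-sensitive symbolic executor with state merging for accesses to
buffers of compile-time-known size.  Added illustration, not Svace code:
symbolic terms are closures over the inputs and 'solving' is brute force
over DOMAIN (assumption standing in for a real constraint solver)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional

Env = Dict[str, int]
Sym = Callable[[Env], int]          # symbolic term = function of the inputs
Pred = Callable[[Env], bool]
DOMAIN = range(-4, 20)              # bounded input domain (assumed, for brute force)

def const(c: int) -> Sym: return lambda env: c
def var(name: str) -> Sym: return lambda env: env[name]
def gt(a: Sym, b: Sym) -> Pred: return lambda env: a(env) > b(env)
def lt(a: Sym, b: Sym) -> Pred: return lambda env: a(env) < b(env)
def neg(p: Pred) -> Pred: return lambda env: not p(env)

@dataclass
class State:
    pc: List[Pred]                  # path condition: conjunction of predicates
    vals: Dict[str, Sym]            # symbolic value of each program variable

def branch(st: State, cond: Pred):
    """Fork a state at `if (cond)`; both successors keep the common prefix pc."""
    return (State(st.pc + [cond], dict(st.vals)),
            State(st.pc + [neg(cond)], dict(st.vals)))

def merge(then_st: State, else_st: State, cond: Pred, base_pc: List[Pred]) -> State:
    """State merging at the join point: one successor whose variables are
    if-then-else terms over the branch condition, instead of two states.
    This is what stops the state count from doubling at every branch."""
    def ite(a: Sym, b: Sym) -> Sym:
        return lambda env: a(env) if cond(env) else b(env)
    vals = {v: ite(then_st.vals[v], else_st.vals[v]) for v in then_st.vals}
    return State(list(base_pc), vals)

def solve(preds: List[Pred], inputs: List[str]) -> Optional[Env]:
    """Return an input assignment satisfying all predicates, or None."""
    for choice in product(DOMAIN, repeat=len(inputs)):
        env = dict(zip(inputs, choice))
        if all(p(env) for p in preds):
            return env
    return None

def check_access(st: State, index: Sym, size: int, inputs: List[str]) -> Optional[Env]:
    """Error definition for a fixed-size buffer: the access point is defective
    if some execution reaching it (pc satisfiable) has index outside [0, size).
    Returns a witness input on a warning, None when the access is safe."""
    out_of_bounds = lambda env: not (0 <= index(env) < size)
    return solve(st.pc + [out_of_bounds], inputs)

def analyze_example() -> Dict[str, Optional[Env]]:
    """Symbolically execute this constructed C-like program (n: untrusted int):
        int buf[8]; int i = n;
        if (n > 7) i = 7;     // clamps only the upper bound
        buf[i] = 0;           // A: still reachable with i < 0
        if (i < 0) i = 0;     // now clamped on both sides
        buf[i] = 0;           // B: safe
        buf[n] = 0;           // C: unchecked index
    """
    inputs = ["n"]
    st = State([], {"n": var("n")})
    st.vals["i"] = st.vals["n"]
    cond = gt(st.vals["n"], const(7))
    t, e = branch(st, cond)
    t.vals["i"] = const(7)
    st = merge(t, e, cond, st.pc)
    report = {"A: buf[i] after upper clamp": check_access(st, st.vals["i"], 8, inputs)}
    cond2 = lt(st.vals["i"], const(0))
    t, e = branch(st, cond2)
    t.vals["i"] = const(0)
    st = merge(t, e, cond2, st.pc)
    report["B: buf[i] after both clamps"] = check_access(st, st.vals["i"], 8, inputs)
    report["C: buf[n] unchecked"] = check_access(st, st.vals["n"], 8, inputs)
    return report

if __name__ == "__main__":
    for point, witness in analyze_example().items():
        print(f"{point}: {'WARNING, witness ' + str(witness) if witness else 'ok'}")
```

Access A is reported with a negative witness even though the upper clamp is in place, B is silent because the merged if-then-else term for `i` is provably inside the buffer on every path, and C is reported because nothing constrains `n`. The point of merging is visible in `merge`: after each `if` there is still one state, with the branch condition folded into the variable's term rather than into a second path.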

Author information

Corresponding author: I. A. Dudina.

Additional information

Original Russian Text © I.A. Dudina, A.A. Belevantsev, 2017, published in Programmirovanie, 2017, Vol. 43, No. 5.

About this article

Cite this article

Dudina, I.A., Belevantsev, A.A. Using static symbolic execution to detect buffer overflows. Program Comput Soft 43, 277–288 (2017). https://doi.org/10.1134/S0361768817050024
