Defending against Buffer-Overflow Vulnerabilities
November 2011 (vol. 44 no. 11)
pp. 53-60
Bindu Madhavi Padmanabhuni, Nanyang Technological University, Singapore
Hee Beng Kuan Tan, Nanyang Technological University, Singapore
A survey of techniques ranging from static analysis to hardware modification describes how various defensive approaches protect against buffer overflow, a vulnerability that represents a severe security threat.

Index Terms:
Computer security, Buffer overflow, Vulnerabilities
Bindu Madhavi Padmanabhuni, Hee Beng Kuan Tan, "Defending against Buffer-Overflow Vulnerabilities," Computer, vol. 44, no. 11, pp. 53-60, Nov. 2011, doi:10.1109/MC.2011.229