Hong Kong, China
June 27, 2011 to June 30, 2011
ISBN: 978-1-4244-9232-9
pp: 269-278
Wenhua Wang, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
Yu Lei, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
Donggang Liu, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
David Kung, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
Christoph Csallner, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
Dazhi Zhang, Department of Computer Science and Engineering, The University of Texas at Arlington, 76019, USA
Raghu Kacker, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, Maryland 20899, USA
Rick Kuhn, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, Maryland 20899, USA
ABSTRACT
Buffer overflow vulnerabilities are program defects that can cause a buffer to overflow at runtime. Many security attacks exploit buffer overflow vulnerabilities to compromise critical data structures. In this paper, we present a black-box testing approach to detecting buffer overflow vulnerabilities. Our approach is motivated by a reflection on how buffer overflow vulnerabilities are exploited in practice. In most cases the attacker can influence the behavior of a target system only by controlling its external parameters. Therefore, launching a successful attack often amounts to a clever way of tweaking the values of external parameters. We simulate the process performed by the attacker, but in a more systematic manner. A novel aspect of our approach is that it adapts a general software testing technique called combinatorial testing to the domain of security testing. In particular, our approach exploits the fact that combinatorial testing often achieves a high level of code coverage. We have implemented our approach in a prototype tool called Tance. The results of applying Tance to five open-source programs show that our approach can be very effective in detecting buffer overflow vulnerabilities.
CITATION
Wenhua Wang, Yu Lei, Donggang Liu, David Kung, Christoph Csallner, Dazhi Zhang, Raghu Kacker, Rick Kuhn, "A combinatorial approach to detecting buffer overflow vulnerabilities", DSN, 2011, 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) 2011, pp. 269-278, doi:10.1109/DSN.2011.5958225