Generating candidate code for detecting buffer overflow vulnerabilities

Material type
Thesis/Dissertation
Personal Author
장영수 張瑛洙
Title Statement
Generating candidate code for detecting buffer overflow vulnerabilities / Jang, Young Su
Publication, Distribution, etc
Seoul : Graduate School, Korea University, 2019
Physical Medium
v, 103 leaves : charts ; 26 cm
Other Form Entry
Generating Candidate Code for Detecting Buffer Overflow Vulnerabilities (DCOLL211009)000000084347
Dissertation Note
Thesis (Ph.D.) -- Graduate School, Korea University: Department of Computer and Radio Communications Engineering, 2019. 8
Department Code
0510 6YD36 363
General Note
Advisor: 최진영
Bibliography, Etc. Note
References: leaves 95-103
Other Available Formats
Also available as a PDF file; Requires PDF file reader(application/pdf)
Uncontrolled Subject Terms
Information security, Buffer overflow vulnerability, Software security monitoring

No. 1: Location: Science & Engineering Library/Stacks(Thesis)/; Call Number: 0510 6YD36 363; Accession No.: 123062321; Availability: Available
No. 2: Location: Science & Engineering Library/Stacks(Thesis)/; Call Number: 0510 6YD36 363; Accession No.: 123062322; Availability: Available
No. 3: Location: Sejong Academic Information Center/Thesis(5F)/; Call Number: 0510 6YD36 363; Accession No.: 153083339; Availability: Available

Contents information

Abstract

The security of a software program critically depends on the prevention of vulnerabilities in the source code; however, conventional computer programs lack the ability to identify vulnerable code in another program. Our research was aimed at developing a technique capable of generating candidate code for the detection of buffer overflow vulnerabilities in C/C++ programs. The technique automatically verifies and sanitizes code instrumentation by comparing the result of each candidate variable with that expected from the input data. Our results showed that statements containing buffer overflow vulnerabilities could be detected and prevented by using a candidate variable and by sanitizing code vulnerabilities based on the size of the variables. Thus, faults can be detected prior to execution of the statement, preventing malicious access.

For the verification of buffer overflow vulnerabilities, we designed and implemented a tool named VDLs (Vulnerability Detection Libraries). VDLs dynamically locates sensitive API method calls and instruments a set of variables along with safety condition checks to detect buffer overflow vulnerabilities in a C/C++ program. The instrumented code performs operations on variables as in the original program, and then validates their status to detect security violations. Our approach infers the sizes of different buffers and stores this information, instruments checks before sensitive operations, and performs assertion checks at runtime. The analyses are based on semantic analysis of API methods, which is used to understand the semantic characteristics of the instrumented code. Our approach is particularly useful for enhancing software security monitoring and for designing retrofitting techniques in applications.

Table of Contents

Abstract
Contents
List of Tables
List of Figures
1. Introduction
2. Literature review
3. Research overview
 3.1 Typical example
 3.2 Research objectives
 3.3 Research motivation
 3.4 Our approach
4. Formal analysis (Symbolic expressions)
 4.1 Candidate variable definition and verification
5. Implementation
 5.1 The tool: VDLs (Vulnerability Detection Libraries)
  5.1.1 Transformation of the source code
  5.1.2 Tree-based source code transformation
  5.1.3 Substitution code estimator using Behavior Knowledge
  5.1.4 Customized database and indexing syntax tree
  5.1.5 Quality assurance of variable constraint and assertion
 5.2 Limitations
 5.3 Extensions
 5.4 Errors and error handling
6. Evaluation
 6.1 Empirical evaluation of the test-suite
 6.2 Evaluation of real-world test cases
 6.3 Accuracy and performance
 6.4 Runtime analysis
7. Conclusion
References