http://dx.doi.org/10.17662/ksdim.2010.6.1.105

Implementation of a function translator converting vulnerable functions for preventing buffer overflow attacks  

Kim, Ik Su (School of Computing, Soongsil University)
Cho, Yong Yun (Division of Information and Communication Engineering, Sunchon National University)
Publication Information
Journal of Korea Society of Digital Industry and Information Management / v.6, no.1, 2010, pp. 105-114
Abstract
The C language is frequently used to develop application and system programs. However, programs written in C are vulnerable to buffer overflow attacks. To prevent buffer overflows, programmers have to check the boundaries of buffer areas when they develop programs. But vulnerable programs frequently result from programmers' improper programming habits and mistakes. Existing research on preventing buffer overflow attacks only warns programmers about vulnerabilities and does not remove the vulnerabilities in advance, so the programs still include them. In this paper, we propose a function translator which prevents the creation of programs that include buffer overflow vulnerabilities. To prevent a binary from being created from source that includes vulnerabilities, the proposed translator searches for vulnerable functions which cause buffer overflows and converts them into secure functions. Accordingly, the development of vulnerable programs by programmers who lack security knowledge can be prevented.
Keywords
Buffer Overflow; Vulnerable Function; Secure Programming; Security
Citations & Related Records
Times Cited By KSCI: 1