Auditing Buffer Overflow Vulnerabilities Using Hybrid Static-Dynamic Analysis

Abstract

Despite being studied for more than two decades buffer overflow vulnerabilities are still frequently reported in programs. In this paper, we propose a hybrid approach that combines static and dynamic program analysis to audit buffer overflows. Using simple rules, test data are generated to automatically confirm some of the vulnerabilities through dynamic analysis and the remaining cases are predicted by mining static code attributes. Confirmed cases can be directly fixed without further verification whereas predicted cases need to be manually reviewed to confirm existence of vulnerabilities. Since our approach combines the strengths of static and dynamic analyses, it results in an overall accuracy improvement. In our evaluation of approach using the standard benchmark suite, our classifiers achieved a recall over 92% and precision greater than 81%. The dynamic analysis component confirmed 51% of known vulnerabilities along with reporting 2 new bugs, thereby reducing by half, otherwise needed manual auditing effort.