A Taxonomy of Buffer Overflow Characteristics

Cited by: 18
Authors
Bishop, Matt [1]
Engle, Sophie [2]
Howard, Damien [3]
Whalen, Sean [4]
Affiliations
[1] Univ Calif Davis, Dept Comp Sci, Davis, CA 95616 USA
[2] Univ San Francisco, Dept Comp Sci, San Francisco, CA 94117 USA
[3] Knobbe Martens Olson & Bear LLP, Irvine, CA 92614 USA
[4] Columbia Univ, Dept Comp Sci, New York, NY 10027 USA
Funding
National Science Foundation (USA);
Keywords
Protection mechanisms; software/program verification; security and privacy; arrays;
DOI
10.1109/TDSC.2012.10
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
Significant work on vulnerabilities focuses on buffer overflows, in which data exceeding the bounds of an array is loaded into the array. The loading continues past the array boundary, causing variables and state information located adjacent to the array to change. As the process is not programmed to check for these additional changes, the process acts incorrectly. The incorrect action often places the system in a nonsecure state. This work develops a taxonomy of buffer overflow vulnerabilities based upon characteristics, or preconditions that must hold for an exploitable buffer overflow to exist. We analyze several software and hardware countermeasures to validate the approach. We then discuss alternate approaches to ameliorating this vulnerability.
Pages: 305 - 317
Page count: 13
Related papers
50 in total
  • [1] Characteristics of Buffer Overflow Attacks Tunneled in HTTP Traffic
    Homoliak, Ivan
    Ovsonka, Daniel
    Koranda, Karel
    Hanacek, Petr
    2014 INTERNATIONAL CARNAHAN CONFERENCE ON SECURITY TECHNOLOGY (ICCST), 2014,
  • [2] BUFFER OVERFLOW
    Spruth, W. G.
    COMPUTER, 2012, 45 (08) : 7 - 7
  • [3] Buffer overflow and format string overflow vulnerabilities
    Lhee, KS
    Chapin, SJ
    SOFTWARE-PRACTICE & EXPERIENCE, 2003, 33 (05): : 423 - 460
  • [4] Method of integer overflow detection to avoid buffer overflow
    School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
    Unknown
    J. Southeast Univ. Engl. Ed., 2009, 2 (219-223):
  • [5] The Cost of Preventing a Buffer Overflow
    Gordonov, Anatoliy S.
    2014 ZONE 1 CONFERENCE OF THE AMERICAN SOCIETY FOR ENGINEERING EDUCATION (ASEE ZONE 1), 2014,
  • [6] Vulnerability scanning for buffer overflow
    Iyer, A
    Liebrock, LM
    ITCC 2004: INTERNATIONAL CONFERENCE ON INFORMATION TECHNOLOGY: CODING AND COMPUTING, VOL 2, PROCEEDINGS, 2004, : 116 - 117
  • [7] Taxonomy of C Overflow Vulnerabilities Attack
    Ahmad, Nurul Haszeli
    Aljunid, Syed Ahmad
    Ab Manan, Jamalul-lail
    SOFTWARE ENGINEERING AND COMPUTER SYSTEMS, PT 2, 2011, 180 : 376 - +
  • [8] Buffer-overflow protection: The theory
    Piromsopa, Krerk
    Enbody, Richard J.
    2006 IEEE INTERNATIONAL CONFERENCE ON ELECTRO/INFORMATION TECHNOLOGY, 2006, : 454 - 458
  • [9] New mechanism for buffer overflow prevention
    Li, Cheng-Hung
    Luo, Chi-Wei
    Leu, Show-Wei
    Jan, Gene Eu
    IMECS 2006: INTERNATIONAL MULTICONFERENCE OF ENGINEERS AND COMPUTER SCIENTISTS, 2006, : 481 - 486
  • [10] The Principle and Prevention of Windows Buffer Overflow
    Liu Feifei
    PROCEEDINGS OF 2012 7TH INTERNATIONAL CONFERENCE ON COMPUTER SCIENCE & EDUCATION, VOLS I-VI, 2012, : 1285 - 1288