Auditing buffer overflow vulnerabilities using hybrid static-dynamic analysis

Buffer overflow (BOF) vulnerabilities when present in code can be exploited to violate security objectives such as availability, confidentiality and integrity. They make up substantial portion of input manipulation attacks due to their common presence and ease of exploitation. In this study, the authors propose a hybrid approach combining static and dynamic program analysis with machine learning to audit BOFs. Simple rules to generate test data is proposed to confirm some of the vulnerabilities through dynamic analysis. Confirmed cases can be fixed by developers without further verification. Statements whose vulnerability is not confirmed by dynamic analysis are predicted by mining static code attributes. In the authors' evaluation using standard benchmarks, their best classifier achieved a recall over 93% and accuracy >94%. Dynamic analysis itself confirmed 34% of known vulnerabilities along with reporting six new bugs, thereby reducing by third, otherwise needed manual auditing effort.