Implementation of a function translator converting vulnerable functions for preventing buffer overflow attacks

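  • Ik-Su Kim (School of Computing, Soongsil University) ;
  • Yong-Yun Cho (Department of Information and Communication Engineering, Sunchon National University)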
  • Received : 2009.01.04
  • Accepted : 2010.02.17
  • Published : 2010.03.30

Abstract

The C language is frequently used to develop application and system programs. However, programs written in C are vulnerable to buffer overflow attacks. To prevent buffer overflows, programmers have to check the boundaries of buffer areas when they develop programs, but vulnerable programs frequently result from programmers' improper habits and mistakes. Existing research on preventing buffer overflow attacks only warns programmers about vulnerabilities and does not remove them in advance, so the programs still contain vulnerabilities. In this paper, we propose a function translator that prevents the creation of programs containing buffer overflow vulnerabilities. To prevent a binary from being built from vulnerable source, the proposed translator searches for the vulnerable functions that cause buffer overflows and converts them into secure functions. Accordingly, it can prevent programmers who lack security knowledge from developing vulnerable programs.
