CNR Institutional Research Information System

Many of the bugs in distributed software modules are security vulnerabilities, the most common and also the most exploited of which are buffer overflows and they typically arise in programs written in the C language. This paper, focusing on static analysis tools for detecting buffer overflows in C programs, presents a methodology for experimentally evaluating and comparing the main objective features of such tools. The proposed method is based on testing all the tools on a common set of publicly available, open source software packages, and makes use of specific metrics defined to evaluate the main tool features. In particular, the evaluation aims at quantifying how close the tool is to a complete and sound tool. Our approach has been applied for an initial evaluation of the class of static analysis tools that are based on lexical analysis, using as test cases three well known network software packages. The results obtained, illustrated and commented on in this paper, offer some interesting indications

Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software

L Durante;D Pozza;R Sisto;A Valenzano

2006

Abstract

Many of the bugs in distributed software modules are security vulnerabilities, the most common and also the most exploited of which are buffer overflows and they typically arise in programs written in the C language. This paper, focusing on static analysis tools for detecting buffer overflows in C programs, presents a methodology for experimentally evaluating and comparing the main objective features of such tools. The proposed method is based on testing all the tools on a common set of publicly available, open source software packages, and makes use of specific metrics defined to evaluate the main tool features. In particular, the evaluation aims at quantifying how close the tool is to a complete and sound tool. Our approach has been applied for an initial evaluation of the class of static analysis tools that are based on lexical analysis, using as test cases three well known network software packages. The results obtained, illustrated and commented on in this paper, offer some interesting indications

Scheda breve

Scheda completa

Scheda completa (DC)

	Anno
	
				2006
			
	Strutture organizzative
	
				Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni - IEIIT
			
	Lingua/e
	
				Inglese
			
	Titolo del convegno
	
				1st IEEE International Conference on Communication System Software and Middleware (COMSWARE 2006)
			
	Da pagina
	
				1
			
	A pagina
	
				7
			
	Numero di pagine
	
				7
			
	Codice ISBN
	
				0-7803-9575-1
			
	Codice DOI
	
				https://dx.doi.org/10.1109/COMSWA.2006.1665217
			
	URL
	
				http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1665217
			
	Nome Editore
	
				IEEE-Institute Of Electrical And Electronics Engineers Inc.
			
	Città Editore
	
				Piscataway
			
	Nazione Editore
	
				STATI UNITI D'AMERICA
			
	Referee
	
				Sì, ma tipo non specificato
			
	Periodo del Convegno
	
				8-12 Gennaio 2006
			
	Luogo del Convegno
	
				New Delhi
			
	Parole chiave
	
				static and lexical analysis
buffer overflow
ITS4
Rats
Flawfinder
			
	Codice Scopus
	
				2-s2.0-34247539967
			
	Numero autori
	
				4
			
	Fulltext
	
				none
			
	Tutti gli autori
	
						Durante, L; Pozza, D; Sisto, R; Valenzano, A
					
	Tipologia Login Miur
	
				273
			
	Tipologia
	
				info:eu-repo/semantics/conferenceObject
			
	Tipologia
	
				04 Contributo in convegno::04.01 Contributo in Atti di convegno
			
	Appare nelle tipologie:
	
				04.01 Contributo in Atti di convegno

File in questo prodotto:

Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.14243/14252

Citazioni

ND

18

ND

social impact