TY - GEN
T1 - A preliminary study on common programming mistakes that lead to buffer overflow vulnerability
AU - George, Giovanni
AU - Kotey, Jeremiah
AU - Ripley, Megan
AU - Sultana, Kazi Zakia
AU - Codabux, Zadia
N1 - Publisher Copyright: © 2021 IEEE.
PY - 2021/7
Y1 - 2021/7
N2 - When vulnerabilities are exploited, the impact can be insignificant or detrimental, depending on the attack’s nature. Research found that buffer overflow is one of the most widespread and frequently reported vulnerabilities that result in system crashes. This study investigates the frequent errors in the source code of production software that lead to buffer overflow such that its causes can be determined. The findings of the study can help guide developers to avoid these programming errors. Therefore, our study’s primary objective is to analyze vulnerable code components of software repositories and extract the developers’ frequent programming mistakes that have resulted in a buffer overflow attack. Sixteen vulnerable code components and relevant resolutions were selected from three popular and well-known systems: Android, Eclipse, and Red Hat, to be analyzed. The results show that lack of input sanitization, improper checking of array bounds and parameters, and the lack of value and range checks on variables are the most common programming issues that lead to a buffer overflow in these systems. We also found improper use of “If” and “While” loop conditions frequently contributed to the errors in bounds and variable checks.
AB - When vulnerabilities are exploited, the impact can be insignificant or detrimental, depending on the attack’s nature. Research found that buffer overflow is one of the most widespread and frequently reported vulnerabilities that result in system crashes. This study investigates the frequent errors in the source code of production software that lead to buffer overflow such that its causes can be determined. The findings of the study can help guide developers to avoid these programming errors. Therefore, our study’s primary objective is to analyze vulnerable code components of software repositories and extract the developers’ frequent programming mistakes that have resulted in a buffer overflow attack. Sixteen vulnerable code components and relevant resolutions were selected from three popular and well-known systems: Android, Eclipse, and Red Hat, to be analyzed. The results show that lack of input sanitization, improper checking of array bounds and parameters, and the lack of value and range checks on variables are the most common programming issues that lead to a buffer overflow in these systems. We also found improper use of “If” and “While” loop conditions frequently contributed to the errors in bounds and variable checks.
KW - Buffer overflow
KW - Programming mistakes
KW - Software vulnerability
UR - http://www.scopus.com/inward/record.url?scp=85115855729&partnerID=8YFLogxK
U2 - 10.1109/COMPSAC51774.2021.00194
DO - 10.1109/COMPSAC51774.2021.00194
M3 - Conference contribution
AN - SCOPUS:85115855729
T3 - Proceedings - 2021 IEEE 45th Annual Computers, Software, and Applications Conference, COMPSAC 2021
SP - 1375
EP - 1380
BT - Proceedings - 2021 IEEE 45th Annual Computers, Software, and Applications Conference, COMPSAC 2021
A2 - Chan, W. K.
A2 - Claycomb, Bill
A2 - Takakura, Hiroki
A2 - Yang, Ji-Jiang
A2 - Teranishi, Yuuichi
A2 - Towey, Dave
A2 - Segura, Sergio
A2 - Shahriar, Hossain
A2 - Reisman, Sorel
A2 - Ahamed, Sheikh Iqbal
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 45th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2021
Y2 - 12 July 2021 through 16 July 2021
ER -