Many of the bugs in distributed software modules are security vulnerabilities, the most common and also the most exploited of which are buffer overflows and they typically arise in programs written in the C language. This paper, focusing on static analysis tools for detecting buffer overflows in C programs, presents a methodology for experimentally evaluating and comparing the main objective features of such tools. The proposed method is based on testing all the tools on a common set of publicly available, open source software packages, and makes use of specific metrics defined to evaluate the main tool features. In particular, the evaluation aims at quantifying how close the tool is to a complete and sound tool. Our approach has been applied for an initial evaluation of the class of static analysis tools that are based on lexical analysis, using as test cases three well known network software packages. The results obtained, illustrated and commented on in this paper, offer some interesting indications

Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software / Pozza, Davide; Sisto, Riccardo; Durante, L; Valenzano, A.. - (2006). (Intervento presentato al convegno COMSWARE 2006 - 1st Int. Conf. on Comunication System Software and Middleware tenutosi a New Delhi, India nel 08-12 January 2006) [10.1109/COMSWA.2006.1665217].

Comparing Lexical Analysis Tools for Buffer Overflow Detection in Network Software

POZZA, DAVIDE;SISTO, Riccardo;DURANTE L;
2006

Abstract

Many of the bugs in distributed software modules are security vulnerabilities, the most common and also the most exploited of which are buffer overflows and they typically arise in programs written in the C language. This paper, focusing on static analysis tools for detecting buffer overflows in C programs, presents a methodology for experimentally evaluating and comparing the main objective features of such tools. The proposed method is based on testing all the tools on a common set of publicly available, open source software packages, and makes use of specific metrics defined to evaluate the main tool features. In particular, the evaluation aims at quantifying how close the tool is to a complete and sound tool. Our approach has been applied for an initial evaluation of the class of static analysis tools that are based on lexical analysis, using as test cases three well known network software packages. The results obtained, illustrated and commented on in this paper, offer some interesting indications
2006
9780780395756
File in questo prodotto:
File Dimensione Formato  
Comparing_Lexical_Analysis_Tools_for_Buffer_Overflow_Detection_in_Network_Software.pdf

non disponibili

Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Non Pubblico - Accesso privato/ristretto
Dimensione 755.48 kB
Formato Adobe PDF
755.48 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/1418145