DocumentCode
187422
Title
Predicting Buffer Overflow Vulnerabilities through Mining Light-Weight Static Code Attributes
Author
Padmanabhuni, Bindu Madhavi ; Hee Beng Kuan Tan
Author_Institution
Sch. of Electr. & Electron. Eng., Nanyang Technol. Univ., Singapore, Singapore
fYear
2014
fDate
3-6 Nov. 2014
Firstpage
317
Lastpage
322
Abstract
Static code attributes are widely used in defect prediction studies as an abstraction model because they capture general properties of the program. To counter buffer overflow exploits, programmers use buffer size checking and input validation schemes. In this paper, we propose light-weight static code attributes that can be extracted easily to characterize buffer overflow safety mechanisms and input validation checks implemented in the code for predicting buffer overflows. We then use data mining methods on the collected static code attributes to predict buffer overflows in application programs. In our experiments across five applications, our best classifier could achieve a recall of 95% and precision over 80%, suggesting that our proposed static code attributes are effective indicators in predicting buffer overflows.
Keywords
data mining; pattern classification; program diagnostics; buffer overflow safety mechanisms; buffer overflow vulnerability prediction; buffer size checking; classifier; data mining methods; input validation schemes; light-weight static code attribute mining; software defect prediction; Accuracy; Arrays; Buffer overflows; Data mining; Filling; Predictive models; Radiation detectors; Vulnerability; buffer overflow; data mining; input validation; prediction; static analysis; static code attributes;
fLanguage
English
Publisher
ieee
Conference_Titel
Software Reliability Engineering Workshops (ISSREW), 2014 IEEE International Symposium on
Conference_Location
Naples
Type
conf
DOI
10.1109/ISSREW.2014.26
Filename
6983860