• DocumentCode
    3258231
  • Title

    Rule-Based Source Level Patching of Buffer Overflow Vulnerabilities

  • Author

    Shahriar, Hossain ; Haddad, Hisham M.

  • Author_Institution
    Dept. of Comput. Sci., Kennesaw State Univ., Kennesaw, GA, USA
  • fYear
    2013
  • fDate
    15-17 April 2013
  • Firstpage
    627
  • Lastpage
    632
  • Abstract
    Buffer overflow (BOF) is a notorious vulnerability that leads to non-secure software. The presence of BOF hampers essential security objectives - confidentiality, integrity and availability. A BOF might result in neighboring data values corruption, application core dumps, etc. This research focuses on the detection and patching of BOF vulnerabilities. The detection includes identifying programming elements that might cause BOF, such as limitations due to languages, associated libraries, and logical errors. This work presents several code patterns that include simple (one statement) and complex (multiple statements) forms of BOF. For prevention, we propose eight rules to fix vulnerable code to avoid BOF without modifying the application functionality. The proposed approach addresses BOF issues not only at the unit level but also at the integrated level by passing buffer length information. The proposed rules are evaluated with 14 benchmark applications that have known BOF vulnerabilities. The results show that the proposed rules are effective in detecting and patching BOF without altering original functionalities of applications. The performance overhead due to the application of the proposed patching rules is negligible.
  • Keywords
    buffer storage; data integrity; knowledge based systems; security of data; software reliability; BOF detection; BOF patching; BOF vulnerabilities; application core dumps; buffer length information passing; buffer overflow vulnerabilities; code pattern; data availability; data confidentiality; data integrity; integrated level; neighboring data value corruption; nonsecure software; notorious vulnerability; rule-based source level patching; security objectives; unit level; Benchmark testing; Buffer overflows; Indexes; Libraries; Runtime; Security; Switches; Buffer overflow; Rule-based patching; Software vulnerabilities;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Technology: New Generations (ITNG), 2013 Tenth International Conference on
  • Conference_Location
    Las Vegas, NV
  • Print_ISBN
    978-0-7695-4967-5
  • Type

    conf

  • DOI
    10.1109/ITNG.2013.96
  • Filename
    6614376