Characterizing Buffer Overflow Vulnerabilities in Large C/C++ Projects
José D’Abruzzo Pereira, Naghmeh Ivaki, Marco Vieira
Abstract
Security vulnerabilities are present in most software systems, especially in projects with a \nlarge codebase, with several versions over the years, developed by many developers. Issues with memory \nmanagement, in particular buffer over ow, are among the most frequently exploited vulnerabilities in \nsoftware systems developed in C/CCC. Nevertheless, most buffer over ow vulnerabilities are not detectable \nby vulnerability detection tools and static analysis tools (SATs). To improve vulnerability detection, we need \nto better understand the characteristics of such vulnerabilities and their root causes. In this study, we analyze \n159 vulnerable code units from three representative projects (i.e., Linux Kernel, Mozilla, and Xen). First, \nthe vulnerable code is characterized using the Orthogonal Defect Classi cation (ODC), showing that most \nbuffer over ow vulnerabilities are related to missing or incorrect checking (e.g., missing if construct around \nstatement or incorrect logical expression used as branch condition). Then, we run two widely used C/CCC \nStatic Analysis Tools (SATs) (i.e., CppCheck and Flaw nder) on the vulnerable and neutral (after the \nvulnerability x) versions of each code unit, showing the low effectiveness of this type of tool in detecting \nbuffer over ow vulnerabilities. Finally, we characterize the vulnerable and neutral versions of each code \nunit using software metrics, demonstrating that, although such metrics are frequently used as indicators of \nsoftware quality, there is no clear correlation between them and the existence of buffer over ow in the code. \nAs a result, we highlight a set of observations that should be considered to improve the detection of buffer \nover ow vulnerabilities.