Sciweavers

SIGSOFT
2004
ACM

Testing static analysis tools using exploitable buffer overflows from open source code

Five modern static analysis tools (ARCHER, BOON, PolySpace C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a "BAD" case with and a "PATCHED" case without buffer overflows. Buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the "BAD" examples were low except for PolySpace C Verifier and Splint, which had average detection rates of 87% and 57%, respectively. However, average false alarm rates were high and roughly 50% for these two tools. On safe patched programs these two tools produce one false alarm for every 12 to 46 lines of source code and neither tool can accurately distinguish between unsafe source code where b...
Misha Zitser, Richard Lippmann, Tim Leek
Added: 20 Nov 2009
Updated: 20 Nov 2009
Type: Conference
Year: 2004
Where: SIGSOFT
Authors: Misha Zitser, Richard Lippmann, Tim Leek