Abstract

Buffer overflow (BOF) vulnerabilities in programs undermine essential security objectives such as confidentiality, integrity and availability. In particular, exploitation of a BOF can lead to many unwanted consequences, including denial of service through program crash, control flow hijacking, and corrupted program state. When BOF vulnerabilities are detected, they need to be patched before the software is redeployed. Automatic source-level patching of vulnerabilities faces the challenge of finding a set of general rules and applying them consistently without introducing side effects into the intended software. This paper proposes a set of general rules for mitigating BOF vulnerabilities in C/C++ programs. In particular, we developed a set of rules for identifying vulnerable code and for making that code vulnerability-free. The proposed rule-based approach addresses both simple (one statement) and complex (multiple statements) forms of code that can be vulnerable to BOF, ranging from unsafe library function calls to pointer usage in control flow structures (loop and conditional statements). We evaluated the proposed approach using two publicly available benchmarks and a number of open source C/C++ applications. The results show that the proposed rules not only identify previously known BOF vulnerabilities but also find new vulnerabilities. Moreover, the patching rules impose negligible overhead on the application.
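The two forms the abstract distinguishes (a single unsafe library call, and pointer usage inside a loop), shown as an added illustration that is not taken from the paper. The function names and the specific bounded rewrites are assumptions chosen for this example, not the paper's patching rules.

```c
#include <stddef.h>
#include <string.h>

/* Simple form (one statement): unsafe library call.
 * Before: strcpy(dst, src);   writes past dst when strlen(src) >= dst_size.
 * After:  bounded copy that always NUL-terminates and reports truncation.
 * Returns 0 on a full copy, 1 if truncated, -1 on invalid arguments. */
int copy_patched(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    if (truncated)
        n = dst_size - 1;             /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Complex form (multiple statements): pointer advanced in a loop.
 * Before: while (*src != '\0') *p++ = *src++;  *p = '\0';
 *         the loop condition never consults the size of dst.
 * After:  the loop is additionally guarded by the end of the buffer.
 * Returns the number of bytes written, excluding the terminator. */
size_t loop_copy_patched(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return 0;
    char *p = dst;
    char *end = dst + dst_size - 1;   /* last slot, reserved for NUL */
    while (*src != '\0' && p < end)
        *p++ = *src++;
    *p = '\0';
    return (size_t)(p - dst);
}

int main(void)
{
    char buf[8];
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed, longer than buf */
    int t = copy_patched(buf, sizeof buf, input);
    size_t w = loop_copy_patched(buf, sizeof buf, input);
    return (t == 1 && w == 7) ? 0 : 1;
}
```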
