Precise Buffer Overflow Detection via Model Checking

Buffer overflows are the source of a vast majority of vulnerabilities in today’s software. Existing solution for detecting buffer overflow, either statically or dynamically, have serious drawbacks that hinder their wider adoption by practitioners. In this paper we present an automated overflow detection technique based on model checking and iterative refinement. We discuss advantages, and limitations, of our approach with respect to today’s existing solutions. We also describe how our approach may be implemented on top of a model checking technology being developed at the Software Engineering Institute (SEI). Introduction Software vulnerabilities [1, 2] are one of the major causes of concern in today’s information centric world. For example it is estimated [3] that “Hacker attacks cost the world economy a whopping $1.6 trillion in 2000” and that “US virus and worm attacks cost $10.7 billion in the first three quarters of 2001”. This problem is further highlighted by the increasing number of attacks that exploit such vulnerabilities. For example, “The CMU CERT Coordination Center reported 76,404 attack incidents in the first half of 2003, approaching the total of 82,094 for all of 2002 in which the incident count was nearly four times the 2000 total. If anything, the CERT statistics may understate the problem, because the organization counts all related attacks as a single incident. A worm or virus like Blaster or SoBig, a self-replicating program that can infect millions of computers, is but one event.” Buffer overflows are widely recognized [17] to be the prime source of vulnerabilities in commodity software. For example, the CodeRed worm that caused an estimated global damage worth $2.1 billion in 2001 [3] exploited a buffer overflow in Windows. In addition, Wagner et al. [22] report, on the basis of CERT advisories, that “buffer overruns account for up to 50% of today’s vulnerabilities, and this ratio seems to be increasing over time.” 1 http://www.cert.org/advisories/CA-2001-19.html