Static Detection of Real-world Buffer Overflow Induced by Loop

Computers & Security (2020)

Abstract
Buffer overflow (BoF) is one of the most dangerous security vulnerabilities. A BoF can be induced by functions, such as the memcpy family, or by loops with pointer or array operations. Static detection of BoFs is a well-established approach and is often performed before system deployment. However, most previous static techniques either detect only the BoFs induced by functions or analyze only simple loops that induce BoFs, such as a single loop with a single loop variable. In order to understand the impact of loops on BoFs clearly, we performed an empirical study of real-world BoFs detected in the past three years, covering 211 BoFs from 60 open-source systems, and found that about a third of these BoFs are induced by loops. Motivated by this observation, we propose a novel static detection technique, DBloop, to localize BoFs induced by loops. The key idea of DBloop is to obtain the extremum length of data movement on the buffer by analyzing the target loops and then to check, using constraint solving, whether the buffer overruns. We have implemented DBloop with CIL and evaluated it on real-world programs by comparing it with a commercial tool, Checkmarx, and an open-source tool, Splint. DBloop successfully localizes 57 BoFs induced by loops, while Checkmarx and Splint detect only 4 and 3, respectively. Moreover, DBloop has detected 4 new BoFs that had not been reported before.
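The check at the heart of the abstract, computing the extremum length of data movement a loop performs on a buffer and comparing it with the buffer size, shown here as an added illustration that is not the paper's DBloop code: it handles only the closed-form case of a single loop variable with a constant positive step (DBloop itself works on CIL and uses constraint solving for the general case), and the loop shapes and buffer size are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of a single-variable counting loop (assumption: constant step > 0):
 *   for (i = init; i < bound [or i <= bound]; i += step) buf[i] = ...;   */
typedef struct {
    long init;        /* initial value of the loop variable */
    long bound;       /* value the loop variable is compared against */
    bool inclusive;   /* true for "i <= bound", false for "i < bound" */
    long step;        /* increment per iteration */
    long elem_bytes;  /* bytes written at buf[i] per iteration (1 for char) */
} loop_t;

/* Largest index the loop body writes, or -1 if the body never runs. */
long max_index_written(const loop_t *lp)
{
    long last = lp->inclusive ? lp->bound : lp->bound - 1;
    if (lp->step <= 0 || last < lp->init)
        return -1;
    long k = (last - lp->init) / lp->step;  /* largest k with init+k*step <= last */
    return lp->init + k * lp->step;
}

/* Extremum data-movement length in bytes: end of the last element written. */
long max_bytes_written(const loop_t *lp)
{
    long idx = max_index_written(lp);
    return idx < 0 ? 0 : (idx + 1) * lp->elem_bytes;
}

/* The overrun check: does the loop move more bytes than the buffer holds? */
bool loop_overruns(const loop_t *lp, long buf_bytes)
{
    return max_bytes_written(lp) > buf_bytes;
}

int main(void)
{
    enum { BUF = 16 };
    /* constructed cases: off-by-one "<=" loop, correctly bounded "<" loop,
     * and a length-driven copy whose n (32) exceeds the 16-byte buffer */
    loop_t cases[] = { { 0, BUF, true, 1, 1 },
                       { 0, BUF, false, 1, 1 },
                       { 0, 32, false, 1, 1 } };
    for (int c = 0; c < 3; c++)
        printf("case %d: bytes moved %ld, overrun=%d\n", c,
               max_bytes_written(&cases[c]), loop_overruns(&cases[c], BUF));
    return 0;
}
```

The first and third cases are flagged, the second is not; a real analysis must additionally bound init, bound and step symbolically when they are not constants, which is where the constraint solving in the abstract comes in.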
Keywords
Buffer overflow, Security vulnerability, Loop, Data movement, Static detection technique