Discovering buffer overflow vulnerabilities in the wild

Ming Fang, Munawar Hafiz
2014 Proceedings of the 8th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement - ESEM '14  
We performed an empirical study on reporters of buffer overflow vulnerabilities to understand the methods and tools used during the discovery. The participants were reporters featured in the SecurityFocus repository during two six-month periods; we collected 58 responses. We found that in spite of many apparent choices, reporters follow similar approaches. Most reporters typically use fuzzing, but their fuzzing tools are created ad hoc; they use a few debugging tools to analyze the crash introduced by a fuzzer; and static analysis tools are rarely used. We also found a serious problem in the vulnerability reporting process. Most reporters, especially the experienced ones, favor full disclosure and do not collaborate with the vendors of vulnerable software. They think that public disclosure, sometimes supported by a detailed exploit, will put pressure on vendors to fix the vulnerabilities. But, in practice, vulnerabilities that are not reported to vendors are less likely to be fixed. Ours is the first study on vulnerability repositories that attempts to collect information from the people involved in the process; previous works have overlooked this rich information source. The results are valuable for beginners exploring how to detect and report buffer overflows and for tool vendors and researchers exploring how to automate and fix the process.
doi:10.1145/2652524.2652533 dblp:conf/esem/FangH14 fatcat:jhuevd3amffxtgbdpcwpvsbpmq