Publication Abstract

Zitser, M., Lippmann, R.P., and Leek, T., Testing Static Analysis Tools Using Exploitable Buffer Overflows From Open Source Code. Proceedings ACM Sigsoft 2004/FSE Foundations of Software Engineering Conference, 2004.


Five modern static analysis tools (ARCHER, BOON, PolySpace C Verifier, Splint, and UNO) were evaluated using source code examples containing 14 exploitable buffer overflow vulnerabilities found in various versions of Sendmail, BIND, and WU-FTPD. Each code example included a 'BAD' case with and a 'PATCHED' case without buffer overflows. Buffer overflows varied and included stack, heap, bss and data buffers; access above and below buffer bounds; access using pointers, indices, and functions; and scope differences between buffer creation and use. Detection rates for the 'BAD' examples were low except for Polyspace C Verifier and Splint which had average detection rates of 87% and 57% respectively. However, average false alarm rates were high and roughly 50% for these two tools. On safe patched programs these two tools produce one false alarm for every 12 to 46 lines of source code and neither tool can accurately distinguish between unsafe source code where buffer over-flows can occur and safe patched code.




top of page