A Taxonomy of Buffer Overflow Preconditions

Citation

• M. Bishop, D. Howard, S. Engle, and S. Whalen, “A Taxonomy of Buffer Overflow Preconditions”, Technical Report CSE-2010-1, Dept. of Computer Science, University of California at Davis, Davis, CA 95616-8562 (Jan. 2010).

Paper

• PDF
  
• PS
  

Abstract

Recent work on vulnerabilities has focused on buffer overflows, in which data exceeding the bounds of an array is loaded into the array. The loading continues past the end of the array, causing variables and state information to change. As the process is not programmed to check for these additional changes, the process acts incorrectly. The incorrect action often places the system in a non-secure state. This work develops a taxonomy of buffer overflow vulnerabilities based upon preconditions, or conditions that must hold for an exploitable buffer overflow to exist. We analyze several software and hardware countermeasures to validate the approach. We then discuss alternate approaches to ameliorating this vulnerability.

Background

This presents an alternate model of vulnerabilities, and applies it to buffer overflows.