A Method for detecting buffer Overflow Vulnerabilities
Jingbo Yuan, Shunli Ding
Institute of Information Management Technology and Application
Northeastern university at Qinhuangdao
Qinhuangdao, China
[email protected]
,
[email protected]
Abstract—Buffer overflow vulnerabilities are currently the
most prevalent security vulnerability. The paper presents a
method that combines static analysis with dynamic test to deal
with the problem on buffer overflow vulnerabilities detecting.
By using the method we can identify potential weakness
locations. A buffer overflow vulnerabilities testing system was
developed. The experiment results tested and verified that the
new methodology is feasibility and availability.
Keywords-security vulnerability; Buffer overflow; Static
analysis; Dynamic test
I. INTRODUCTION
The buffer overflow vulnerability is one of the most
dangerous and the most widely distributed software
vulnerability. Hackers always breach security or simply
crash computer systems by using buffer overflow
exploitation. Therefore, it is important to find buffer
overflow, especially those that are not discovered or not
reported or reported but not receive much attention. And it
will play a significant role in the aspect of network security.
So, various solutions have been developed to address the
buffer overflow vulnerability problem [1-4].
There are mainly two ways to find buffer overflow
exploitation traditionally. One is to analysis source code of
program, which is called static analysis. And the other is to
test a program while it is running, which is called dynamic
analysis. However, in fact, except for some open source code
program, most source codes are hardly to be obtained.
Dynamic analysis does not require source code, but it is
inefficient for not having any knowledge about the
program’s internal structure.
This paper presents a method that strikes a proper
balance between static analysis and dynamic analysis to
identify buffer overflow vulnerabilities in binary code
without source code. The method is composed by two steps.
First step is to find some potential weakness locations, and
second step is to test every potential weakness location so as
to eliminate the false positives.
II. THE METHOD FOR DETECTING BUFFER OVERFLOW
VULNERABILITIES
A. The detecting flow
This paper presents a method integrating static and
dynamic analysis for detecting buffer overflow
___________________________________
978-1-61284-486-2/11/$26.00 ©2011 IEEE

vulnerabilities in binary file. The detecting flow is illustrated
in the following.
Step 1: Convert binary file to assembly language;
Step 2: Static analysis of assembly code. Judging whether
there exist overflow points, if no, then end;
Step 3: Save potential overflow points;
Step 4: Dynamic testing. Judging whether can overflow?
If can't, then end;
Step 5: Output report.
First, the binary file is converted to assembly language
file and then through analysis of assembly language syntax
and processes, the overflow point information that possible
exist buffer overflow vulnerability are extracted. The
overflow point is the first address of the function or code
segment that occur overflow. The information includes the
function call relations in binary file and the address of
potential overflow points, the size of the source buffer and
destination buffer. In fact, software programs have
standardized structure. A program is composed of code,
stack and heap. The code is composed of many modules and
each module generally realizes independent function.
Module stores the local variable and can call each other.
Although different programs may have different details, the
structured programming model is suitable for various
platform architectures. Therefore, this method applies to all
kinds of platform architecture and programming models.
This paper takes the Intel 32 bits processor architecture.
B. Looking for potential overflow points
In this stage the binary file is analyzed to look for
potential overflow points. The method doesn't need to know
any additional information of file or debugging information
generated by compilation but only needs to know the entry
address of the program. The purpose is to understand the
basic structure of the test file and stack usage and function
calling relations.
Analysis process is not a simple one by one byte scan for
the program. The binary file is first converted to assembly
language and analysis its instructions sequence to find code
segments that are responsible for copying the data in source
buffer to the destination buffer, and then judges whether the
code lacks buffer bound check. If no bounds checking it is
possible to have buffer overflow vulnerability lead to be
attack. The main task of this step includes:
1) Determining the function call relations
All functions are identified using recursive analysis on
object code. For executable programs starting point of
analysis is entry point of the program. For library files each
exported function is as a starting point. The address behind
each CALL instruction should be added to the function
analysis table unless the address has been analyzed. In this
way we can get a list of all the functions in the program.
2) Analysis stack space
In this step the main task is to make certain whether there
exist buffer in each function stack. There were two judging
conditions. One is the size and layout of stack storage space,
that is, the number of variables and the size of each variable.
Another is the address type of pointer used when the stack
seek.
3) Analysis parameters
This step is to identify the parameter types of potential
overflow function. Pointer type parameter is particularly
worthy of attention. If a function has not local buffer but
receive a pointer as an argument, the pointer likely points to
a buffer address of calling its function.
4) Use of local buffer
This step is to detect functions with local buffer. By
analysis the program code in function, the one hand to
determine the sequence of instruction copy data to the local
buffer by means of detecting whether has loop instruction
that includes MOV instruction or MOV instruction with
special prefix, on the other hand as long as detecting if there
is PUSH REG, LEA REG AND [EBP-OFFSET] in front of
CALL instruction, we shall be able to determine the buffer
address as the instructions sequence of arguments calling.
C. Determining the overflow function
In the phase our work is to identify and test potential
overflow functions in order to exclude unable overflow
functions. It is very difficult using a program to judge the
correctness of another program, so it is necessary to use
special test to exclude unable overflow functions.
III. IMPLEMENT OF BUFFER OVERFLOW VULNERABILITIES
DETECTION
A. The whole structure of system
Detection process is divided into two stages: static
analysis and dynamic testing. The following figure 1 shows
the overall system structure.
Where, before testing it needs to script respectively for
various types of potential overflow functions. The database
system is use to record information of potential overflow
points. This paper uses the built-in arrays to store
information.
B. Static analysis tool
This paper chooses the IDA Pro as the disassembled tool
to do disassembly for the program needs to be analyzed. IDA
Pro is a Windows or Linux or Mac OS X hosted multi-
processor disassembler and debugger [5]. IDA Pro is a
professional disassembly tools and has the strongest ability
to disassemble.
Because common buffer overflow vulnerabilities are
caused by lack of verification on memory replication
operation etc, they have some regularity. We do disassembly
process for the target code using IDA Pro and search the

disassembling results to get potential system overflow risks,
and then do analysis and discrimination to realize effective
mining for system-level security vulnerabilities.
static analysis using the script
script 1 script 2 script 3
database system
dynamic test potential overflow points
Figure 1. The whole structure of system
C. Script Controller
In addition to the extremely powerful disassembly
functions and UI interactive interface, IDA Pro also provides
IDC automatic scripting capabilities. Users can deal with
disassembly database by writing automated scripts with
specific purposes. IDC is an embedded Language. Its
emergence greatly enhances the expansion of IDA so that
many complex tasks may be completed by IDC. At the
automated same time, IDC also may control some special
circumstances.
D. Generating function call diagram
In the paper the function dependencies in the executable
binaries file are extracted by writing IDC script, and then we
mainly analyzed the library functions of format string and
the function calls that may result in buffer overflow
vulnerabilities in order to determine if the program exists in
the security implications, thus to reduce vulnerability false
and improve the quality of vulnerability report. According to
the Depth-First IDC script traverses functions from main
function of program entry in the target binary file, and
simulates the FILO character of stack to get out all the
functions. In the course of traversing called library functions
are not traversed, so as to remove a lot of interference
information and enhance the efficiency of analysis.
E. Detecting potential overflow function
Potential overflow function is a function without
checking buffer border as accessing buffer. We use
BugScam to detect the library function. At present the
BugScam is capable of detecting function as strcpy, strcat,
MultiByteToWideChar, wsprintfA, lstrcatA, sprintf, lstrcpyA
and so on. In order to facilitate the dynamic detection some
information about function need to be recorded, so we
modified IDC scripts. Aiming at the user-defined potential
overflow functions there are mainly two cases.
1) Detecting string operating instruction
 String operating instructions use Rep MOVs command to
realize continuous write to the buffer, and its instruction
and instructions sequence have obvious characteristic. The
detecting flow is as following figure 2, where register CX
controls cycle times.
Start
Read the next instruction
N FOUNDLOO all are set.
Is Rep movs instruction ?
Y conditions of C2,C3 and C4. If exist, continue analyze, or
Y turn to step 3.
CX is a constant ?
N address adjusting instruction queue. If exist, continue
upward seek lea esi,xx or MOV esi,xx instruction,
and calculate the size of source buffer
upward seek lea edi,xx or MOV edi,xx instruction,
and calculate the size of destination buffer
Save the initial address of program
segment and size of the buffer
End
Figure 2. The flow of detecting string operating
2) Detecting MOV + LOOP instruction
The kind of potential overflow function achieves
continuous write to the buffer through MOV instruction
combined with loop command. In general to continuous
write buffer, this type of sequence of instructions must meet
the following several conditions:
C1: Consisting of two or more than two MOV
instructions.
C2: The source operand of one MOV instructions is the
destination operand of another MOV instruction and belongs
to register type.
C3: No other commands take the registers as target
operands between the two MOV instructions.
C4: There are index registers in the MOV instructions
and the index registers can be the same or different.
C5: Exist instruction adjusting index registers and the
registers can be increment or decrement at the same time.
C6: These instructions are in the same loop.
Based on the above these conditions, the algorithm for
recognition this type function is described as follows.
Step 1: Read instruction beginning at the current address
and analyze instruction type.

a) If it is MOV instruction, records in MOV instruction
queue, and sets flag FOUNDMOVS when the number of
MOV instructions is equal or greater than 2;
b) If it is INC, DEC, ADD or SUB instruction, records
in indexed address adjusting instruction queue, and sets flag
FOUNDINC or FOUNDDEC depending on the situation;
c) If it is JMP or LOOP instruction, records loop
instruction and sets flag FOUNDLOOP.
Step 2: Do the following checks when the flags
FOUNDMOVS, FOUNDINC (or FOUNDDEC) and
a) Analysis if exist two MOV instructions to meet the
b) Analysis if exist instruction adjusting in indexed
analyze, or turn to step 3.
c) Analysis the instructions coverage in LOOP
instruction. If all these instructions are within the scope of
their addresses coverage, then continue analyze, or turn to
step 3.
d) Analysis if MOV instruction, index register
adjustment instruction and loop instruction are in the same
loop, if are, turn to step 4, or turn to step 3.
Step 3: Clear FOUNDLOOP flag and read next
instruction. If address is invalid then end or turn to step 1.
Step 4: Detecting succeed. Adjust the analyzed
instruction address. If next address is invalid then end or turn
to step 1.
F. The implementation of static analysis
According to the above analysis the static analysis tool
mainly completes the analysis on five potential overflow
functions and records the function information to the
database for subsequent dynamic testing. We rewrite five
IDC script as following to identify and analyze the potential
overflow functions.
Strcpy.idc-detect string copy function Strcpy( );
Strcat.idc-detect string catination function strcat( );
Sprintf.idc-detect formatted string output function
sprintf( );
Repmov.idc-detec data copy of string operating
instruction;
Movjmp.idc-detect data copy of MOV +loop instruction;
G. The implementation of dynamic test
The implementation of dynamic test uses OllyDbg
debugger [6]. OllyDbg is a user mode analyzing debugger. It
can identify thousands of functions frequently used by C and
Windows and comment arguments. The paper does dynamic
test for the static analyzed program by means of OllyDbg
using gained the potential overflow points information
including address and buffer size. The testing process
includes targeted setting breakpoints and then filling the
destination buffer with different length data and judging truth of the overflow points according to the running results.
TABLE I. TESTING RESULT OF FLAWFINDER

overflow point overflow point overflow

description
(line) (column) function
30 4 sprintf does not check for buffer overflows. Use snprintf or vsnprintf.
46 4 sprintf does not check for buffer overflows. Use snprintf or vsnprintf.
62 4 sprintf does not check for buffer overflows. Use snprintf or vsnprintf.
does not check for buffer overflows. Consider using strncpy or
19 2 strcpy strlcpy. Risk is low because the source is a constant string.
does not check for buffer overflows. Consider using strncat or
24 2 strcat strlcat. Risk is low because the source is a constant string.
does not check for buffer overflows. Consider using strncpy or
35 2 strcpy strlcpy. Risk is low because the source is a constant string.
does not check for buffer overflows. Consider using strncat or
40 2 strcat strlcat. Risk is low because the source is a constant string.
does not check for buffer overflows. Consider using strncpy or
51 2 strcpy strlcpy. Risk is low because the source is a constant string.
does not check for buffer overflows. Consider using strncat or
56 2 strcat strlcat. Risk is low because the source is a constant string.

TABLE II. TESTING RESULT OF TESTBUFFEROVERFLOW

call destinati source overflow

description
address on buffer buffer function
The maximum expansion of the data appears to be larger than the
4011c6 12 40 sprintf target buffer, this might be the cause of a buffer overrun ! Maximum
Expansion: 40 Target Size: 12
The maximum expansion of the data appears to be larger than the
4012b6 20 40 sprintf target buffer, this might be the cause of a buffer overrun ! Maximum
Expansion: 40 Target Size: 20
The maximum possible size of the target buffer (12) is smaller than
401121 12 37 strcpy the minimum possible size of the source buffer (37). This is VERY
likely to be a buffer overrun!
The maximum possible size of the target buffer (20) is smaller than
401211 20 37 strcpy the minimum possible size of the source buffer (37). This is VERY
likely to be a buffer overrun!
UNKNOWN_SOURCE_SIZE: The analyzer was unable to
401aad 4096 0 strcpy determine the size of the data source; This location should be
investigated manually.
The maximum possible size of the target buffer (12) is smaller than
401171 12 37 strcat the minimum possible size of the source buffer (37). This is VERY
likely to be a buffer overrun!
The maximum possible size of the target buffer (20) is smaller than
401261 20 37 strcat the minimum possible size of the source buffer (37). This is VERY
likely to be a buffer overrun!
UNKNOWN_SOURCE_SIZE: The analyzer was unable to
4048d9 160 0 strcat determine the size of the data source; This location should be
investigated manually.
UNKNOWN_SOURCE_SIZE: The analyzer was unable to
404907 160 0 strcat determine the size of the data source; This location should be
investigated manually.
The maximum expansion of the data appears to be larger than the
40120d 16 40 repmov target buffer, this might be the cause of a buffer overrun ! Maximum
Expansion: 40 Target Size: 16



IV. TEST AND ANALYSIS FOR BUFFER OVERFLOW
VULNERABILITY
A. Comparison test of the program with vulnerability
The paper first writes a program with buffer overflow
vulnerability and then uses our tool Testbufferoverflow to
test the program and compare test results with Flawfinder.
Flawfinder is a program that examines C source code and
reports possible security weaknesses sorted by risk level. It's
very useful for quickly finding and removing some security
problems before a program is widely released [7]. The test
results are shown respectively as table 1 and table 2.
The tested program calls ten functions, and functions
strcpy, strcat and sprintf are called respectively three times
and in two of them the destination buffer is less than the
source buffer. Another function uses WHILE loop to copy
data from the source buffer to the destination buffer.
Therefore the correct results are function strcpy, strcat and
sprintf have respectively two overflows and the overflow of
RepMOV type has one time.
When using Flawfinder to detect the program, it finds all
library function and but don't find the overflow of RepMOV
type. Using Testbufferoverflow, it finds six addresses of
possible overflow in functions strcpy, strcat and sprintf and
calculates the size of the source buffer and the size of
destination buffer. For third function call because the
destination buffer is large enough, so functions can't produce
overflow and don't take them as overflow points. In addition,
the tool also finds a overflow point of RepMOV type.
From the results we see that compared with Flawfinder,
our tool is more accurate and effective. It can find all the
functions of the existing problems in the program and
precisely locate all overflow points.
B. Dynamic Testing
Dynamic testing examines program execution to
determine whether buffer overflows occur during that
execution. According to the above static analysis results, we
take an address, for example 401121, as a potential overflow
point to perform dynamic testing. Set break point 00401121
and get following codes in break point.
00401100 push ebp
00401101 MOV ebp, esp
00401103 sub esp, 4C
00401106 push ebx
00401107 push esi
00401108 push edi
00401109 lea edi, dword ptr [ebp-4C]
0040110C MOV ecx, 13
00401111 MOV eax, CCCCCCCC
00401116 rep stos dword ptr es:[edi]
00401118 push 0042201C
0040111D lea eax, dword ptr [ebp-C]
00401120 push eax
00401121 call 00401450

"call 00401450" is to call function strcpy, two push
commands push respectively the source buffer address and
the destination buffer address into stack. The size of the
source buffer and the size of destination buffer are
respectively 37 and 12. The content in address 00402201 is
"this is a test,this is a test". The size of string is greater than
12, because the size of the destination buffer is 12, so an
overflow error occurs at running the program. If the string is
changed to "this" and its size is less than 12, the program can
regular run without error. From this, we can come to a
conclusion: the function strcpy lacks of border checks, that
is, don't check the buffer size, so exist buffer overflow
vulnerability.
In the same way, we can dynamic test each potential
overflow point to seek possible buffer overflow vulnerability.
V. CONCLUTION
Buffer overflow vulnerabilities are caused by
programming errors. Using buffer overflow vulnerability an
attacker can cause the program to write beyond the bounds
of an allocated memory block as a result to corrupt other
data structures. The paper proposes a method for mining
potential buffer overflow vulnerability of binary files in the
case of no knowing the source code and implements a
system to detect vulnerability based on combining static
analysis and dynamic test. Actual programs with buffer
overflow vulnerabilities are tested and the results are
compared with common buffer overrun detection tool
Flawfinder. The test results illustrate that the method
improves the accuracy of static analysis and reduces the rate
of false alarm. The tool Testbufferoverflow also provides a
basis for dynamic testing so then reduces the dynamic test
time and improves the efficiency of dynamic testing.
REFERENCES
[1] C. Cowan, F. Wagle, Calton Pu, S. Beattie, and J. Walpole, “Buffer
overflows: attacks and defenses for the vulnerability of the decade,”
DARPA Information Survivability Conference and Exposition, vol. 2,
pp. 119–129, 2000.
[2] Seon-Ho Park,Young-Ju Han, and Soon-Jwa Hong, “The Dynamic
Buffer Overflow Detection and Prevention Tool for Yindows
Executables Using Binary Rewriting,” The 9th International
Conference on Advanced Communication Technology, vol. 3, pp.
1776–1781, 2007.
[3] B. Salamat, A. Gal, T. Jackson, K. Manivannan, G. Wagner, and M.
Franz, “Multi-variant Program Execution: Using Multi-core Systems
to Defuse Buffer-Overflow Vulnerabilities,” International
Conference on Complex, Intelligent and Software Intensive Systems,
pp. 843–848, 2008.
[4] M. Akbari, S. Berenji, and R. Azmi, “Vulnerability detector using
parse tree annotation,” 2nd International Conference on Education
Technology and Computer (ICETC), vol. 4, pp. 254-257, 2010.
[5] http://www.hex-rays.com/idapro/
[6] http://www.ollydbg.de/
[7] http://sourceforge.net/projects/flawfinder/