English

Combining Static and Dynamic Analysis for Vulnerability Detection

Cryptography and Security 2013-05-17 v1

Abstract

In this paper, we present a hybrid approach for buffer overflow detection in C code. The approach makes use of static and dynamic analysis of the application under investigation. The static part consists in calculating taint dependency sequences (TDS) between user controlled inputs and vulnerable statements. This process is akin to program slice of interest to calculate tainted data- and control-flow path which exhibits the dependence between tainted program inputs and vulnerable statements in the code. The dynamic part consists of executing the program along TDSs to trigger the vulnerability by generating suitable inputs. We use genetic algorithm to generate inputs. We propose a fitness function that approximates the program behavior (control flow) based on the frequencies of the statements along TDSs. This runtime aspect makes the approach faster and accurate. We provide experimental results on the Verisec benchmark to validate our approach.

Keywords

Cite

@article{arxiv.1305.3883,
  title  = {Combining Static and Dynamic Analysis for Vulnerability Detection},
  author = {Sanjay Rawat and Dumitru Ceara and Laurent Mounier and Marie-Laure Potet},
  journal= {arXiv preprint arXiv:1305.3883},
  year   = {2013}
}

Comments

There are 15 pages with 1 figure

R2 v1 2026-06-22T00:17:47.404Z