{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,4]],"date-time":"2025-11-04T16:05:47Z","timestamp":1762272347501,"version":"3.40.5"},"reference-count":98,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018,7,1]]},"abstract":"<p>Buffer overflow (BO) is a well-known and widely exploited security vulnerability. Despite the extensive body of research, BO is still a threat menacing security-critical applications. The authors present a comprehensive systematic review on techniques intended to detecting BO vulnerabilities before releasing a software to production. They found that most of the studies addresses several vulnerabilities or memory errors, being not specific to BO detection. The authors organized them in seven categories: program analysis, testing, computational intelligence, symbolic execution, models, and code inspection. Program analysis, testing and code inspection techniques are available for use by the practitioner. However, program analysis adoption is hindered by the high number of false alarms; testing is broadly used but in ad hoc manner; and code inspection can be used in practice provided it is added as a task of the software development process. New techniques combining object code analysis with techniques from different categories seem a promising research avenue towards practical BO detection.<\/p>","DOI":"10.4018\/ijsssp.2018070101","type":"journal-article","created":{"date-parts":[[2019,1,23]],"date-time":"2019-01-23T17:06:49Z","timestamp":1548263209000},"page":"1-33","source":"Crossref","is-referenced-by-count":4,"title":["What Do We Know About Buffer Overflow Detection?"],"prefix":"10.4018","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7157-5141","authenticated-orcid":true,"given":"Marcos Lordello","family":"Chaim","sequence":"first","affiliation":[{"name":"School of Arts, Sciences and Humanities, University of Sao Paulo, Sao Paulo, Brazil"}]},{"given":"Daniel Soares","family":"Santos","sequence":"additional","affiliation":[{"name":"Institute of Mathematical Sciences and Computing, University of Sao Paulo, S\u00e3o Carlos, Brazil"}]},{"given":"Daniela Soares","family":"Cruzes","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Safety & Security, SINTEF Digital, Trondheim, Norway"}]}],"member":"2432","reference":[{"journal-title":"Compilers: Principles, Techniques, and Tools","year":"2007","author":"A. V.Aho","key":"IJSSSP.2018070101-0"},{"key":"IJSSSP.2018070101-1","doi-asserted-by":"publisher","DOI":"10.1109\/ICETC.2010.5529688"},{"key":"IJSSSP.2018070101-2","first-page":"151","article-title":"A static comprehensive analytical method for buffer overflow vulnerability detection.","author":"S.Bilin","year":"2016","journal-title":"International Conference on Computer Science and Electronic Technology (CSET) ("},{"key":"IJSSSP.2018070101-3","first-page":"104","author":"D.Binkley","year":"2007","journal-title":"Source Code Analysis: A Road Map. In Future of Software Engineering (FOSE)"},{"key":"IJSSSP.2018070101-4","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0055853"},{"key":"IJSSSP.2018070101-5","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985995"},{"key":"IJSSSP.2018070101-6","article-title":"Model Checking One Million Lines of C Code.","author":"H.Chen","year":"2004","journal-title":"Network and Distributed System Security Symposium (NDSS)"},{"key":"IJSSSP.2018070101-7","doi-asserted-by":"crossref","unstructured":"Chen, J., & Mao, X. (2012). Bodhi: Detecting Buffer Overflows with a Game. In 2012 IEEE Sixth International Conference on Software Security and Reliability Companion (SERE-C) (pp. 168-173).","DOI":"10.1109\/SERE-C.2012.35"},{"key":"IJSSSP.2018070101-8","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2012.07.005"},{"key":"IJSSSP.2018070101-9","first-page":"605","author":"S.Chen","year":"2003","journal-title":"A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities. In Dependable Systems and Networks (DSN)"},{"key":"IJSSSP.2018070101-10","doi-asserted-by":"publisher","DOI":"10.1109\/ICIS.2009.158"},{"key":"IJSSSP.2018070101-11","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2002.1004369"},{"key":"IJSSSP.2018070101-12","unstructured":"Constantin, L. (2012). Artema Hybrid Point-of-sale Devices Can Be Hacked Remotely, Researchers Say. PCWorld."},{"key":"IJSSSP.2018070101-13","unstructured":"DaCosta, D., Dahn, C., Mancoridis, S., & Prevelakis, V. (4 de 6 de 2003). Characterizing the 'Security Vulnerability Likelihood' of Software Functions. In International Conference on Software Maintenance (ICSM) (p. 266). IEEE Computer Society."},{"key":"IJSSSP.2018070101-14","doi-asserted-by":"publisher","DOI":"10.1109\/C-M.1978.218136"},{"key":"IJSSSP.2018070101-15","first-page":"195","author":"B.Ding","year":"2012","journal-title":"Baggy Bounds with Accurate Checking"},{"key":"IJSSSP.2018070101-16","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-47764-0_12"},{"key":"IJSSSP.2018070101-17","doi-asserted-by":"publisher","DOI":"10.1145\/781131.781149"},{"key":"IJSSSP.2018070101-18","unstructured":"Drayton, P., Albahari, B., & Merrill, B. (2001). C# Essentials. Sebastobol, CA: O\u2019Reilley & Associates."},{"key":"IJSSSP.2018070101-19","doi-asserted-by":"publisher","DOI":"10.1007\/11572329_5"},{"key":"IJSSSP.2018070101-20","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74810-6_4"},{"key":"IJSSSP.2018070101-21","doi-asserted-by":"publisher","DOI":"10.1109\/52.976940"},{"key":"IJSSSP.2018070101-22","doi-asserted-by":"publisher","DOI":"10.1145\/2652524.2652533"},{"key":"IJSSSP.2018070101-23","doi-asserted-by":"crossref","unstructured":"Ferrara, P., Logozzo, F., & F\u00e4hndrich, M. (2008). Safer unsafe code for. NET. In Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA) (pp. 329-346). ACM.","DOI":"10.1145\/1449955.1449791"},{"year":"2018","author":"J.Foster","key":"IJSSSP.2018070101-24"},{"key":"IJSSSP.2018070101-25","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948155"},{"key":"IJSSSP.2018070101-26","doi-asserted-by":"publisher","DOI":"10.1145\/2993717.2993724"},{"key":"IJSSSP.2018070101-27","first-page":"786","article-title":"BovInspector: Automatic inspection and repair of buffer overflow vulnerabilities.","author":"F.Gao","year":"2016"},{"key":"IJSSSP.2018070101-28","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1998.674827"},{"key":"IJSSSP.2018070101-29","doi-asserted-by":"publisher","DOI":"10.1016\/j.cor.2007.01.013"},{"key":"IJSSSP.2018070101-30","first-page":"263","article-title":"Locating faulty code using failure-inducing chops.","author":"N.Gupta","year":"2005"},{"key":"IJSSSP.2018070101-31","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134319"},{"key":"IJSSSP.2018070101-32","first-page":"7","author":"M.Harman","year":"2010","journal-title":"Why Source Code Analysis and Manipulation Will Always be Important. In Source Code Analysis and Manipulation (SCAM)"},{"key":"IJSSSP.2018070101-33","first-page":"387","article-title":"Augmenting Counterexample-Guided Abstraction Refinement with Proof Templates.","author":"T. E.Hart","year":"2008"},{"journal-title":"Testing C Programs for Buffer Overflow Vulnerabilities. Network and Distributed System Security (NDSS)","year":"2003","author":"E.Haugh","key":"IJSSSP.2018070101-34"},{"key":"IJSSSP.2018070101-35","unstructured":"Hentschel, M. (2016). Integrating Symbolic Execution, Debugging and Verification [Ph.D. dissertation]. Technische Universit\u00e4t Darmstadt."},{"journal-title":"Core Java 2","year":"2005","author":"C. S.Horstmann","key":"IJSSSP.2018070101-36"},{"key":"IJSSSP.2018070101-37","unstructured":"Ibing, A. (11 de 2014). A Backtracting Simbolic Execution Engine with Sound Path Merging. In SECURWARE:The Eighth International Conference on Emerging Security Information, Systems and Technologies (pp. 180-185)."},{"key":"IJSSSP.2018070101-38","first-page":"133","article-title":"Software Analysis: A Roadmap.","author":"D.Jackson","year":"2000","journal-title":"International Conference on Software Engineering"},{"key":"IJSSSP.2018070101-39","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2008.4658084"},{"key":"IJSSSP.2018070101-40","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"IJSSSP.2018070101-41","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2009.10.004"},{"key":"IJSSSP.2018070101-42","doi-asserted-by":"publisher","DOI":"10.1145\/360248.360252"},{"key":"IJSSSP.2018070101-43","unstructured":"Kitchenham, B., & Charters, S. (2007). Guidelines for performing Systematic Literature Reviews in Software Engineering. Tech. rep., Keele University and Durham University Joint Report."},{"key":"IJSSSP.2018070101-44","unstructured":"Larochelle, D., & Evans, D. (2001). Statically Detecting Likely Buffer Overflow Vulnerabilities. In International Information Security Conference (SEC), Washington, D.C."},{"key":"IJSSSP.2018070101-45","article-title":"High Coverage Detection of Input-Related Security Faults.","author":"E.Larson","year":"2003","journal-title":"USENIX Security Symposium"},{"key":"IJSSSP.2018070101-46","doi-asserted-by":"publisher","DOI":"10.1145\/1453101.1453137"},{"key":"IJSSSP.2018070101-47","doi-asserted-by":"publisher","DOI":"10.1145\/2001420.2001459"},{"key":"IJSSSP.2018070101-48","doi-asserted-by":"publisher","DOI":"10.1002\/spe.515"},{"key":"IJSSSP.2018070101-49","first-page":"165","author":"B.-H.Li","year":"2011","journal-title":"RELEASE: Generating Exploits Using Loop-Aware Concolic Execution. In Secure Software Integration and Reliability Improvement (SSIRI)"},{"key":"IJSSSP.2018070101-50","doi-asserted-by":"publisher","DOI":"10.1145\/1882291.1882338"},{"key":"IJSSSP.2018070101-51","doi-asserted-by":"publisher","DOI":"10.1109\/NSWCTC.2009.10"},{"key":"IJSSSP.2018070101-52","doi-asserted-by":"publisher","DOI":"10.1145\/940071.940114"},{"key":"IJSSSP.2018070101-53","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23702-7_11"},{"key":"IJSSSP.2018070101-54","doi-asserted-by":"publisher","DOI":"10.1109\/CISP-BMEI.2016.7853039"},{"key":"IJSSSP.2018070101-55","unstructured":"MITRE. (2017). Common Weakness Enumeration (CWE)---a community-developed list of software weakness type. Retrieved from https:\/\/cwe.mitre.org\/"},{"key":"IJSSSP.2018070101-56","doi-asserted-by":"publisher","DOI":"10.1109\/PRDC.2015.10"},{"key":"IJSSSP.2018070101-57","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2015.0039"},{"key":"IJSSSP.2018070101-58","first-page":"441","article-title":"Automated Generation of Buffer Overflow Quick Fixes Using Symbolic Execution and SMT. Computer Safety, Reliability, &","volume":"9337","author":"P.Muntean","year":"2015","journal-title":"Security"},{"key":"IJSSSP.2018070101-59","doi-asserted-by":"publisher","DOI":"10.1145\/1542476.1542504"},{"key":"IJSSSP.2018070101-60","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-03811-6"},{"key":"IJSSSP.2018070101-61","first-page":"1","author":"G.Novark","year":"2007","journal-title":"Exterminator: automatically correcting memory errors with high probability. In Programming Language Design and Implementation (PLDI)"},{"key":"IJSSSP.2018070101-62","unstructured":"OWASP. (2016). Mobile Top 10 2016. Retrieved from https:\/\/www.owasp.org\/index.php\/Mobile_Top_10_2016-Top_10"},{"key":"IJSSSP.2018070101-63","doi-asserted-by":"publisher","DOI":"10.1134\/S0361768815060055"},{"key":"IJSSSP.2018070101-64","doi-asserted-by":"publisher","DOI":"10.1109\/ISSREW.2014.26"},{"key":"IJSSSP.2018070101-65","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2015.78"},{"key":"IJSSSP.2018070101-66","first-page":"48","author":"B. M.Padmanabhuni","year":"2015","journal-title":"Light-Weight Rule-Based Test Case Generation for Detecting Buffer Overflow Vulnerabilities. In ICSE: Automation of Software Test (AST)"},{"key":"IJSSSP.2018070101-67","doi-asserted-by":"publisher","DOI":"10.1049\/iet-sen.2014.0185"},{"key":"IJSSSP.2018070101-68","first-page":"851","article-title":"A Lightweight Security Analyzer inside GCC.","author":"D.Pozza","year":"2008","journal-title":"International Conference on Availability, Reliability and Security (ARES)"},{"key":"IJSSSP.2018070101-69","first-page":"1","author":"D.Pozza","year":"2006","journal-title":"Comparing lexical analysis tools for buffer overflow detection in network software. In Communication Systems Software and Middleware (COMSWARE)"},{"key":"IJSSSP.2018070101-70","doi-asserted-by":"publisher","DOI":"10.1109\/EC2ND.2010.14"},{"key":"IJSSSP.2018070101-71","first-page":"177","author":"S.Rawat","year":"2012","journal-title":"Finding Buffer Overflow Inducing Loops in Binary Executables. In Software Security and Reliability (SERE)"},{"key":"IJSSSP.2018070101-72","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2016.2615307"},{"journal-title":"Concepts of Programming Languages","year":"2012","author":"R.Sebesta","key":"IJSSSP.2018070101-73"},{"key":"IJSSSP.2018070101-74","first-page":"979","article-title":"Mutation-Based Testing of Buffer Overflow Vulnerabilities.","author":"H.Shahriar","year":"2008","journal-title":"Computer Software and Applications Conference (COMPSAC)"},{"key":"IJSSSP.2018070101-75","first-page":"137","author":"H.Shahriar","year":"2011","journal-title":"A Fuzzy Logic-Based Buffer Overflow Vulnerability Auditor. In Dependable, Autonomic and Secure Computing (DASC)"},{"key":"IJSSSP.2018070101-76","first-page":"124","author":"A.Shaw","year":"2014","journal-title":"Automatically Fixing C Buffer Overflows Using Program Transformations. In Dependable Systems and Networks (DSN)"},{"key":"IJSSSP.2018070101-77","unstructured":"Skerret, I. (2017). IoT Developer Trends 2017 Edition. Retrieved from https:\/\/ianskerrett.wordpress.com\/2017\/04\/19\/iot-developer-trends-2017-edition\/"},{"key":"IJSSSP.2018070101-78","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254327"},{"key":"IJSSSP.2018070101-79","doi-asserted-by":"publisher","DOI":"10.1145\/2737095.2737097"},{"key":"IJSSSP.2018070101-80","doi-asserted-by":"publisher","DOI":"10.1145\/1013886.1007528"},{"key":"IJSSSP.2018070101-81","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2000.898880"},{"key":"IJSSSP.2018070101-82","first-page":"29","article-title":"Ensuring Safe Usage of Buffers in Programming Language C.","author":"M.Vujosevic-Janicic","year":"2008","journal-title":"International Conference on Software Technologies (ICSOFT)"},{"key":"IJSSSP.2018070101-83","first-page":"3","article-title":"A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities.","author":"D.Wagner","year":"2000","journal-title":"Proc. Network and Distributed Systems Security Conference"},{"key":"IJSSSP.2018070101-84","first-page":"3","author":"M.Weber","year":"2001","journal-title":"A Case Study in Detecting Software Security Vulnerabilities Using Constraint Optimization. In Source Code Analysis and Manipulation (SCAM)"},{"key":"IJSSSP.2018070101-85","doi-asserted-by":"crossref","unstructured":"Weiser, M. (7 de 1984). Program Slicing. IEEE Computer Society Trans. Software Engineering, 10, 352-357.","DOI":"10.1109\/TSE.1984.5010248"},{"key":"IJSSSP.2018070101-86","unstructured":"Wheeler, D. A. (2018). Flawfinder. Retrieved from https:\/\/www.dwheeler.com\/flawfinder\/"},{"journal-title":"A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention. Network and Distributed System Security (NDSS)","year":"2003","author":"J.Wilander","key":"IJSSSP.2018070101-87"},{"key":"IJSSSP.2018070101-88","doi-asserted-by":"publisher","DOI":"10.1145\/1982185.1982493"},{"key":"IJSSSP.2018070101-89","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985960"},{"key":"IJSSSP.2018070101-90","doi-asserted-by":"publisher","DOI":"10.1145\/1390630.1390636"},{"key":"IJSSSP.2018070101-91","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"IJSSSP.2018070101-92","doi-asserted-by":"publisher","DOI":"10.1109\/CompComm.2015.7387532"},{"key":"IJSSSP.2018070101-93","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2016.21"},{"key":"IJSSSP.2018070101-94","doi-asserted-by":"publisher","DOI":"10.1145\/2187671.2187679"},{"journal-title":"Why Programs Fail - A Guide to Systematic Debugging","year":"2009","author":"A.Zeller","key":"IJSSSP.2018070101-95"},{"key":"IJSSSP.2018070101-96","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15497-3_5"},{"key":"IJSSSP.2018070101-97","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2011-0434"}],"container-title":["International Journal of Systems and Software Security and Protection"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=221929","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,6]],"date-time":"2022-05-06T22:32:16Z","timestamp":1651876336000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/IJSSSP.2018070101"}},"subtitle":["A Survey on Techniques to Detect A Persistent Vulnerability"],"short-title":[],"issued":{"date-parts":[[2018,7,1]]},"references-count":98,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2018,7]]}},"URL":"https:\/\/doi.org\/10.4018\/ijsssp.2018070101","relation":{},"ISSN":["2640-4265","2640-4273"],"issn-type":[{"type":"print","value":"2640-4265"},{"type":"electronic","value":"2640-4273"}],"subject":[],"published":{"date-parts":[[2018,7,1]]}}}