Mutation-based testing of integer overflow vulnerabilities

Authors:
Fanping Zeng;Liangliang Mao;Zhide Chen;Qing Cao
Affiliations:
Department of Computer, University of Science and Technology of China and Anhui Province Key Lab of Software in Computer and Communication, Hefei, Anhui, PR China;Department of Computer, University of Science and Technology of China, Hefei, Anhui, PR China;Department of Computer, University of Science and Technology of China, Hefei, Anhui, PR China;Department of Computer, University of Science and Technology of China, Hefei, Anhui, PR China
Venue:
WiCOM'09 Proceedings of the 5th International Conference on Wireless communications, networking and mobile computing
Year:
2009

Citing 6
Cited 0

Can Source Code Auditing Software Identify Common Vulnerabilities and Be Used to Evaluate Software Security?

HICSS '04 Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) - Track 9 - Volume 9
Hints on Test Data Selection: Help for the Practicing Programmer

Computer
The Csaw C Mutation Tool: Initial Results

TAICPART-MUTATION '07 Proceedings of the Testing: Academic and Industrial Conference Practice and Research Techniques - MUTATION
Secure programming with static analysis

Secure programming with static analysis
Mutation-Based Testing of Buffer Overflow Vulnerabilities

COMPSAC '08 Proceedings of the 2008 32nd Annual IEEE International Computer Software and Applications Conference
Foundations of Software Testing

Foundations of Software Testing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Integer overflow vulnerability is a kind of common software vulnerabilities, there has been no effective way to detect integer overflow vulnerabilities. Because of the lack of dynamic execution, static analysis can not determine the run-time distribution of memory, and may miss the detection of possible security issues; source code auditing is an expensive and time consuming process. Although there has been applying mutation analysis for testing ANSI C programs, and lots of mutation operators have been designed with respect to specific questions, there are not any of operators specifically designed for integer overflow. In this paper, we propose some new mutation operators to force the generation of adequate test data set for integer overflow vulnerabilities. The results indicate that the proposed operators are effective for detecting integer overflow vulnerabilities.