Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Finding and Preventing Buffer Overflows

File name
File size
20.8 MB

A talk that will present academic tools, which are designed to find or disarm security problems in C code The last years have proven that humans are notorious producers of insecure code. They also seem to have problems security bigs on their own. For this reason scientist spend a reasonable amount of time in developing ideas how to automate the process of finding those security bugs (using static analysis) or how to fix those bugs automatically (with dynamic measures which take effect on runtime). The talk will give an introduction to both approaches. The presented tools are aimed at problems that belong to the programming language C: Buffer Overflows, Format String Exploits and their friends. Static tools examine the source code before the compilation. Depending on the tool methods like functional verification, finite automatons or lattice theory are used to find security bugs. The talk will try to show, how these tools work and what their shortcomings are (e.g. to many false positives, no weighting, hard to configure,...) Dynamic tools alter the source code before or during the compilation. They try to add constructs to the control flow with additions that are supposed to prevent the exploitation of security flaws. Classic examples (Stack Guard) and modern approaches (StoBo) are presented and discussed. Only tools and methods that are applicable by the programmer are addressed. Methods of preventing exploitation by altering the underlying infrastructure (i.e. the OS) are omitted. The focus is on measures that can be employed by the actual programmer. We think it is important that the usage of these kind of tools (esp. static analysis) grows in the open source community. Commercial companies are employing static analysis on a broad basis nowadays (for example Microsoft requires their coders to use the tools PreFast and PreFix daily). Otherwise the security advantage, that open source claims to possess, may diminish.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !