Call for Paper - November 2021 Edition
IJCA solicits original research papers for the November 2021 Edition. Last date of manuscript submission is October 20, 2021. Read More

An Empirical Study on Stack Overflow Security Vulnerability in Well-known Open Source Software Systems

Print
PDF
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2020
Authors:
Md. Masudur Rahman, Abdus Satter, B. M. Mainul Hossain
10.5120/ijca2020920492

Md. Masudur Rahman, Abdus Satter and Mainul B M Hossain. An Empirical Study on Stack Overflow Security Vulnerability in Well-known Open Source Software Systems. International Journal of Computer Applications 176(39):11-16, July 2020. BibTeX

@article{10.5120/ijca2020920492,
	author = {Md. Masudur Rahman and Abdus Satter and B. M. Mainul Hossain},
	title = {An Empirical Study on Stack Overflow Security Vulnerability in Well-known Open Source Software Systems},
	journal = {International Journal of Computer Applications},
	issue_date = {July 2020},
	volume = {176},
	number = {39},
	month = {Jul},
	year = {2020},
	issn = {0975-8887},
	pages = {11-16},
	numpages = {6},
	url = {http://www.ijcaonline.org/archives/volume176/number39/31458-2020920492},
	doi = {10.5120/ijca2020920492},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}
}

Abstract

Stack overflow is one of the most common security vulnerabilities in software systems. It occurs when a program tries to load more data in a buffer than its allocated limit. It may result in serious security issue when a program having the vulnerability is run with administrator privileges. Attackers can inject malicious code into the running program through overflowing its stack. When the malicious code is executed, it allows the attackers to take control of the program. So, this security vulnerability is considered as one of the easiest and reliable techniques to gain unauthorized access to a computer system. In this article, it has been shown that how stack overflow occurs in a software system. Besides, a survey has been conducted on three popular open source projects - Linux, Git and PHP. The survey results show that the projects contain such code portions in which it is possible to overflow the stacks and inject malicious script to harm the normal execution of processes. In addition, this article raises a concern to avoid writing such codes which are potentially sources for the security attack.

References

  1. “GitHub - torvalds/linux: Linux kernel source tree”, https://github.com/torvalds/linuxl, Online; accessed 06 May, 2019.
  2. “GitHub - git/git: Git Source Code Mirror”, https://github.com/git/git, Online; accessed 06 May, 2019.
  3. “GitHub - php/php-src: The PHP Interpreter”, https://github.com/php/ php-src, Online; accessed 06 May, 2019.
  4. Silberschatz, A., Galvin, P.B. and Gagne, G., 2009. Operating system concepts with Java. Wiley Publishing.
  5. Cowan C, Wagle F, Pu C, Beattie S, Walpole J. Buffer overflows: Attacks and defenses for the vulnerability of the decade. InProceedings DARPA Information Survivability Conference and Exposition. DISCEX'00 2000 Jan 25 (Vol. 2, pp. 119-129). IEEE..
  6. One, Aleph. ”Smashing the stack for fun and profit.” Phrack. vol. 7. 1996.
  7. Cowan C, Pu C, Maier D, Walpole J, Bakke P, Beattie S, Grier A, Wagle P, Zhang Q, Hinton H. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. InUSENIX security symposium 1998 Jan 26 (Vol. 98, pp. 63-78).
  8. Cowan, Crispin, and Calton Pu. ”Survivability from a Sow’s ear: The retrofit security requirement.” Proceedings of the 1998 Information Survivability Workshop. 1998.
  9. Cowan, Crispin, et al. ”Protecting systems from stack smashing attacks with StackGuard.” Linux Expo. 1999.
  10. Litchfield, David. ”Defeating the stack based buffer overflow prevention mechanism of microsoft windows 2003 server.” 2003.
  11. Silberschatz, Abraham, J. L. Peterson, and P. B. Galvin. ”Operating systems.” Publication By John Wiley & Sons 1991.
  12. Usman S, Niaz H. Building Secure Web-Applications Using Threat Model. International Journal of Information Technology and Computer Science (IJITCS). 2018;10(3):52-62.
  13. Sariman G, Küçüksille EU. SASMEDU: Security assessment method of software in engineering education. International Journal of Information Technology and Computer Science. 2018:1-2.
  14. Luo P, Zou D, Du Y, Jin H, Liu C, Shen J. Static detection of real-world buffer overflow induced by loop. Computers & Security. 2020 Feb 1;89:101616.
  15. Khwaja AA, Murtaza M, Ahmed HF. A security feature framework for programming languages to minimize application layer vulnerabilities. Security and Privacy. 2020 Jan 1:e95.
  16. Silverstone A, inventor; Computer Protection Ip, Llc, assignee. Protecting computing devices from unauthorized access. United States patent application US 16/520,051. 2020 Jan 9.
  17. AlHarbi KN, Lin X, inventors; NORTHERN BORDERS UNIVERSITY, assignee. Preventing stack buffer overflow attacks. United States patent US 9,251,373. 2016 Feb 2.
  18. Ye T, Zhang L, Wang L, Li X. An empirical study on detecting and fixing buffer overflow bugs. In 2016 IEEE International Conference on Software Testing, Verification and Validation (ICST) 2016 Apr 11 (pp. 91-101). IEEE.
  19. Satter A, Hossain BM. Vulnerabilities assessment of emerging web-based services in developing countries. International Journal of Information Engineering and Electronic Business. 2016 Sep 1;8(5):1.
  20. Pincus, Jonathan, and Brandon Baker. "Beyond stack smashing: Recent advances in exploiting buffer overruns." IEEE Security & Privacy 2.4 (2004): 20-27.

Keywords

Computer Security Vulnerability, Buffer Overflow Attack, Stack Overflow, Open Source Projects, Software Security.