ELAID: detecting integer-Overflow-to-Buffer-Overflow vulnerabilities by light-weight and accurate static analysis
Cybersecurity Pub Date : 2020-09-08 , DOI: 10.1186/s42400-020-00058-2
Lili Xu , Mingjie Xu , Feng Li , Wei Huo

The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability has been widely exploited by attackers to cause severe damage to computer systems, so automatically identifying this kind of vulnerability is critical for software security. Although much work has been done to mitigate integer overflow, existing tools either report a large number of false positives or introduce unacceptable time consumption. To address this problem, in this article we present a static analysis framework. It first constructs an inter-procedural call graph and uses taint analysis to accurately identify potential IO2BO vulnerabilities. It then applies a light-weight method to filter out false positives: it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered, and feeds the constraints to an SMT solver to decide their satisfiability. We have implemented a prototype system, ELAID, based on LLVM, and evaluated it on 228 programs of NIST's SAMATE Juliet test suite and 14 known real-world IO2BO vulnerabilities. The experimental results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
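The two-phase pipeline the abstract describes (taint analysis to find attacker-controlled arithmetic that reaches an allocation sink, then a satisfiability check on the overflow condition to drop false positives) can be shown end to end on a toy intermediate representation. The following is an added illustration written for this page, not ELAID's code: the three-address IR, its instruction forms, the sample programs and the function names are all constructed here, and the SMT solver is replaced by interval reasoning over unsigned 32-bit values, which is exact for the add/mul and upper-bound guard forms modelled but is only an approximation of what an SMT solver decides.

```python
"""Toy two-phase IO2BO detector in the spirit of the paper's approach.
Added illustration, not ELAID's code. Runs on a constructed
three-address IR of unsigned 32-bit values and replaces the SMT solver
with interval reasoning (an assumption for this example)."""

UINT32_MAX = 2**32 - 1

# Constructed IR forms (all values are unsigned 32-bit):
#   ("input", v)              v is attacker-controlled (taint source)
#   ("const", v, n)           v = n
#   ("add" | "mul", v, a, b)  v = a op b, wrapping modulo 2**32
#   ("guard_le", v, n)        later instructions execute only if v <= n
#   ("alloc", p, v)           p = malloc(v)   (sink)


def taint_candidates(prog):
    """Phase 1: indices of allocations whose size is tainted arithmetic.
    A tainted size that is a raw input (malloc(w)) is not an IO2BO
    pattern; the size must be the result of add/mul on tainted data."""
    tainted, arith, cands = set(), set(), []
    for i, ins in enumerate(prog):
        kind = ins[0]
        if kind == "input":
            tainted.add(ins[1])
        elif kind == "const":
            tainted.discard(ins[1])
            arith.discard(ins[1])
        elif kind in ("add", "mul"):
            _, dst, a, b = ins
            arith.add(dst)
            if a in tainted or b in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif kind == "alloc" and ins[2] in tainted and ins[2] in arith:
            cands.append(i)
    return cands


def overflow_satisfiable(prog, sink_idx):
    """Phase 2: under the guards on the path to prog[sink_idx], can the
    un-wrapped result of the size computation exceed UINT32_MAX?
    Only guards before the sink are path conditions, and a guard on the
    already-wrapped product constrains the product, not its operands,
    so the classic post-multiplication check is correctly not credited."""
    hi, defs = {}, {}          # hi: var -> largest 32-bit value it can hold
    for ins in prog[:sink_idx]:
        kind = ins[0]
        if kind == "input":
            hi[ins[1]] = UINT32_MAX
        elif kind == "const":
            hi[ins[1]] = ins[2]
        elif kind in ("add", "mul"):
            defs[ins[1]] = ins
            hi[ins[1]] = UINT32_MAX   # wrapped result: any 32-bit value
        elif kind == "guard_le":
            hi[ins[1]] = min(hi.get(ins[1], UINT32_MAX), ins[2])
    op, _, a, b = defs[prog[sink_idx][2]]
    exact_max = hi[a] + hi[b] if op == "add" else hi[a] * hi[b]
    return exact_max > UINT32_MAX


def analyze(prog):
    """(pointer, size variable, overflow satisfiable) for each candidate."""
    return [(prog[i][1], prog[i][2], overflow_satisfiable(prog, i))
            for i in taint_candidates(prog)]


# Constructed sample programs.
PROG_VULN = [("input", "w"), ("input", "h"), ("guard_le", "w", 4096),
             ("mul", "n", "w", "h"), ("alloc", "p", "n")]        # h unbounded
PROG_SAFE = [("input", "w"), ("input", "h"), ("guard_le", "w", 65535),
             ("guard_le", "h", 65535), ("mul", "n", "w", "h"),
             ("alloc", "p", "n")]                                # 65535^2 fits
PROG_LATE_CHECK = [("input", "w"), ("input", "h"), ("mul", "n", "w", "h"),
                   ("guard_le", "n", 1000000), ("alloc", "p", "n")]  # checks wrapped n
PROG_UNTAINTED = [("const", "w", 16), ("const", "h", 32),
                  ("mul", "n", "w", "h"), ("alloc", "p", "n")]

if __name__ == "__main__":
    for name, prog in [("vuln", PROG_VULN), ("safe", PROG_SAFE),
                       ("late_check", PROG_LATE_CHECK), ("untainted", PROG_UNTAINTED)]:
        print(name, analyze(prog))
```

`PROG_SAFE` is the kind of candidate that phase 1 alone would report and that the constraint filter discards: both operands are bounded so the product cannot wrap. `PROG_LATE_CHECK` shows why the check must be phrased on the operands rather than on the computed size: bounding the already-wrapped product leaves the overflow condition satisfiable, and the detector keeps reporting it.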

Updated: 2020-09-08