
Research On Finding Windows Buffer Overflow Vulnerabilities By Security Patch Comparison

Posted on: 2008-05-21
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ceng
Full Text: PDF
GTID: 2178360242472273
Subject: Computer software and theory
Abstract/Summary:
Buffer overflow is one of the most dangerous and most widespread classes of software vulnerability. Finding buffer overflow vulnerabilities is very important, especially those that have not been discovered, have not been reported, or have been reported but have not received much attention, and doing so plays a significant role in network security.

The thesis first analyzes in depth how buffer overflow vulnerabilities arise, and then presents a model for finding them that is based on security patch comparison. The model is mainly used to find buffer overflow vulnerabilities that have been reported but not published. For these vulnerabilities the exact location is unknown, but it can be located roughly by comparing the binary executable files and then precisely through dynamic analysis. Two methods of comparing binary executable files are introduced; after comparing the two, we chose structural comparison to implement the software.

The thesis also describes the design and implementation of the patch file comparison tool. The software consists of four modules: a disassembling module, a structural information extraction module, a structural comparison module and a result display module. In the disassembling module, debugging information is used to improve the disassembly result. In the structural comparison module, several matching methods based on structural comparison are summarized, and some new matching methods were added so that functions which have been modified can still be matched. The structural signatures of such functions may have changed slightly, so methods such as same in-degree and exclusive similar signature matching were added, which improved the match result to some extent. To reduce the manual work of analyzing the comparison result, a filtering function was added to the result display module. By searching for the vulnerabilities that are related to buffer overflow, the time needed to find a vulnerability was shortened.

After the tool was implemented, its performance was tested. Vulnerabilities recently reported by Microsoft were analyzed with the tool, and its performance was compared with that of the IDACompare software from iDefense. The comparison showed that the function match rate of our tool was higher and its performance was better. Finally, the processes of finding two vulnerabilities are documented.
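A sketch of the two-pass function matching the abstract outlines, added here as an illustration and not taken from the thesis or its tool. It assumes a structural signature of (basic blocks, control-flow edges, calls made) per function and a numeric tolerance for "similar"; the function names and counts are constructed sample data.

```python
from collections import Counter

# Constructed sample data, not taken from any real patch.
# name -> (basic blocks, CFG edges, calls made, in-degree); the first three
# fields form the structural signature (an assumption of this example).
PRE_PATCH = {
    "sub_1000": (4, 5, 1, 2),
    "sub_1100": (12, 17, 3, 1),
    "sub_1200": (7, 9, 2, 3),
    "sub_1300": (2, 1, 0, 5),
    "sub_1400": (1, 0, 1, 1),   # two identical thunks: ambiguous on purpose
    "sub_1500": (1, 0, 1, 1),
}
POST_PATCH = {
    "sub_2000": (4, 5, 1, 2),
    "sub_2100": (14, 20, 3, 1),  # same role as sub_1100, but blocks and edges were added
    "sub_2200": (7, 9, 2, 3),
    "sub_2300": (2, 1, 0, 5),
    "sub_2400": (1, 0, 1, 1),
    "sub_2500": (1, 0, 1, 1),
}

def similar(f, g, tolerance):
    """Same in-degree and signatures within `tolerance` (sum of absolute differences)."""
    return f[3] == g[3] and sum(abs(a - b) for a, b in zip(f[:3], g[:3])) <= tolerance

def match_functions(old, new, tolerance=6):
    """Return {old_name: (new_name, 'exact' | 'similar')}; ambiguous functions stay unmatched."""
    matches = {}
    old_count = Counter(f[:3] for f in old.values())
    new_count = Counter(g[:3] for g in new.values())
    new_by_sig = {g[:3]: n for n, g in new.items()}
    # Pass 1: the signature occurs exactly once in each version.
    for name, f in old.items():
        if old_count[f[:3]] == 1 and new_count[f[:3]] == 1:
            matches[name] = (new_by_sig[f[:3]], "exact")
    # Pass 2: leftovers with the same in-degree and an exclusive similar signature.
    rest_old = {n: f for n, f in old.items() if n not in matches}
    used = {m[0] for m in matches.values()}
    rest_new = {n: g for n, g in new.items() if n not in used}
    for name, f in rest_old.items():
        cands = [n for n, g in rest_new.items() if similar(f, g, tolerance)]
        if len(cands) == 1:
            rivals = [o for o, h in rest_old.items() if similar(h, rest_new[cands[0]], tolerance)]
            if rivals == [name]:  # exclusive in both directions
                matches[name] = (cands[0], "similar")
    return matches

def changed_functions(old, new, tolerance=6):
    """Matched pairs whose structure differs: where manual patch review would start."""
    found = match_functions(old, new, tolerance)
    return sorted((o, n) for o, (n, how) in found.items() if how == "similar")
```

On the sample data, `changed_functions(PRE_PATCH, POST_PATCH)` isolates the one modified function, while the two identical thunks stay unmatched instead of being paired arbitrarily.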
Keywords/Search Tags:Buffer Overflow, Vulnerability Finding, Security Patch Comparison, Structural Comparison