Security vulnerabilities in C++ programs
Issue Vol. 35 (2025)
Security vulnerabilities in C++ programs
Piotr Michał Adamczyk, Marek Miłosz, pp. 216-223
Abstract
Software security is a challenge for modern software developers: it is important not only to protect data and resources, but also to ensure the stability and reliability of the systems used and confidence in them. The C++ language, due to its lack of memory control and high flexibility, is particularly prone to security vulnerabilities. The aim of this paper is to review the literature to evaluate the effectiveness of existing methods for detecting and preventing security vulnerabilities in programs written in C++. The literature analysis showed that static analysis tools are effective in detecting most common vulnerabilities. However, they need to be combined with other methods to eliminate most security vulnerabilities.

