Ping CHEN,Hao HAN,Xiao-bing SHEN,Xin-chun YIN,Bing MAO,Li XIE

2010-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:In recent years, Integer bugs have been rising sharply and become a potential threat as it is often hidden behind other bugs. In this paper, we propose a tool which can automatically detect Integer bugs. We implement the tool based on static and dynamic program analysis. In the static phase, the tool decompiles a binary and creates the suspect instruction set. In the dynamic phase, it monitors the instructions in the suspect set and generates the test cases to further detect which instructions are real Integer bugs. Our tool has two advantages. First, it provides more accurate and sufficient type information. Second, static analysis reduces the instructions which are monitored at runtime. Experimental results shows that our tool can efficiently detect the Integer bugs in several real-world programs. In addition, our tool has no false negatives and low false positives.

Xi Cheng,Min Zhou,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/tdsc.2019.2913862

2019-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:C language plays a key role in system programming and applications. Integer error is a common yet important C program defect because arithmetic operations may produce unrepresentable values in certain integer types. Integer error is one of the major sources of software failures and vulnerabilities. Due to the complex semantics of C integers, manually repairing integer errors is prone to introducing additional errors even for experienced programmers. This paper presents an approach to automatically generate fixes for integer errors. Our approach infers, for each expression, a type that is capable of representing its possible values, and utilizes inferred types as program fixes based on common fix patterns codified from real world. We have developed our system IntPTI which is evaluated on the largest public benchmark of integer errors and 7 widely-used open-source projects. The evaluation results demonstrate the superior performance of IntPTI in terms of accuracy, scalability, runtime overhead and robustness of fixes. In addition, IntPTI is applied on the embedded software of a realistic train control system. It succeeds in both detecting 67 new integer errors and generating 101 fixes confirmed by developers. The study substantiates the feasibility and effectiveness of the proposed methodology.

Tielei Wang,Tao Wei,Zhiqiang Lin,Wei Zou

2009-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, we present a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries before an attacker does, with the goal of finally eliminating the vulnerabilities. IntScope first translates the disassembled code into our own intermediate representation (IR), and then performs a path sensitive data flow analysis on the IR by leveraging symbolic execution and taint analysis to identify the vulnerable point of integer overflow. Compared with other approaches, IntScope does not run the binary directly, and is scalable to large software as it can just symbolically execute the interesting program paths. Experimental results show IntScope is quite encouraging: it has detected more than 20 zero-day integer overflows (e.g., CVE-2008-4201, FrSIRT/ADV-2008-2919) in widely-used software such as QEMU, Xen and Xine.

Hao Sun,Xiangyu Zhang,Chao Su,Qingkai Zeng

DOI: https://doi.org/10.1145/2714576.2714605

2015-01-01

Abstract:Integer-Overflow-to-Buffer-Overflow ( IO2BO ) vulnerabilities can be exploited by attackers to cause severe damages to computer systems. In this paper, we present the design and implementation of IntTracker, an efficient dynamic tracking technique for detecting IO2BO vulnerabilities in C/C++ programs. IntTracker utilizes a static taint analysis to select potential overflow sites that are integer operations along critical paths, from sources that are program points reading values from users, to sinks that are memory allocation sites. It then instruments overflow checks at the selected sites. Instead of producing warnings once integer overflows occur, IntTracker replaces the overflown value with a very large and rarely used integer value ( dirty value), and treats such the value as an overflow tag. Tag propagation is performed by the existing program operations without any instrumentation as operations on dirty values often produce dirty values. Propagation can be automatically cut off by sanitization routines as they could prevent dirty values from affecting further program execution. IntTracker monitors whether any dirty value is used at a sink to detect IO2BO vulnerabilities. We evaluate IntTracker on 3444 programs of the NIST's SAMATE reference dataset, the SPEC CINT2000 benchmarks and 34 IO2BO bugs in real world. The experimental results show that IntTracker is effective in detecting harmful IO2BO vulnerabilities while bypassing false positives introduced by sanitization routines. Meanwhile, the runtime overhead is negligible, averaging about 0.69%. In contrast, IntPatch, the state of the art, produces a lot more false positives and has a higher overhead.

Ping Chen,Yi Wang,Zhi Xin,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/ARES.2009.77

2009-01-01

Abstract:Integer-based vulnerability is an extremely serious bug for programs written in languages such as C/C++. However in practice, very few software security tools can efficiently detect and accurately locate such vulnerability. In addition, previous methods mainly depend on source code analysis and recompilation which are impractical when protecting the program without source code. In this paper we present the design, implementation, and evaluation of BRICK (Binary Run-time Integer-based vulnerability ChecKer), a tool for run-time detecting and locating integer-based vulnerability) Given an integer-based vulnerability exploit, BRICK is able to catch the value which falls out of the range of its corresponding type, then find the root cause for this vulnerability, and finally locate the vulnerability code and give a warning, based on its checking scheme. BRICK is implemented on the dynamic binary instrumentation framework Valgrind and its type inference plug-in: Catchconv. Preliminary experimental results are quit promising: BRICK can detect and locate most of integer-based vulnerability in real software, and has very low false positives and negatives.

Xi Cheng,Min Zhou,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ase.2017.8115718

2017-01-01

Abstract:Integer errors in C/C++ are caused by arithmetic operations yielding results which are unrepresentable in certain type. They can lead to serious safety and security issues. Due to the complicated semantics of C/C++ integers, integer errors are widely harbored in real-world programs and it is errorprone to repair them even for experts. An automatic tool is desired to 1) automatically generate fixes which assist developers to correct the buggy code, and 2) provide sufficient hints to help developers review the generated fixes and better understand integer types in C/C++. In this paper, we present a tool IntPTI that implements the desired functionalities for C programs. IntPTI infers appropriate types for variables and expressions to eliminate representation issues, and then utilizes the derived types with fix patterns codified from the successful human-written patches. IntPTI provides a user-friendly web interface which allows users to review and manage the fixes. We evaluate IntPTI on 7 real-world projects and the results show its competitive repair accuracy and its scalability on large code bases. The demo video for IntPTI is available at: https://youtu.be/9Tgd4A_FgZM.

Xi Cheng,Min Zhou,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/COMPSAC.2016.70

2016-01-01

Abstract:Integer errors in C program may lead to serious failures and vulnerabilities. They are harbored in a wide range of programs including mature software such as Linux kernel. Code reviewing is laborious and cannot guarantee reliable fixes for errors. Addressing potential errors in the development phase is error-prone even for experts and essentially hinders developing efficiency. In this paper we propose a novel approach to automate fix for C integer errors. Our approach directly replaces original C integers with dynamic-precision integers to fix potential errors without detecting them in advance. Many errors can be fixed by precision improvement without changing the design of application. We implement a tool CIntFix to automatically fix C integer errors. CIntFix succeeds in fixing all 5414 programs in NIST's Juliet test suite from 7 weakness categories. Meanwhile, on Juliet test suite and SPEC CINT2000 benchmarks, CIntFix processes C source code at the rate of 0.157s/KLOC and the fixed programs have 18.0% slowdown on average. The results show that CIntFix is capable to fix integer errors in real-world C programs.

Xi Lu

2010-01-01

Journal of Software

Abstract:This paper presents an automatic testing method,DAIDT(dynamic automatic integer-overflow detection and testing),for finding integer overflow fatal bugs in binary code.DAIDT can thoroughly test the binary code and automatically find unknown integer overflow bugs without necessarily knowing their symbol tables.It is formally proved in this paper that DAIDT can theoretically detect all the high-risk integer overflow bugs with no false positives and no false negatives.In additional,any bugs find by DAIDT can be replayed.To demonstrate the effectiveness of this theory,IntHunter has been implemented.It has found 4 new high risk integer overflow bugs in the latest releases of three high-trusted applications(two Microsoft WINS services in Windows 2000 and 2003 Server,Baidu Hi Instant Messager) by testing each for 24 hours.Three of these bugs allow arbitrary code execution and have received confirmed vulnerabilities numbers,CVE-2009-1923,CVE-2009-1924 from Microsoft Security Response Center and CVE-2008-6444 from Baidu.

Chao Zhang,Tielei Wang,Tao Wei,Yu Chen,Wei Zou

DOI: https://doi.org/10.1007/978-3-642-15497-3_5

2010-01-01

Abstract:The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability are critical for software security. In tins paper, we present the design and implementation of IntPatch, a. compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and datafiow analysis framework to identify potential IO2BO vulnerabilities, and then instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers to facilitate checking integer overflows. We evaluate IntPatch on a number of real-world applications. It has caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have a negligible runtime performance loss which is averaging about 1%.

Hao Sun,Xiangyu Zhang,Yunhui Zheng,Qingkai Zeng

DOI: https://doi.org/10.1145/2884781.2884820

2016-01-01

Abstract:Integer overflow (IO) vulnerabilities can be exploited by attackers to compromise computer systems. In the mean time, IOs can be used intentionally by programmers for benign purposes such as hashing and random number generation. Hence, differentiating exploitable and harmful IOs from intentional and benign ones is an important challenge. It allows reducing the number of false positives produced by IO vulnerability detection techniques, helping developers or security analysts to focus on fixing critical IOs without inspecting the numerous false alarms. The difficulty of recognizing benign IOs mainly lies in inferring the intent of programmers from source code.In this paper, we present a novel technique to recognize benign IOs via equivalence checking across multiple precisions. We determine if an IO is benign by comparing the effects of an overflowed integer arithmetic operation in the actual world (with limited precision) and the same operation in the ideal world (with sufficient precision to evade the IO). Specifically, we first extract the data flow path from the overflowed integer arithmetic operation to a security related program point (i.e., sink) and then create a new version of the path using more precise types with sufficient bits to represent integers so that the IO can be avoided. Using theorem proving we check whether these two versions are equivalent, that is, if they yield the same values at the sink under all possible inputs. If so, the IO is benign. We implement a prototype, named IntEQ, based on the GCC compiler and the Z3 solver, and evaluate it using 26 harmful IO vulnerabilities from 20 real-world programs, and 444 benign IOs from SPECINT 2000, SPECINT 2006, and 7 real-world applications. The experimental results show that IntEQ does not misclassify any harmful IO bugs (no false negatives) and recognizes 355 out of 444 (about 79.95%) benign IOs, whereas the state of the art can only recognize 19 benign IOs.

Chao Zhang,Wei Zou,Tielei Wang,Yu Chen,Tao Wei

DOI: https://doi.org/10.3233/jcs-2011-0434

2011-01-01

Journal of Computer Security

Abstract:One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. Many programmers have not realized the existence of IO2BO and its harm. Even for those who are aware of IO2BO, locating and fixing IO2BO vulnerabilities are still tedious and error-prone. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then uses backward slicing to find out related vulnerable arithmetic operations, and finally instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers who want to check integer overflows manually. We evaluated IntPatch on a few real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have negligible runtime performance losses which are on average 1%.

Paul Muntean,Martin Monperrus,Hao Sun,Jens Grossklags,Claudia Eckert

DOI: https://doi.org/10.1109/tse.2019.2946148

IF: 7.4

2021-10-01

IEEE Transactions on Software Engineering

Abstract:Integer overflows have threatened software applications for decades. Thus, in this paper, we propose a novel technique to provide automatic repairs of integer overflows in C source code. Our technique, based on static symbolic execution, fuses detection, repair generation and validation. This technique is implemented in a prototype named IntRepair. We applied IntRepair to 2,052 C programs (approx. 1 million lines of code) contained in SAMATE's Juliet test suite and 50 synthesized programs that range up to 20 KLOC. Our experimental results show that IntRepair is able to effectively detect integer overflows and successfully repair them, while only increasing the source code (LOC) and binary (Kb) size by around 1 percent, respectively. Further, we present the results of a user study with 30 participants which shows that IntRepair repairs are more than 10x efficient as compared to manually generated code repairs.

engineering, electrical & electronic,computer science, software engineering

Hao Sun,Chao Su,Yue Wang,Qingkai Zeng

DOI: https://doi.org/10.1142/s0218194015400331

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Integer signedness errors can be exploited by adversaries to cause severe damages to computer systems. Despite the significant advances in automating the detection of integer signedness errors, accurately differentiating exploitable and harmful signedness errors from unharmful ones is an important challenge. In this paper, we present the design and implementation of SignFlow, an instrumentation-based integer signedness error detector to reduce the reports for unharmful signedness errors. SignFlow first utilizes static data flow analysis to identify unharmful integer sign conversions from the view of where the source operands originate and whether the conversion results can propagate to security-related program points, and then inserts security checks for the remaining conversions so as to accomplish runtime protection. We evaluated SignFlow on 8 real-world harmful integer signedness bugs, SPECint 2006 benchmarks together with 5 real-world applications. The experimental results show that SignFlow correctly detected all harmful integer signedness bugs (i.e. no false negatives) and achieved a reduction of 41% in false positives over IntFlow, the state of the art.

Liang He,Hong Hu,Purui Su,Yan Cai,Zhenkai Liang

2022-01-01

Abstract:Memory-safety issues in operating systems and popular applications are still top security threats. As one widely exploited vulnerability, Use After Free (UAF) resulted in hundreds of new incidents every year. Existing bug diagnosis techniques report the locations that allocate or deallocate the vulnerable object, but cannot provide sufficient information for developers to reason about a bug or synthesize a correct patch. In this work, we identified incorrect reference counting as one common root cause of UAF bugs: if the developer forgets to increase the counter for a newly created reference, the program may prematurely free the actively used object, rendering other references dangling pointers. We call this problem reference miscounting. By proposing an omission-aware counting model, we developed an automatic method, FREEWILL, to diagnose UAF bugs. FREEWILL first reproduces a UAF bug and collects related execution trace. Then, it identifies the UAF object and related references. Finally, FREEWILL compares reference operations with our model to detect reference miscounting. We evaluated FREEWILL on 76 real-world UAF bugs and it successfully confirmed reference miscounting as root causes for 48 bugs and dangling usage for 18 bugs. FREEWILL also identified five null-pointer dereference bugs and failed to analyze five bugs. FREEWILL can complete its analysis within 15 minutes on average, showing its practicality for diagnosing UAF bugs.

Yizhuo Zhai,Yu Hao,Hang Zhang,Daimeng Wang,Chengyu Song,Zhiyun Qian,Mohsen Lesani,Srikanth V. Krishnamurthy,Paul Yu

DOI: https://doi.org/10.1145/3368089.3409686

2020-11-07

Abstract:Use-before-Initialization (UBI) bugs in the Linux kernel have serious security impacts, such as information leakage and privilege escalation. Developers are adopting forced initialization to cope with UBI bugs, but this approach can still lead to undefined behaviors (e.g., NULL pointer dereference). As it is hard to infer correct initialization values, we believe that the best way to mitigate UBI bugs is detection and manual patching. Precise detection of UBI bugs requires path-sensitive analysis. The detector needs to track an associated variable’s initialization status along all the possible program execution paths to its uses. However, such exhaustive analysis prevents the detection from scaling to the whole Linux kernel. This paper presents UBITect, a UBI bug finding tool which combines flow-sensitive type qualifier analysis and symbolic execution to perform precise and scalable UBI bug detection. The scalable qualifier analysis guides symbolic execution to analyze variables that are likely to cause UBI bugs. UBITect also does not require manual effort for annotations and hence, it can be directly applied to the kernel without any source code or intermediate representation (IR) change. On the Linux kernel version 4.14, UBITect reported 190 bugs, among which 78 bugs were deemed by us as true positives and 52 were confirmed by Linux maintainers.

Qingyang Zhou,Qiushi Wu,Dinghao Liu,Shouling Ji,Kangjie Lu

DOI: https://doi.org/10.1145/3548606.3560661

2022-01-01

Abstract:Security bugs like memory errors are constantly introduced to software programs, and recent years have witnessed an increasing number of reported security bugs. Traditional detection approaches are mainly specification-based---detecting violations against a specified rule as security bugs. This often does not work well in practice because specifications are difficult to specify and generalize, leaving complicated and new types of bugs undetected. Recent research thus leans toward deviation-based detection which finds a substantial number of similar cases and detects deviating cases as potential bugs. This, however, suffers from two other problems. First, it requires enough similar cases to find deviations and thus cannot work for custom code that does not have similar cases. Second, code-similarity analysis is probabilistic and challenging, so the detection can be unreliable. Sometimes, similar cases can normally have deviating behaviors under different contexts. In this paper, we propose a novel approach for detecting security bugs based on a new concept called Non-Distinguishable Inconsistencies (NDI). The insight is that if two code paths in a function exhibit inconsistent security states (such as being freed or initialized) that are non-distinguishable from the external, such as the callers, there is no way to recover from the inconsistency from the external, which results in a bug. Such an approach has several strengths. First, it is specification-free and thus can support complicated and new types of bugs. Second, it does not require similar cases and by its nature is deterministic. Third, the analysis is practical by minimizing complicated and lengthy data-flow analysis. We implemented NDI and applied it to well-tested programs, including the OpenSSL library, the FreeBSD kernel, the Apache httpd server, and the PHP interpreter. The results show that NDI works for both large and small programs, and it effectively found 51 new bugs, most of which are otherwise missed by the state-of-the-art detection tools.

Ebrima N. Ceesay,Jingmin Zhou,Michael Gertz,Karl Levitt,Matt Bishop

DOI: https://doi.org/10.1007/11790754_1

2006-01-01

Abstract:Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer related vulnerabilities in these applications

Guang Wang,Ziyuan Zhu,Xu Cheng,Dan Meng

DOI: https://doi.org/10.1109/tc.2023.3288762

2023-01-01

Abstract:The processors have long been treated as trusted black boxes for running software. However, processors may have undocumented instructions and instruction flaws, which increase the attack surface of the computing system. Hardware-related attack surfaces can bypass malware detection tools, resulting in undefined system behavior, instability, and insecurity. Unfortunately, the existing testing methods for undocumented instructions and instruction flaws have issues of insufficient test coverage and low test efficiency. We proposed an approach Skipscan to address these issues, which tests both the legal instructions and the reserved instructions. For the first time, to improve the test coverage, Skipscan leverages an optimized combination algorithm to generate instruction prefix combinations, which covers the entire types of legal prefix combinations. To improve the test efficiency, Skipscan skips a considerable number of redundant legal instructions by leveraging the minimal test set of immediate and displacement operands. We evaluated Skipscan on eight x86 processors from Intel and AMD. The number of legal instructions and reserved instructions tested by Skipscan are 121.4 and 259.55 times that of Sandsifter on average, respectively. The test efficiency of Skipscan is on average 4 times that of Sandsifter. The ratio of legal instructions is reduced from 78.2% to 20.1% on average. Furthermore, we found more undocumented instructions on x86 processors and instruction flaws in x86 disassemblers.

Junjie Mao,Yu Chen,Qixue Xiao,Yuanchun Shi

DOI: https://doi.org/10.1145/2980024.2872389

2016-01-01

Abstract:Reference counts are widely used in OS kernels for resource management. However, reference counts are not trivial to be used correctly in large scale programs because it is left to developers to make sure that an increment to a reference count is always paired with a decrement. This paper proposes inconsistent path pair checking, a novel technique that can statically discover bugs related to reference counts without knowing how reference counts should be changed in a function. A prototype called RID is implemented and evaluations show that RID can discover more than 80 bugs which were confirmed by the developers in the latest Linux kernel. The results also show that RID tends to reveal bugs caused by developersu0027 misunderstanding on API specifications or error conditions that are not handled properly.

Xi Cheng,Min Zhou,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/tc.2018.2866388

IF: 3.183

2018-01-01

IEEE Transactions on Computers

Abstract:In C programs, integer error is a common yet important kind of defect due to arithmetic operations that produce unrepresentable values in certain types. Integer errors are harbored in a wide range of applications and possibly lead to serious software failures and exploitable vulnerabilities. Due to the complicated semantics of C, manually preventing integer errors is challenging even for experienced developers. In this paper we propose a novel approach to automate C integer error repair by elevating the precision of arithmetic operations according to a set of code transformation rules. A large portion of integer errors can be repaired by recovering expected results (i.e., tolerance) instead of removing program functionality. Our approach is fully automatic without requiring code specifications. Furthermore, the transformed code is ensured to be well-typed and has conservativeness property with respect to the original code. Our approach is implemented as a prototype CIntFix which succeeds in repairing all the integer errors from 7 categories in NIST's Juliet Test Suite. Furthermore, CIntFix is evaluated on large code bases in SPEC CINT2000, scaling to 366 KLOC within 126 seconds while the transformed code has 10.5 percent slowdown on average. The evaluation results substantiate the potential of our approach in real-world scenarios.