XIA Jian-jun,SUN Le-chang,LIU Jing-ju,ZHANG Min,CAI Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.09.095

2011-01-01

Abstract:Buffer overflow(BOF) is always one of the most dangerous vulnerabilities to computer security.This paper proposed multi-dimentional Fuzzing of buffer overflow(MFBOF),which was based on multi-dimentional Fuzzing technology,combined the structure knowledge of target's input,static binary code analysis and dynamic I/O analysis technique,generated test cases using adaptive simulated annealing genetic algorithm.The results of testing Libpng validate that MFBOF is effective.At last,this paper gave its further improvement directions.

Rui Wang,Shitang Wu,Ning Li,Zhanhuai Li

DOI: https://doi.org/10.13245/j.hust.150615

2015-01-01

Abstract:The main difficulties of floating‐point programs analysis based on abstract interpretation ex‐ist in costly computation brought by the real number arithmetic w hen constructing the complex ab‐stract domain .In this paper ,a compensation‐based floating‐point number representation and relative arithmetic were proposed based on IEEE754 standard for octagon abstract domain .The method could reduce the complexity of floating‐point arithmetic ,and extend the traditional octagon abstract domain to sound floating‐point octagon abstract domain ,achieving a trade‐off between efficiency and preci‐sion .Experimental results show that using the compensation‐based floating‐point octagon abstract do‐main rather than real number can significantly improve the efficiency ,and ensure the reliability of analy sis .

Si-Hao SHAO,Qing GAO,Sen MA,Fu-Yao DUAN,Xiao MA,Shi-Kun ZHANG,Jin-Hua HU

DOI: https://doi.org/10.13328/j.cnki.jos.005504

2018-01-01

Abstract:First,in this paper,the breadth and risk of buffer overflow vulnerabilities are introduced.Then,from the aspect of how to exploit a buffer overflow vulnerability,an overview is provided on the definition of buffer overflow vulnerabilities,memory organization in operation systems,and classification of buffer overflow attacks.Based on the research,buffer overflow analysis technologies are classified into three categories:automatic detection,automatic repair,and run-time protection.Each types of technologies are introduced,analyzed and discussed according to the classification.Finally,three possible research directions in the field of buffer overflow vulnerability analysis are discussed:(1) analyzing binary code;(2) using machine learning algorithms;(3) combining multiple technologies for analysis.

Lanlan Qi,Jiangtao Wen,Yu Chen,Qixue Xiao

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2014.09.020

2014-01-01

Abstract:Different software vulnerabilities have different characteristics.220 integer overflow vulnerabilities are analyzed to develop three kinds of detection strategies to reduce the false positives from static analyses.Static analyses identify the type of integer overflow while dynamic analyses accurately identify the integer overflow vulnerability.This method combines the advantages of the two analyses to detect vulnerabilities.The static analysis is used to detect the integer overflow and obtain the integer overflow type and related information.This information is then used by the dynamic analysis to insert hooks into the code using the automatic pile technique.Then,the algorithm calls the integer overflow marker interface and performs symbolic execution with the reconstruction expressions.This method is used to analyze the Lighttpd-1.4.29 and Linux kernel 3.4 systems.This method can greatly reduce the number of false positives.The number of false positives for Lighttpd-1.4.29 is reduced by 374,accounting for 67.3％ of the total.The number of false positives for Linux kernel 3.4 is reduced by 159 761,accounting for 98.2％ of the total.This system also successfully finds the CVE-2011-4362 and CVE-2013-1763 integer overflow vulnerabilities.

SUN Hao,ZENG Qing-Kai

DOI: https://doi.org/10.13328/j.cnki.jos.004793

2015-01-01

Journal of Software

Abstract:In C/C++ language, limited rages represented by integer types and castings between different signs or widths cause integer-based weakness, including integer overflow, integer underflow, signedness error and truncation error. Attackers usually exploit them indirectly to commit damaging acts such as arbitrary code execution and denial of service. This paper presents a survey on integer-based vulnerabilities. A novel security model is proposed in view of behaviors resulting from the weakness occurrence, and the sufficient conditions in determining integer-based vulnerabilities are also presented. A thorough comparison among detecting methods is further conducted in consideration of covering sufficient conditions. Through an empirical study on real-world integer bug cases, the characteristics and distributions are discussed. Finally, the challenges and research directions of integer-based vulnerabilities are explored.

Xi Lu

2010-01-01

Journal of Software

Abstract:This paper presents an automatic testing method,DAIDT(dynamic automatic integer-overflow detection and testing),for finding integer overflow fatal bugs in binary code.DAIDT can thoroughly test the binary code and automatically find unknown integer overflow bugs without necessarily knowing their symbol tables.It is formally proved in this paper that DAIDT can theoretically detect all the high-risk integer overflow bugs with no false positives and no false negatives.In additional,any bugs find by DAIDT can be replayed.To demonstrate the effectiveness of this theory,IntHunter has been implemented.It has found 4 new high risk integer overflow bugs in the latest releases of three high-trusted applications(two Microsoft WINS services in Windows 2000 and 2003 Server,Baidu Hi Instant Messager) by testing each for 24 hours.Three of these bugs allow arbitrary code execution and have received confirmed vulnerabilities numbers,CVE-2009-1923,CVE-2009-1924 from Microsoft Security Response Center and CVE-2008-6444 from Baidu.

Zihan Yu,Jintao Xue,Xin Sun,Wen Wang,Yubo Song,Liquan Chen,Zhongyuan Qin

DOI: https://doi.org/10.1109/cis58238.2022.00087

2022-01-01

Abstract:The increasing number of software vulnerabilities pose serious security attacks and lead to system compromise, information leakage or denial of service. It is a challenge to further improve the vulnerability detection technique. Nowadays most applications are implemented using C/C++. In this paper we focus on the detection of overflow vulnerabilities in C/C++ source code. A novel scheme named VulMiningBGS (Vulnerability Mining Based on Graph Similarity) is proposed. We convert the source code into Top N-Weighted Range Sum Feature Graph (TN-WRSFG), and graph similarity comparisons based on source code level can be effectively carried on to detect possible vulnerabilities. Three categories of vulnerabilities in the Juliet test suite are used, i.e., CWE121, CWE122 and CWE190, with four indicators for performance evaluation (precision, recall, accuracy and F1_score). Experimental results show that our scheme outperforms the traditional methods, and is effective in the overflow vulnerability detection for C/C++ source code.

Tielei Wang,Tao Wei,Zhiqiang Lin,Wei Zou

2009-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, we present a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries before an attacker does, with the goal of finally eliminating the vulnerabilities. IntScope first translates the disassembled code into our own intermediate representation (IR), and then performs a path sensitive data flow analysis on the IR by leveraging symbolic execution and taint analysis to identify the vulnerable point of integer overflow. Compared with other approaches, IntScope does not run the binary directly, and is scalable to large software as it can just symbolically execute the interesting program paths. Experimental results show IntScope is quite encouraging: it has detected more than 20 zero-day integer overflows (e.g., CVE-2008-4201, FrSIRT/ADV-2008-2919) in widely-used software such as QEMU, Xen and Xine.

Hao Sun,Xiangyu Zhang,Yunhui Zheng,Qingkai Zeng

DOI: https://doi.org/10.1145/2884781.2884820

2016-01-01

Abstract:Integer overflow (IO) vulnerabilities can be exploited by attackers to compromise computer systems. In the mean time, IOs can be used intentionally by programmers for benign purposes such as hashing and random number generation. Hence, differentiating exploitable and harmful IOs from intentional and benign ones is an important challenge. It allows reducing the number of false positives produced by IO vulnerability detection techniques, helping developers or security analysts to focus on fixing critical IOs without inspecting the numerous false alarms. The difficulty of recognizing benign IOs mainly lies in inferring the intent of programmers from source code.In this paper, we present a novel technique to recognize benign IOs via equivalence checking across multiple precisions. We determine if an IO is benign by comparing the effects of an overflowed integer arithmetic operation in the actual world (with limited precision) and the same operation in the ideal world (with sufficient precision to evade the IO). Specifically, we first extract the data flow path from the overflowed integer arithmetic operation to a security related program point (i.e., sink) and then create a new version of the path using more precise types with sufficient bits to represent integers so that the IO can be avoided. Using theorem proving we check whether these two versions are equivalent, that is, if they yield the same values at the sink under all possible inputs. If so, the IO is benign. We implement a prototype, named IntEQ, based on the GCC compiler and the Z3 solver, and evaluate it using 26 harmful IO vulnerabilities from 20 real-world programs, and 444 benign IOs from SPECINT 2000, SPECINT 2006, and 7 real-world applications. The experimental results show that IntEQ does not misclassify any harmful IO bugs (no false negatives) and recognizes 355 out of 444 (about 79.95%) benign IOs, whereas the state of the art can only recognize 19 benign IOs.

Fanping Zeng,Liangliang Mao,Zhide Chen,Qing Cao

DOI: https://doi.org/10.1109/WICOM.2009.5302048

2009-01-01

Abstract:Integer overflow vulnerability is a kind of common software vulnerabilities, there has been no effective way to detect integer overflow vulnerabilities. Because of the lack of dynamic execution, static analysis can not determine the run-time distribution of memory, and may miss the detection of possible security issues; source code auditing is an expensive and time consuming process. Although there has been applying mutation analysis for testing ANSI C programs, and lots of mutation operators have been designed with respect to specific questions, there are not any of operators specifically designed for integer overflow. In this paper, we propose some new mutation operators to force the generation of adequate test data set for integer overflow vulnerabilities. The results indicate that the proposed operators are effective for detecting integer overflow vulnerabilities.

Chao Zhang,Wei Zou,Tielei Wang,Yu Chen,Tao Wei

DOI: https://doi.org/10.3233/jcs-2011-0434

2011-01-01

Journal of Computer Security

Abstract:One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. Many programmers have not realized the existence of IO2BO and its harm. Even for those who are aware of IO2BO, locating and fixing IO2BO vulnerabilities are still tedious and error-prone. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then uses backward slicing to find out related vulnerable arithmetic operations, and finally instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers who want to check integer overflows manually. We evaluated IntPatch on a few real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have negligible runtime performance losses which are on average 1%.

Enyi Tang,Earl T. Barr,Xuandong Li,Zhendong Su

DOI: https://doi.org/10.1145/1831708.1831724

2010-01-01

Abstract:ABSTRACTWriting reliable software is difficult. It becomes even more difficult when writing scientific software involving floating-point numbers. Computers provide numbers with limited precision; when confronted with a real whose precision exceeds that limit, they introduce approximation and error. Numerical analysts have developed sophisticated mathematical techniques for performing error and stability analysis of numerical algorithms. However, these are generally not accessible to application programmers or scientists who often do not have in-depth training in numerical analysis and who thus need more automated techniques to analyze their code. In this paper, we develop a novel, practical technique to help application programmers (or even numerical experts) obtain high-level information regarding the numerical stability and accuracy of their code. Our main insight is that by systematically altering (or perturbing) the underlying numerical calculation, we can uncover potential pitfalls in the numerical code. We propose two complementary perturbations to statistically measure numerical stability: value perturbation and expression perturbation. Value perturbation dynamically replaces the least significant bits of each floating-point value, including intermediate values, with random bits to statistically induce numerical error in the code. Expression perturbation statically changes the numerical expressions in the user program to mathematically equivalent (in the reals, likely not in floating-point numbers), but syntactically different forms. We then compare the executions of these "equivalent" forms to help discover and remedy potential instabilities. Value perturbation can overstate error, while expression perturbation is relatively conservative, so we use value perturbation to generate candidates for expression perturbation. We have implemented our technique, and evaluation results on various programs from the literature and the GNU Scientific Library (GSL) show that our technique is effective and offers a practical alternative for understanding numerical stability in scientific software.

Roberto Bagnara,Matthieu Carlier,Roberta Gori,Arnaud Gotlieb

DOI: https://doi.org/10.48550/arXiv.1308.3847

2015-08-01

Abstract:Floating-point computations are quickly finding their way in the design of safety- and mission-critical systems, despite the fact that designing floating-point algorithms is significantly more difficult than designing integer algorithms. For this reason, verification and validation of floating-point computations is a hot research topic. An important verification technique, especially in some industrial sectors, is testing. However, generating test data for floating-point intensive programs proved to be a challenging problem. Existing approaches usually resort to random or search-based test data generation, but without symbolic reasoning it is almost impossible to generate test inputs that execute complex paths controlled by floating-point computations. Moreover, as constraint solvers over the reals or the rationals do not natively support the handling of rounding errors, the need arises for efficient constraint solvers over floating-point domains. In this paper, we present and fully justify improved algorithms for the propagation of arithmetic IEEE 754 binary floating-point constraints. The key point of these algorithms is a generalization of an idea by B. Marre and C. Michel that exploits a property of the representation of floating-point numbers.

Artificial Intelligence,Software Engineering

Chenghu Ma,Liqian Chen,Xin Yi,Guangsheng Fan,Ji Wang

DOI: https://doi.org/10.1109/APSEC57359.2022.00046

2022-01-01

Abstract:It is difficult to write a numerical program that does not incur floating-point exceptions in practice. To detect floating-point exceptions, most existing methods use static analysis, which may induce false alarms (due to over-approximation), or suffer from scalability issues (since solving floating-point constraints is expensive). Fuzzing is a widely used technique to finding bugs, but existing fuzzing techniques have not yet considered the specific format of floating-point and are lack of guidance for detecting floating-point exceptions. In this paper, we propose a floating-point format aware coverage-based grey-box fuzzing to detect floating-point exceptions for numerical programs. More specifically, we propose a novel mutation strategy for floating-point format aiming at producing valid floating-point test inputs. Moreover, we present a new guidance aiming to search for test inputs that are closer to exposing exceptions. We implement our approach as a tool, named NUMFUZZ, based on AFL. We have conducted experiments to evaluate NUMFUZZ on GNU Scientific Library (GSL) and Sun's C math library respectively. The preliminary experimental results suggest that our approach has promising ability in detecting floating-point exceptions and achieving high floating-point branch coverage in real-world numerical programs.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

David Monniaux

DOI: https://doi.org/10.1145/1353445.1353446

IF: 1.714

2008-05-01

ACM Transactions on Programming Languages and Systems

Abstract:Current critical systems often use a lot of floating-point computations, and thus the testing or static analysis of programs containing floating-point operators has become a priority. However, correctly defining the semantics of common implementations of floating-point is tricky, because semantics may change according to many factors beyond source-code level, such as choices made by compilers. We here give concrete examples of problems that can appear and solutions for implementing in analysis software.

computer science, software engineering

Sun Ding,Hee Beng Kuan Tan,Hongyu Zhang

DOI: https://doi.org/10.1007/978-3-319-22348-3_12

2015-01-01

Abstract:Buffer overflow vulnerability is one of the commonly found significant security vulnerabilities. This vulnerability may occur if a program does not sufficiently prevent input from exceeding intended size and accessing unintended memory locations. Researchers have put effort in different directions to address this vulnerability. How, authorized reports and data showed that as more sophisticated attack vectors are being discovered, efforts on a single direction are not sufficient to resolve this critical issue well. In this paper, we characterize buffer overflow vulnerability in four patterns and propose ABOR, a framework to remove buffer overflow vulnerabilities from source code automatically. It only patches identified code segments, which means it is an optimized solution that eliminates buffer overflows at the maximum while adds runtime overhead at the minimum. We have implemented the proposed approach and evaluated ABOR over a set of real world C/C++ applications. The results prove ABOR’s effectiveness in practice.

Sun Ding,Hee Beng Kuan Tan,Hongyu Zhang

DOI: https://doi.org/10.5220/0004888000490059

2014-01-01

Abstract:Buffer overflow vulnerability is one of the commonly found significant security vulnerabilities. This vulnerability may occur if a program does not sufficiently prevent input from exceeding intended size or accessing unintended memory locations. Researchers have put effort in different directions to address this vulnerability, including creating a run-time defence mechanism, proposing effective detection methods or automatically modifying the original program to remove the vulnerabilities. These techniques share many commonalities and also have differences. In this paper, we characterize buffer overflow vulnerability in the form of four patterns and propose ABOR--a framework that integrates, extends and generalizes existing techniques to remove buffer overflow vulnerability more effectively and accurately. ABOR only patches identified code segments; thus it is an optimized solution that can eliminate buffer overflows while keeping a minimum runtime overhead. We have implemented the proposed approach and evaluated it through experiments on a set of benchmarks and three industrial C/C++ applications. The experiment result proves ABORâ s effectiveness in practice.

Junjie Hou,Yongxin Zhu,Yulan Shen,Mengjun Li,Han Wu,Han Song

DOI: https://doi.org/10.1109/HPCC-SmartCity-DSS.2017.82

2017-01-01

Abstract:Floating-point arithmetic is an important form in numerical computation, IEEE Standard for Floating-Point Arithmetic - IEEE 754 floats has been applied in overwhelming majority of microprocessors. However, as the increasing of data size and accuracy requirement of applications, bandwidth and precision are highly valued in floating-point computing, optimizing existing floating-point arithmetic is a way to improve current situation. Unum (universal number) arithmetic is a new floating-point arithmetic presented by John L. Gustafson in 2013, being compared with IEEE 754 floats, the outstanding features of unum are clearance of rounding errors, high information-per-bit and variable precision. However, unum was only implemented in software before due to technical complexity, we implement unum arithmetic on FPGA for the first time. We contrast the precision and bit width in computing with IEEE 754 floats, the comparison results show that unum need less bit width than IEEE 754 floats under same precision, it can decrease bandwidth requirement in computing.

Fanping Zeng,Minghui Chen,Kaitao Yin,Xufa Wang

DOI: https://doi.org/10.1109/cit.2009.90

2009-01-01

Abstract:Buffer overflow (BOF) is one of the major vulnerabilities that lead to non-secure software. Testing an implementation for BOF vulnerabilities is challenging as the underlying reasons of buffer overflow vary widely. This paper presents a novel method for BOF test for ANSI C language, which uses program instrumentation and mutation test technology to test the BOF vulnerabilities, on the basis of analyzing the invariants for BOF vulnerabilities. The implementation shows that it can check the attack of BOF vulnerabilities adequately and accurately, in the circumstances of no large losses in performance.