Chao Zhang,Tielei Wang,Tao Wei,Yu Chen,Wei Zou

DOI: https://doi.org/10.1007/978-3-642-15497-3_5

2010-01-01

Abstract:The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability are critical for software security. In tins paper, we present the design and implementation of IntPatch, a. compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and datafiow analysis framework to identify potential IO2BO vulnerabilities, and then instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers to facilitate checking integer overflows. We evaluate IntPatch on a number of real-world applications. It has caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have a negligible runtime performance loss which is averaging about 1%.

Hao Sun,Xiangyu Zhang,Yunhui Zheng,Qingkai Zeng

DOI: https://doi.org/10.1145/2884781.2884820

2016-01-01

Abstract:Integer overflow (IO) vulnerabilities can be exploited by attackers to compromise computer systems. In the mean time, IOs can be used intentionally by programmers for benign purposes such as hashing and random number generation. Hence, differentiating exploitable and harmful IOs from intentional and benign ones is an important challenge. It allows reducing the number of false positives produced by IO vulnerability detection techniques, helping developers or security analysts to focus on fixing critical IOs without inspecting the numerous false alarms. The difficulty of recognizing benign IOs mainly lies in inferring the intent of programmers from source code.In this paper, we present a novel technique to recognize benign IOs via equivalence checking across multiple precisions. We determine if an IO is benign by comparing the effects of an overflowed integer arithmetic operation in the actual world (with limited precision) and the same operation in the ideal world (with sufficient precision to evade the IO). Specifically, we first extract the data flow path from the overflowed integer arithmetic operation to a security related program point (i.e., sink) and then create a new version of the path using more precise types with sufficient bits to represent integers so that the IO can be avoided. Using theorem proving we check whether these two versions are equivalent, that is, if they yield the same values at the sink under all possible inputs. If so, the IO is benign. We implement a prototype, named IntEQ, based on the GCC compiler and the Z3 solver, and evaluate it using 26 harmful IO vulnerabilities from 20 real-world programs, and 444 benign IOs from SPECINT 2000, SPECINT 2006, and 7 real-world applications. The experimental results show that IntEQ does not misclassify any harmful IO bugs (no false negatives) and recognizes 355 out of 444 (about 79.95%) benign IOs, whereas the state of the art can only recognize 19 benign IOs.

Cui Baojiang,Liang Xiaobing,Zhao Bing,Zhai Feng,Wang Jianxin

2014-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, a smart software vulnerability detection technology is presented, which is used for the identification of integer overflow vulnerabilities in binary executables. The proposed algorithm is combined with Target filtering and dynamic taint tracing (TFDTT). Dynamic taint tracing is used to reduce the mutation space and target filtering function is used to filter test cases during the process of test case generation. Theory analysis indicates that the efficiency of TFDTT is higher than NonTF-DTT and random Fuzzing technology. And the experiment results indicate that the detection technology based upon TFDTT can identify the possible integer vulnerabilities in binary program, meanwhile, it is more efficiency than other two technologies.

Chao Zhang,Wei Zou,Tielei Wang,Yu Chen,Tao Wei

DOI: https://doi.org/10.3233/jcs-2011-0434

2011-01-01

Journal of Computer Security

Abstract:One of the top two causes of software vulnerabilities in operating systems is the integer overflow. A typical integer overflow vulnerability is the Integer Overflow to Buffer Overflow IO2BO for short vulnerability. IO2BO is an underestimated threat. Many programmers have not realized the existence of IO2BO and its harm. Even for those who are aware of IO2BO, locating and fixing IO2BO vulnerabilities are still tedious and error-prone. Automatically identifying and fixing this kind of vulnerability are critical for software security. In this article, we present the design and implementation of IntPatch, a compiler extension for automatically fixing IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch utilizes classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then uses backward slicing to find out related vulnerable arithmetic operations, and finally instruments programs with runtime checks. Moreover, IntPatch provides an interface for programmers who want to check integer overflows manually. We evaluated IntPatch on a few real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch have negligible runtime performance losses which are on average 1%.

Lanlan Qi,Jiangtao Wen,Yu Chen,Qixue Xiao

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2014.09.020

2014-01-01

Abstract:Different software vulnerabilities have different characteristics.220 integer overflow vulnerabilities are analyzed to develop three kinds of detection strategies to reduce the false positives from static analyses.Static analyses identify the type of integer overflow while dynamic analyses accurately identify the integer overflow vulnerability.This method combines the advantages of the two analyses to detect vulnerabilities.The static analysis is used to detect the integer overflow and obtain the integer overflow type and related information.This information is then used by the dynamic analysis to insert hooks into the code using the automatic pile technique.Then,the algorithm calls the integer overflow marker interface and performs symbolic execution with the reconstruction expressions.This method is used to analyze the Lighttpd-1.4.29 and Linux kernel 3.4 systems.This method can greatly reduce the number of false positives.The number of false positives for Lighttpd-1.4.29 is reduced by 374,accounting for 67.3％ of the total.The number of false positives for Linux kernel 3.4 is reduced by 159 761,accounting for 98.2％ of the total.This system also successfully finds the CVE-2011-4362 and CVE-2013-1763 integer overflow vulnerabilities.

Xi Lu

2010-01-01

Journal of Software

Abstract:This paper presents an automatic testing method,DAIDT(dynamic automatic integer-overflow detection and testing),for finding integer overflow fatal bugs in binary code.DAIDT can thoroughly test the binary code and automatically find unknown integer overflow bugs without necessarily knowing their symbol tables.It is formally proved in this paper that DAIDT can theoretically detect all the high-risk integer overflow bugs with no false positives and no false negatives.In additional,any bugs find by DAIDT can be replayed.To demonstrate the effectiveness of this theory,IntHunter has been implemented.It has found 4 new high risk integer overflow bugs in the latest releases of three high-trusted applications(two Microsoft WINS services in Windows 2000 and 2003 Server,Baidu Hi Instant Messager) by testing each for 24 hours.Three of these bugs allow arbitrary code execution and have received confirmed vulnerabilities numbers,CVE-2009-1923,CVE-2009-1924 from Microsoft Security Response Center and CVE-2008-6444 from Baidu.

Tielei Wang,Tao Wei,Zhiqiang Lin,Wei Zou

2009-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, we present a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries before an attacker does, with the goal of finally eliminating the vulnerabilities. IntScope first translates the disassembled code into our own intermediate representation (IR), and then performs a path sensitive data flow analysis on the IR by leveraging symbolic execution and taint analysis to identify the vulnerable point of integer overflow. Compared with other approaches, IntScope does not run the binary directly, and is scalable to large software as it can just symbolically execute the interesting program paths. Experimental results show IntScope is quite encouraging: it has detected more than 20 zero-day integer overflows (e.g., CVE-2008-4201, FrSIRT/ADV-2008-2919) in widely-used software such as QEMU, Xen and Xine.

Xiangkun Jia,Chao Zhang,Purui Su,Yi Yang,Huafeng Huang,Dengguo Feng

2017-01-01

Abstract:Heap overflow is a prevalent memory corruption vulnerability, playing an important role in recent attacks. Finding such vulnerabilities in applications is thus critical for security. Many state-of-art solutions focus on runtime detection, requiring abundant inputs to explore program paths in order to reach a high code coverage and luckily trigger security violations. It is likely that the inputs being tested could exercise vulnerable program paths, but fail to trigger (and thus miss) vulnerabilities in these paths. Moreover, these solutions may also miss heap vulnerabilities due to incomplete vulnerability models.In this paper, we propose a new solution HOTracer to discover potential heap vulnerabilities. We model heap overflows as spatial inconsistencies between heap allocation and heap access operations, and perform an indepth offline analysis on representative program execution traces to identify heap overflows. Combining with several optimizations, it could efficiently find heap overflows that are hard to trigger in binary programs. We implemented a prototype of HOTracer, evaluated it on 17 real world applications, and found 47 previously unknown heap vulnerabilities, showing its effectiveness.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1109/isca.2008.18

2008-01-01

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Ping Chen,Hao Han,Yi Wang,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-11145-7_26

2009-01-01

Abstract:Recently, Integer bugs have been increasing sharply and become the notorious source of bugs for various serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect Integer bugs in a x86 binary program. We implement IntFinder based on a combination of static and dynamic analysis. First, IntFinder decompiles a x86 binary code, and creates the suspect instruction set. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which instructions are actual Integer bugs with the error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces the instructions which will be inspected by static analysis. Experimental results are quite encouraging: IntFinder has detected the integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves a low false positives and negatives.

Haibo Chen,Xi Wu,Liwei Yuan,Binyu Zang,Pen-chung Yew,Frederic T. Chong

DOI: https://doi.org/10.1145/1394608.1382156

2008-01-01

ACM SIGARCH Computer Architecture News

Abstract:Dynamic information flow tracking (also known as taint tracking) is an appealing approach to combat various security attacks. However, the performance of applications can severely degrade without hardware support for tracking taints. This paper observes that information flow tracking can be efficiently emulated using deferred exception tracking in microprocessors supporting speculative execution. Based on this observation, we propose SHIFT, a low-overhead, software-based dynamic information flow tracking system to detect a wide range of attacks. The key idea is to treat tainted state (describing untrusted data) as speculative state (describing deferred exceptions). SHIFT leverages existing architectural support for speculative execution to track tainted state in registers and needs to instrument only load and store instructions to track tainted state in memory using a bitmap, which results in significant performance advantages. Moreover, by decoupling mechanisms for taint tracking from security policies, SHIFT can detect a wide range of exploits, including high-level semantic attacks. We have implemented SHIFT using the Itanium processor, which has support for deferred exceptions, and by modifying GCC to instrument loads and stores. A security assessment shows that SHIFT can detect both low-level memory corruption exploits as well as high-level semantic attacks with no false positives. Performance measurements show that SHIFT incurs about 1% overhead for server applications. The performance slowdown for SPEC-INT2000 is 2.81X and 2.27X for tracking at byte-level and wordlevel respectively. Minor architectural improvements to the Itanium processor (adding three simple instructions) can reduce the performance slowdown down to 2.32X and 1.8X for byte-level and word-level tracking, respectively.

Baojiang Cui,XiaoBing Liang,Jianxin Wang

2010-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recently years. The path explosion problem caused by the complicated conditional branches in the software results in many difficulties in the detection of integer overflow vulnerabilities. A smart software vulnerability detection technology was developed to identify integer overflow vulnerabilities in binary executables. The algorithm uses symbolic execution technology to obtain path constraint conditions in the binary executables and uses a fitness function to guide the generation of inputs to the detection technology. Tests indicate that the smart detection technology based upon symbolic execution and an integer-valued genetic algorithm more quickly identifies integer overflow vulnerabilities in the object program than conventional Fuzzing detection methods.

张实睿,许蕾,徐宝文

DOI: https://doi.org/10.3969/j.issn.1003-7985.2009.02.016

2009-01-01

Abstract:A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow. Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables. After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables. The effectiveness of this method is demonstrated in a case study. Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.

Wenbing XIE,Xiaodong MA,Zhongsheng LI,Xiamu NIU

DOI: https://doi.org/10.3778/j.issn.1002-8331.1407-0160

2016-01-01

Abstract:Due to the lack of boundary checking mechanism, buffer overflow is one of the most serious attacks against C/C++programs. This paper presents a runtime countermeasure for buffer overflow attack. Through duplicating the control flow information with array which declared in the dynamic link libraries, including the return address and the frame pointer of each function, illegal overwriting can be detected dynamically. This method can both detect direct and indirect attack in the buffer overflow attack. Experiments based on the RIPE testbed and two practical tests as well as theoretical analysis show the effectiveness of this method.

Fanping Zeng,Minghui Chen,Kaitao Yin,Xufa Wang

DOI: https://doi.org/10.1109/cit.2009.90

2009-01-01

Abstract:Buffer overflow (BOF) is one of the major vulnerabilities that lead to non-secure software. Testing an implementation for BOF vulnerabilities is challenging as the underlying reasons of buffer overflow vary widely. This paper presents a novel method for BOF test for ANSI C language, which uses program instrumentation and mutation test technology to test the BOF vulnerabilities, on the basis of analyzing the invariants for BOF vulnerabilities. The implementation shows that it can check the attack of BOF vulnerabilities adequately and accurately, in the circumstances of no large losses in performance.

Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Hui HUANG,Yuliang LU,Lintao LIU,Jun ZHAO

DOI: https://doi.org/10.3969/j.issn.0253-2778.2015.07.006

2015-01-01

Journal of University of Science and Technology of China

Abstract:Limited by incomplete call graph analysis and path feasibility analysis ,current static integer overflow defect detection methods generally return results with high false positives . To reduce this inefficiency ,aiming at automatic exploration of the external input triggering integer overflow defects ,a new source code oriented detection method was proposed combining call graph analysis , static taint analysis and static symbolic execution ,in which a field‐sensitive and flow‐sensitive pointer analysis method was proposed for constructing an over‐approximation of the target program’s real call graph ,with a static taint‐sink propagation analysis carried out for calculating the potential external input reachable integer overflow defects , on which flow‐sensitive static symbolic execution is conducted to reduce the false positives introduced by the detection system through justifying the satisfiability of the corresponding defect constraint . Experiments prove the effectiveness of the methodin real‐world integer overflow defect detection and false alarm reduction .

Baojiang Cui,Xiaobing Liang,Jianxin Wang

DOI: https://doi.org/10.1007/978-3-642-25664-6_30

2011-01-01

Abstract:The automatic identification of security vulnerabilities in the binary code is still a young but important research area for the security researchers. In recent years, the number of identified integer overflow vulnerabilities has been increasing rapidly. In this paper, we present a smart software vulnerability detection technology, which is used for the identification of integer overflow vulnerabilities in the binary executables. The proposed algorithm is combined with debugger module, static analysis module and genetic algorithm module. We use the fitness function to guide the generation of the tested data and use static analysis to provide the information that the genetic module needs. Theory analyses and experiment results indicate that the detection technology based upon genetic algorithm can identify the exceptions in the object program and is more efficient than the common Fuzzing technology.

Ping CHEN,Hao HAN,Xiao-bing SHEN,Xin-chun YIN,Bing MAO,Li XIE

2010-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:In recent years, Integer bugs have been rising sharply and become a potential threat as it is often hidden behind other bugs. In this paper, we propose a tool which can automatically detect Integer bugs. We implement the tool based on static and dynamic program analysis. In the static phase, the tool decompiles a binary and creates the suspect instruction set. In the dynamic phase, it monitors the instructions in the suspect set and generates the test cases to further detect which instructions are real Integer bugs. Our tool has two advantages. First, it provides more accurate and sufficient type information. Second, static analysis reduces the instructions which are monitored at runtime. Experimental results shows that our tool can efficiently detect the Integer bugs in several real-world programs. In addition, our tool has no false negatives and low false positives.