Zhang Xing,Zhang Bin,Feng Chao,Zhang Quan

DOI: https://doi.org/10.1051/itmconf/20160703003

2016-01-01

ITM Web of Conferences

Abstract:Nowadays binary static analysis uses dangerous system library function to detect stack overflow vulnerary in program and there is no effective way to dig out the function which can cause stack overflow issue. List necessarily characteristics of the function which may cause stack overflow vulnerary and define stack overflow dangerous function(SODF). Then introduce static taint analysis to detect SODF include taint introduction, taint propagation and taint checking stragety. Next describe the particular process of detecting SODF in the program with static taint analysis. Finally choose 4 runtime library and 2 binary software, and detect whether the chosen software has SODF and locate the name of SODF with static taint analysis. Testing result shows that the algorithm can detect and locate plenty of SODF in test program which means the algorithm can work efficiently.

Yong Wang,Hailin Yan,Zhenyan Liu,Jingfeng Xue,Changzhen Hu,Ming Li

DOI: https://doi.org/10.1109/3pgcic.2015.102

2015-01-01

Abstract:Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

Gang Chen,Hai Jin,Deqing Zou,Bing Bing Zhou,Zhenkai Liang,Weide Zheng,Xuanhua Shi

DOI: https://doi.org/10.1109/TDSC.2013.25

2013-01-01

Abstract:AbstractBuffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.

LIU Jia-xiang,JIANG Jian-hui,CHEN Lin-bo

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.017

2012-01-01

Abstract:In the paper,the basic attack patterns for Intel 80X86 are classified in the viewpoint of assemble language programs.The weak-ness of the existing dynamic buffer-overflow prevention mechanisms is discussed.A new dynamic stack buffer-overflow prevention mechanism based on return-address translation is proposed.The new mechanism is proved to be able to defend multiple patterns attacks with an acceptable performance tradeoff.We present experimental results of both the penetration resistance and the performance impact of the propsed mechanism.With simple modification,the mechanism is suitable for different security and performance needs.

Cui Baojiang,Liang Xiaobing,Zhao Bing,Zhai Feng,Wang Jianxin

2014-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, a smart software vulnerability detection technology is presented, which is used for the identification of integer overflow vulnerabilities in binary executables. The proposed algorithm is combined with Target filtering and dynamic taint tracing (TFDTT). Dynamic taint tracing is used to reduce the mutation space and target filtering function is used to filter test cases during the process of test case generation. Theory analysis indicates that the efficiency of TFDTT is higher than NonTF-DTT and random Fuzzing technology. And the experiment results indicate that the detection technology based upon TFDTT can identify the possible integer vulnerabilities in binary program, meanwhile, it is more efficiency than other two technologies.

Shenglin Xu,Yongjun Wang

DOI: https://doi.org/10.1155/2022/1251987

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Stack buffer overflow vulnerability is a common software vulnerability that can overwrite function return addresses and hijack program control flow, causing serious system problems. Existing automated exploit generation (AEG) solutions cannot bypass position-independent executable (PIE) exploit mitigation and cannot cope with the situation where the standard output function is not introduced into the program. In this paper, we propose a solution to alleviate the above difficulties: BofAEG, which is based on symbolic execution and dynamic analysis to automatically detect stack buffer overflow vulnerability and generate exploit. We used to capture the flag (CTF) and common vulnerabilities and exposures (CVE) programs for experiments. Results show that BofAEG can not only detect and generate exploits effectively but also implement more exploit techniques and is faster than existing AEG solutions.

Bo Wu,Yufeng Ma,Qian Zhang,Fengchen Qian

DOI: https://doi.org/10.23977/meet.2019.93720

2019-01-01

Abstract:Buffer overflows in C and C++ programs are among the most common and serious classes of software vulnerabilities for two decades. To mitigate and to eradicate this security threat, many detection approaches based on static and dynamic analysis techniques have been proposed. This paper aims to provide an alternative and multipath solution to existing symbolic execution approaches by catching the red-zones in memory, rather than the strict memory object bounds, which are absolute vulnerable to buffer overflows. From the observations of buffer overflow attacks that are commonly overwrite a special position to exploit the vulnerabilities, in this paper, we propose a multipath dynamic buffer overflow detecting approach (symbolic-execution-based), relying on catching the red-zones in the stack and heap memory. We examine every memory store operation both in concrete addresses and symbolic pointers, whose writing size should never overlap or cross a red-zone position. We implement a practical dynamic checking tool called MACBin based on S2E platform. We apply it to test several real world software, the results show that MACBin is useful and effective at detecting buffer overflow vulnerabilities.

Tielei Wang,Tao Wei,Zhiqiang Lin,Wei Zou

2009-01-01

Abstract:The number of identified integer overflow vulnerabilities has been increasing rapidly in recent years. In this paper, we present a system, IntScope, which can automatically detect integer overflow vulnerabilities in x86 binaries before an attacker does, with the goal of finally eliminating the vulnerabilities. IntScope first translates the disassembled code into our own intermediate representation (IR), and then performs a path sensitive data flow analysis on the IR by leveraging symbolic execution and taint analysis to identify the vulnerable point of integer overflow. Compared with other approaches, IntScope does not run the binary directly, and is scalable to large software as it can just symbolically execute the interesting program paths. Experimental results show IntScope is quite encouraging: it has detected more than 20 zero-day integer overflows (e.g., CVE-2008-4201, FrSIRT/ADV-2008-2919) in widely-used software such as QEMU, Xen and Xine.

XIA Chao,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.065

2008-01-01

Abstract:This paper proposes a method to detect buffer-overflow vulnerabilities for executables.Combining dynamic analysis and static analysis, it makes further detection of buffer-overflow vulnerabilities.Static methods mainly deal with the internal semantic relationship of assembly instructions and the properties of a function's stack frame for executables.Dynamic emulation provides a virtual run-time environment,which enables the program to combine its static properties while virtually executed,and then it can get the function's semantic results on buffer manipulation,and determine whether there is a buffer-overflow vulnerability.

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

CHEN Linbo,JIANG Jianhui,ZHANG Danqing

DOI: https://doi.org/10.3969/j.issn.0253-374x.2012.03.021

2012-01-01

Abstract:An analysis is made of the classical buffer overflow prevention methods for Intel 80X86 architecture and C/C++.A new stack buffer overflow prevention method based on dual-stack is proposed due to the shortcomings of classical methods.Besides,an object file reconstructing tool for ELF format files is implemented with the dual-stack structure.Experiment results show that the proposed method and the tool are efficient for buffer overflow attack prevention with low overhead.

Chien-Ming Chen,Shaui-Min Chen,Wei-Chih Ting,Chi-Yi Kao,Hung-Min Sun

DOI: https://doi.org/10.1016/j.csi.2014.08.008

IF: 3.721

2014-01-01

Computer Standards & Interfaces

Abstract:Stack smashing is one of the most popular techniques for hijacking program controls. Various techniques have been proposed, but most techniques need to alter compilers or require hardware support, and only few of them are developed for Windows. In this paper, we design a Secure Return Address Stack to defeat stack smashing attacks on Windows. Our approach does not need source code and hardware support We also extend our approach to instrument a DLL, a multi-thread application, and DLLs used by multi-thread applications. Benchmark GnuWin32 shows that the relative performance overhead of our approach is only between 3.47% and 8.59%. (C) 2014 Elsevier B.V. All rights reserved.

Hao Sun,Xiangyu Zhang,Chao Su,Qingkai Zeng

DOI: https://doi.org/10.1145/2714576.2714605

2015-01-01

Abstract:Integer-Overflow-to-Buffer-Overflow ( IO2BO ) vulnerabilities can be exploited by attackers to cause severe damages to computer systems. In this paper, we present the design and implementation of IntTracker, an efficient dynamic tracking technique for detecting IO2BO vulnerabilities in C/C++ programs. IntTracker utilizes a static taint analysis to select potential overflow sites that are integer operations along critical paths, from sources that are program points reading values from users, to sinks that are memory allocation sites. It then instruments overflow checks at the selected sites. Instead of producing warnings once integer overflows occur, IntTracker replaces the overflown value with a very large and rarely used integer value ( dirty value), and treats such the value as an overflow tag. Tag propagation is performed by the existing program operations without any instrumentation as operations on dirty values often produce dirty values. Propagation can be automatically cut off by sanitization routines as they could prevent dirty values from affecting further program execution. IntTracker monitors whether any dirty value is used at a sink to detect IO2BO vulnerabilities. We evaluate IntTracker on 3444 programs of the NIST's SAMATE reference dataset, the SPEC CINT2000 benchmarks and 34 IO2BO bugs in real world. The experimental results show that IntTracker is effective in detecting harmful IO2BO vulnerabilities while bypassing false positives introduced by sanitization routines. Meanwhile, the runtime overhead is negligible, averaging about 0.69%. In contrast, IntPatch, the state of the art, produces a lot more false positives and has a higher overhead.

ZHANG Lantu,WANG Ying

DOI: https://doi.org/10.3778/j.issn.1002-8331.2012.15.014

2012-01-01

Computer Engineering and Applications Journal

Abstract:The basic attack patterns of stack buffer overflow are introduced based on the principles of stack buffer overflow. A new dynamic stack buffer overflow prevention method based on protection of control-flow related data is proposed due to the weakness of the existing dynamic buffer overflow prevention methods. At the same time, two encryption algorithms are introduced to protect the control-flow related data. The new method is proved to be able to defend multiple patterns of attacks with an acceptable performance tradeoff. At the same time, an object file reconstructing tool for binary is implemented using this new method. Experimental results of both the penetration resistance and the performance impact of the proposed method are presented.

Zhenquan Xu,Gongshen Liu

DOI: https://doi.org/10.1109/compcomm.2018.8780675

2018-01-01

Abstract:An uninitialized use vulnerability occurs when a memory region is accessed before initialized. This kind of vulnerability is common in C and C++ but sometimes it is not easy to detect. In this paper, we propose a byte-level model to detect uninitialized use vulnerabilities in the source code and build STACKEEPER, a flow-sensitive, path-sensitive and byte-sensitive static analyze tool against source code. By scanning the XNU source code we discovered several known or previously unknown uninitialized use vulnerabilities.

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

Jing Qiu,Xiao Hong Su,Pei Jun Ma

DOI: https://doi.org/10.4028/www.scientific.net/amr.989-994.1782

2014-01-01

Advanced Materials Research

Abstract:Instruction traces are essential for dynamic analysis in reverse engineering. Code in instruction traces is often obfuscated to hinder analysts from understanding and analyzing in malware and binaries that protected by packers. Non-returning calls and call-stack tampering are two typical kinds of such obfuscation. We propose a deobfuscation approach to fight against these two kinds of obfuscated code. We first apply static analysis on instruction traces to identify obfuscated code. Then we transform obfuscated code into semantically equivalent instructions to make the code be easy to understand. Evaluations results on some packed binaries indicate that our approach works well in deobfuscate instruction traces with non-returning calls and call-stack tampering in high precision.

Baojiang Cui,Xiaobing Liang,Jianxin Wang

DOI: https://doi.org/10.1007/978-3-642-25664-6_30

2011-01-01

Abstract:The automatic identification of security vulnerabilities in the binary code is still a young but important research area for the security researchers. In recent years, the number of identified integer overflow vulnerabilities has been increasing rapidly. In this paper, we present a smart software vulnerability detection technology, which is used for the identification of integer overflow vulnerabilities in the binary executables. The proposed algorithm is combined with debugger module, static analysis module and genetic algorithm module. We use the fitness function to guide the generation of the tested data and use static analysis to provide the information that the genetic module needs. Theory analyses and experiment results indicate that the detection technology based upon genetic algorithm can identify the exceptions in the object program and is more efficient than the common Fuzzing technology.