Lei Zhao,Run Wang,Lina Wang,Yueqiang Cheng

DOI: https://doi.org/10.1109/compsac.2015.32

2015-01-01

Abstract:Exploits diagnosis requires great manual effort and desires to be automated as much as possible. In this paper, we investigate how the syntactic format of program inputs, as well as reverse engineering of data structures, could be used to identify overwritten data structures, and propose a binary-level exploit diagnosis approach, deExploit, that is generic to attack types and effective in identifying key attack steps. In details, we design to use a fine-grained dynamic tainting technique to model how the exploit is dynamically processed during program execution, dynamically reverse corresponding data structures of program input and then identify overwritten data structures by detecting the deviation between dynamic processing of exploit and that of benign input. We implement deExploit and perform it to diagnose multiple exploits in the wild. The results show that deExploit works well to diagnose memory corruption exploits.

Run Wang,Pei Liu,Lei Zhao,Yueqiang Cheng,Lina Wang

DOI: https://doi.org/10.1016/j.jss.2016.11.026

IF: 3.5

2017-01-01

Journal of Systems and Software

Abstract:Abstract Memory-corruption exploits are one of the major threats to the Internet security. Once an exploit has been detected, exploit diagnosis techniques can be used to identify the unknown vulnerability and attack vector. In the security landscape, exploit diagnosis is always performed by third-party security experts who cannot access the source code. This makes binary-level exploit diagnosis a time-consuming and error-prone process. Despite considerable efforts to defend against exploits, automatic exploit diagnosis remains a significant challenge. In this paper, we propose a novel insight for detecting memory corruption at the binary level by identifying the misuses of input data and present an exploit diagnosis approach called deExploit . Our approach requires no knowledge of the source code or debugging information. For exploit diagnosis, deExploit is generic in terms of the detection of both control-flow-hijack and data-oriented exploits. In addition, deExploit automatically provides precise information regarding the corruption point, the memory operation that causes the corruption, and the key attack steps used to bypass existing defense mechanisms. We implement deExploit and perform it to diagnose multiple realistic exploits. The results show that deExploit is able to diagnose memory-corruption exploits.

Lei Zhao,Debin Gao,Lina Wang

DOI: https://doi.org/10.1007/978-3-642-33383-5_10

2012-01-01

Abstract:Inputs to many application and server programs contain rich and consistent structural information. The propagation of such input in program execution could serve as accurate and reliable signatures for detecting memory corruptions. In this paper, we propose a novel approach to detect memory corruptions at the binary level. The basic insight is that different parts of an input are usually processed in different ways, e.g., by different instructions. Identifying individual parts in an input and learning the pattern in which they are processed is an attractive approach to detect memory corruptions. We propose a fine-grained dynamic taint analysis system to detect different fields in an input and monitor the propagation of these fields, and show that deviations from the execution pattern learned signal a memory corruption. We implement a prototype of our system and demonstrate its success in detecting a number of memory corruption attacks in the wild. In addition, we evaluate the overhead of our system and discuss its advantages over existing approaches and limitations.

Zhi Liu,Xiaosong Zhang,Yue Wu,Ting Chen

DOI: https://doi.org/10.1108/03321641311296873

2013-01-01

Abstract:PurposeThe purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion error. Real‐world attacks were evaluated for experimentation.Design/methodology/approachCurrent dynamic analysis detects attacks by enforcing low level policy which can only detect control‐flow hijacking attack. The proposed approach detects IMCE with high level policy enforcement using dynamic taint analysis. Unlike low‐level policy enforced on instruction level, the authors' policy is imposed on memory operation routine. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.FindingsConversion errors are common and most of them are legitimate. Taint analysis with high‐level policy can accurately block IMCE but have false positives. Proper design of data structures to maintain taint tag can greatly improve overhead.Originality/valueThis paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.

房陈,茅兵,谢立

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.07.047

2010-01-01

Abstract:This paper proposes an efficient mechanism to detect and locate the program vulnerability based on the binary taint analysis and program analysis techniques.The method adopts the data flow analysis and taint analysis.The taint analysis method records the instruction which propagates the taint flag as well as the memory address it writes to.When it detects the attack,it locates the bug by searching the malicious write instruction through the memory address it records.Results of experiments show that the system can localize popular vulnerabilities successfully,and it is able to localize library function call point.

Lei Zhao,Keyang Jiang,Yuncong Zhu,Lina Wang,Jiang Ming

DOI: https://doi.org/10.1109/tdsc.2022.3145022

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Memory corruption diagnosis, especially at the binary level where all high-level program abstractions are missing, is a tedious and time-consuming task. Given a crash, memory corruption diagnosis is expected to not only locate the root cause of the vulnerability, but also deliver rich semantics to understand the vulnerability. However, existing techniques can barely satisfy the above requirements. In this article, we present ${{\sf MemRay}}$ , a dynamic memory corruption diagnosis technique. The insight behind our approach is that most memory corruption is caused by malformed inputs, which further leads the vulnerable program to manipulate inputs by referencing invalid data structures. We design the “data structure reference sequence” to characterize how a program references various data structures to manipulate program inputs. Then, we identify memory corruptions by detecting violations in the input manipulations via data structures. We demonstrate the effectiveness of ${{\sf MemRay}}$ on a wide range of memory-corruption vulnerabilities. The result shows that ${{\sf MemRay}}$ precisely locates the root cause of vulnerabilities. Moreover, the “data structure reference” enables ${{\sf MemRay}}$ to deliver rich semantics and context information to assist vulnerability diagnosis on binary code.

Tian Zhihong,Sun Qi,Lu Hui,Huang Dongqiu,Yang Jiageng,Jin Chengjie,He-Lu Xiaohan,Zhang Xinguo,Sun Yanbin,Su Shen

2020-01-01

Abstract:The invention discloses a memory analysis method and device based on dynamic taint analysis, terminal equipment and a readable storage medium. The method comprises the steps: enabling a preset input function to be designated as a pollution source, marking the data read by the input function as pollution, and recording a polluted address through a set object; carrying out instrumentation on all thememory operation instructions so as to carry out memory operation check, and carrying out marking processing on a target operAccording to the pollution condition of the source operand; and performinginstrumentation on the ret instruction to check the stack top memory, and performing stack overflow detection according to the pollution condition of the current stack top memory. According to the method, the program can be analyzed under the condition of the passive code, and the memory overflow problem is detected, so that the key information required for generating vulnerability utilization isextracted.

Runhao Li,Bin Zhang,Chaojing Tang

DOI: https://doi.org/10.1049/ell2.13136

2024-02-27

Electronics Letters

Abstract:The study proposes a novel method for identifying potential exploitable memory objects. It focuses on corrupted data propagation processes and designs a corrupted data‐oriented fuzzing method. Exploiting an out‐of‐bounds write vulnerability in general‐purpose applications has become a current research focus. Given the large scale of code in programs, selecting appropriate memory objects for exploitation is challenging. This letter proposes a corrupted data propagation‐guided fuzzing method. By tracking the propagation process of corrupted data among memory objects, a multi‐level fuzzing schedule is proposed to search the execution paths. Experimental results show that this proposed method, EMOFuzz, can effectively identify exploitable objects under various overflow lengths, significantly enhancing the efficiency of exploitability analysis.

engineering, electrical & electronic

So Shizukuishi,Yoshitaka Arahori,Katsuhiko Gondow

DOI: https://doi.org/10.48550/arXiv.2302.07717

2023-02-15

Abstract:Although numerous defenses against memory vulnerability exploits have been studied so far, highly-compatible, precise, and efficient defense is still an open problem. In fact, existing defense methods have at least one of the following problems: they (1) cannot precisely protect structure fields, (2) incur high protection overheads, and/or (3) cannot maintain compatibility with existing code due to imposing memory layout change on the protected program. In this paper, we propose a novel memory-protection method FIX-Sense that aims to solve all of these problems simultaneously. Our key idea is to perform memory protection based on field-sensitive data-flow integrity. Specifically, our method (1) computes a safe write-read relation for each memory object, at the structure-field granularity, based on field-sensitive value-flow analysis at the compile-time of the protected program. (2) At run-time, lightweight verification is performed to determine whether each memory read executed by the protected program belong to the safe write-read relation calculated for the memory object at compile time. (3) This verification is implemented by lightweight metadata management that tracks memory writes at the structure field granularity without changing the memory layout of the target program (especially the structure field layout).

Cryptography and Security,Software Engineering

Haijun Wang,Xiaofei Xie,Shang-Wei Lin,Yun Lin,Yuekang Li,Shengchao Qin,Yang Liu,Ting Liu

DOI: https://doi.org/10.1145/3338906.3338966

2019-01-01

Abstract:Locating vulnerabilities is an important task for security auditing, exploit writing, and code hardening. However, it is challenging to locate vulnerabilities in binary code, because most program semantics (e.g., boundaries of an array) is missing after compilation. Without program semantics, it is difficult to determine whether a memory access exceeds its valid boundaries in binary code. In this work, we propose an approach to locate vulnerabilities based on memory layout recovery. First, we collect a set of passed executions and one failed execution. Then, for passed and failed executions, we restore their program semantics by recovering fine-grained memory layouts based on the memory addressing model. With the memory layouts recovered in passed executions as reference, we can locate vulnerabilities in failed execution by memory layout identification and comparison. Our experiments show that the proposed approach is effective to locate vulnerabilities on 24 out of 25 DARPA’s CGC programs (96%), and can effectively classifies 453 program crashes (in 5 Linux programs) into 19 groups based on their root causes.

Wang Lei,Fang Chen,Mao Bing,Xie Li

DOI: https://doi.org/10.1109/DEPEND.2009.33

2009-01-01

Abstract:Memory corruption attacks account for most parts of malicious attacks toward software security. Recently dynamic taint analysis is proposed and is gaining momentum. This proposed technique attempts to defeat attacks by checking the taintedness and integrity of pointers when accessing memory since vulnerabilities are always motivated by tainting pointers. Unfortunately, there exists some class of attacks without tainting pointers, such as array bounds violation attacks using pointers. In this paper, we propose a novel approach to defeat this kind of undetected attacks using taint-based tracking analysis. Our notion is based on the memory access control, that is, first, we will check the taintedness of the pointers when accessing memory like existing taint-based approaches, second, we will check whether or not the memory area is in the legitimate range of a pointer used to access this memory. Our implementation dose not need source code and is based on Valgrind, hence works on commodity software. To demonstrate our idea, we performed a preliminary empirical experiments, the results are quite promising: TMAC can effectively detect a wide range of attacks, and the average runtime overhead is close to Memcheck, a widely memory error detector. © 2009 IEEE.

Sara Baradaran,Mahdi Heidari,Ali Kamali,Maryam Mouzarani

DOI: https://doi.org/10.1007/s10207-023-00691-1

2022-12-23

Abstract:Memory corruption is a serious class of software vulnerabilities, which requires careful attention to be detected and removed from applications before getting exploited and harming the system users. Symbolic execution is a well-known method for analyzing programs and detecting various vulnerabilities, e.g., memory corruption. Although this method is sound and complete in theory, it faces some challenges, such as path explosion, when applied to real-world complex programs. In this paper, we present a method for improving the efficiency of symbolic execution and detecting four classes of memory corruption vulnerabilities in executable codes, i.e., heap-based buffer overflow, stack-based buffer overflow, use-after-free, and double-free. We perform symbolic execution only on test units rather than the whole program to avoid path explosion. In our method, test units are considered parts of the program's code, which might contain vulnerable statements and are statically identified based on the specifications of memory corruption vulnerabilities. Then, each test unit is symbolically executed to calculate path and vulnerability constraints of each statement of the unit, which determine the conditions on unit input data for executing that statement or activating vulnerabilities in it, respectively. Solving these constraints gives us input values for the test unit, which execute the desired statements and reveal vulnerabilities in them. Finally, we use machine learning to approximate the correlation between system and unit input data. Thereby, we generate system inputs that enter the program, reach vulnerable instructions in the desired test unit, and reveal vulnerabilities in them. This method is implemented as a plugin for angr framework and evaluated using a group of benchmark programs. The experiments show its superiority over similar tools in accuracy and performance.

Cryptography and Security,Software Engineering

Vahid Eftekhari Moghadam,Gabriele Serra,Federico Aromolo,Giorgio Buttazzo,Paolo Prinetto

DOI: https://doi.org/10.1109/access.2024.3380478

IF: 3.9

2024-03-30

IEEE Access

Abstract:The complexity of modern software systems, the integration of several software components, and the increasing exposure to public networks make systems more susceptible to cyber-attacks, especially those targeting memory. Memory error exploitation received worldwide attention thanks to the Morris worm in 1988 and has been around for over 30 years. As a matter of fact, attacks that involve memory safety, such as buffer overflows, are still a plague in modern software. The research in countering those kinds of attacks has gone in several directions. This work surveys memory integrity techniques developed during the last quarter century for embedded or general-purpose open-source operating systems, ranging from older mechanisms to state-of-the-art solutions. A comparison of various memory integrity techniques is presented to examine their effectiveness and technical significance. Insights into ongoing trends and developments are also provided to assess their potential impact in the foreseeable future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Binfa Gui,Wei Song,Hailong Xiong,Jeff Huang

DOI: https://doi.org/10.1109/tse.2021.3121994

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:C/C++ programs frequently encounter memory errors, such as Use-After-Free (UAF), buffer overflow, and integer overflow. Among these memory errors, UAF vulnerabilities are increasingly being exploited by attackers to disrupt critical software systems, leading to serious consequences, such as remote code execution and data breaches. Researchers have proposed dozens of approaches to detect UAFs in testing environments and to mitigate UAF exploit in production environments. However, to the best of our knowledge, no comprehensive studies have evaluated and compared these approaches. In this paper, we shed light on the current UAF detection and exploit mitigation approaches and provide a systematic overview, comprehensive comparison, and evaluation. Specifically, we evaluate the effectiveness and efficiency of publicly available UAF detection and exploit mitigation tools. The experimental results show that static UAF detectors are suitable for detecting intra-procedural UAFs but are not sufficient to detect inter-procedural UAFs in real-world programs. Dynamic UAF detectors are still the first choice for detecting inter-procedural UAFs. Our evaluation also demonstrates that the runtime overhead of existing UAF exploit mitigation tools is relatively stable whereas the memory overhead may vary dramatically with respect to different programs. Finally, we envision potential valuable future research directions.

GAO Hai-chang,FENG Bo-qin,HE Hang-jun,ZHU Li

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.011

2006-01-01

Abstract:Usage of pointer in C/C++ language makes program source code flexible and convenient,but the memory usage errors(memory leak,write overflow,wild pointer and so on.) occur in the process is very difficult to analyze and eliminate.Aimed at errors of dynamic memory management,a dynamic memory detection method based on source file extraction and source code instrumentation on Linux Platform was developed,and a dynamic memory detection module was designed.The module can detect memory leak,write overflow,free wild pointer and mismatch using of memory functions to source code.Finally,an instance to test write overflow was carried to validate the effectiveness of our method and module.

Oscar Llorente-Vazquez,Igor Santos-Grueiro,Iker Pastor-Lopez,Pablo Garcia Bringas

DOI: https://doi.org/10.1093/jigpal/jzae008

2024-03-16

Abstract:Abstract Software vulnerabilities are the root cause for a multitude of security problems in computer systems. Owing to their efficiency and tight control over low-level system resources, the C and C++ programming languages are extensively used for a myriad of purposes, from implementing operating system kernels to user-space applications. However, insufficient or improper memory management frequently leads to invalid memory accesses, eventually resulting in memory corruption vulnerabilities. These vulnerabilities are used as a foothold for elaborated attacks that bypass existing defense methods. In this paper, we summarise the main memory safety violation types (i.e. memory errors), and analyse how they are exploited by attackers and the main mitigation methods proposed in the research community. We further systematise the most relevant techniques with regards to memory corruption identification in current programs.

mathematics, applied,logic

Tingting Lu,Junfeng Wang

DOI: https://doi.org/10.1016/j.cose.2019.04.002

IF: 5.105

2019-01-01

Computers & Security

Abstract:Most software attacks subvert the intended data-flow of a program via exploiting the memory corruption vulnerabilities. Data-Flow Integrity (DFI) is a generic defense against such attacks. Its security guarantee mainly depends on the accuracy of the static Data-Flow Graph (DFG) generated from Data-Flow Analysis (DFA), but the static DFG is conservatively over-approximated due to the imprecision of DFA. Hence a natural question is: what is the real protective power of DFI and how to measure it? In this work, we first evaluate the effectiveness of DFI based on the constructed memory corruption offense-defense model and the proposed attack Data-Flow Bending (DFB). We show how DFB corrupts memory data while adhering to DFI through a proof-of-concept exploit. Furthermore, we verify the possibility of the state-of-the-art data-oriented attacks using practical cases in the presence of DFI. Our work indicates that DFI may be ineffective against the exploitation of memory corruption vulnerabilities in certain circumstances, and that DFB can circumvent DFI to carry out memory corruption attacks.

Yao Nianmin,Ma Haifeng,Cai Shaobin,Han Qilong

DOI: https://doi.org/10.1109/dcabes.2012.101

2012-01-01

Abstract:Today, attackers are capable of using software or hardware methods to intrude computer network system. The phenomena of confidential information being tampered with or disclosed are emerging everywhere. Hardware-based attacks have emerged and caused tremendous losses. Focus on this question, this paper proposed new architectural mechanisms to ensure data integrity which improved previous work in this area without compromising security. The new integrity mechanism offers significant higher performance, space advantages and adjustable level of security over existing ones. This paper evaluated the overhead of the scheme and compared it with the conventional integrity checking scheme CHTree. For most benchmarks, the overhead of the new method is much better.

HAN Xinhui,WEI Shuang,YE Jiayi,ZHANG Chao,YE Zhiyuan

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.25.040

2017-01-01

Abstract:Use after-ftee (UaF) vulnerabilities are one of the most common and risky memory corruption vulnerabilities.However,UaF vulnerabilities are difficult to detect.A UaF vulnerability is triggered if and only if three operations occur on the same memory region,in an order of allocating memory,freeing memory,and using the freed memory.These three operations may be conducted anywhere in the program in any order,so the analysis must track a long execution sequence and search for potential vulnerable event sequences to detect UaF vulnerabilities.This study analyzes the root causes of UaF vulnerabilities,ways to exploit them,the severity of the threat and the challenges in detecting them.A solution is then given based on a static analysis and dynamic symbolic execution to detect UaF vulnerabilities in binaries.Tests show that this solution can detect known vulnerabilities in a benchmark.Thus,this detection system can be used to identify and fix bugs to improve application security.

Cheng JI,Xiang-Lan CHEN,Xi LI

DOI: https://doi.org/10.3969/j.issn.1003-3254.2014.12.025

2014-01-01

Abstract:This paper studies the memory access characteristics of Linux kernel module, and then suggests a static approach to detect memory access errors when running the code inside kernel module. Through simulation of instructions inside kernel module and comparison between access request and record of memory region, our suggested method is able to find a variety of memory access errors, such as overflow, accessing arbitrary address, invalid pointer, which are the most common threats. At last, based on ARM Processor platform, we give an implementation of our method for detecting errors induced by kernel module, and the experiment result shows it can efficiently work as we expect.