Oscar Llorente-Vazquez,Igor Santos-Grueiro,Iker Pastor-Lopez,Pablo Garcia Bringas

DOI: https://doi.org/10.1093/jigpal/jzae008

2024-03-16

Abstract:Abstract Software vulnerabilities are the root cause for a multitude of security problems in computer systems. Owing to their efficiency and tight control over low-level system resources, the C and C++ programming languages are extensively used for a myriad of purposes, from implementing operating system kernels to user-space applications. However, insufficient or improper memory management frequently leads to invalid memory accesses, eventually resulting in memory corruption vulnerabilities. These vulnerabilities are used as a foothold for elaborated attacks that bypass existing defense methods. In this paper, we summarise the main memory safety violation types (i.e. memory errors), and analyse how they are exploited by attackers and the main mitigation methods proposed in the research community. We further systematise the most relevant techniques with regards to memory corruption identification in current programs.

mathematics, applied,logic

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Weixin Liang,Kai Bu,Ke Li,Jinhong Li,Arya Tavakoli

DOI: https://doi.org/10.1145/3274694.3274695

2018-01-01

Abstract:Access patterns over untrusted memory have long been exploited to infer sensitive information like program types or even secret keys. Most existing obfuscation solutions hide real memory accesses among a sufficiently large number of dummy memory accesses. Such solutions lead to a heavy communication overhead and more often apply to the client/server scenario instead of the CPU/memory architecture. Sporadic obfuscation solutions strive for an affordable memory bandwidth cost at the expense of security degradation. For example, they may have to obfuscate accesses over a limited range of memory space to control the overhead.

Sara Baradaran,Mahdi Heidari,Ali Kamali,Maryam Mouzarani

DOI: https://doi.org/10.1007/s10207-023-00691-1

2022-12-23

Abstract:Memory corruption is a serious class of software vulnerabilities, which requires careful attention to be detected and removed from applications before getting exploited and harming the system users. Symbolic execution is a well-known method for analyzing programs and detecting various vulnerabilities, e.g., memory corruption. Although this method is sound and complete in theory, it faces some challenges, such as path explosion, when applied to real-world complex programs. In this paper, we present a method for improving the efficiency of symbolic execution and detecting four classes of memory corruption vulnerabilities in executable codes, i.e., heap-based buffer overflow, stack-based buffer overflow, use-after-free, and double-free. We perform symbolic execution only on test units rather than the whole program to avoid path explosion. In our method, test units are considered parts of the program's code, which might contain vulnerable statements and are statically identified based on the specifications of memory corruption vulnerabilities. Then, each test unit is symbolically executed to calculate path and vulnerability constraints of each statement of the unit, which determine the conditions on unit input data for executing that statement or activating vulnerabilities in it, respectively. Solving these constraints gives us input values for the test unit, which execute the desired statements and reveal vulnerabilities in them. Finally, we use machine learning to approximate the correlation between system and unit input data. Thereby, we generate system inputs that enter the program, reach vulnerable instructions in the desired test unit, and reveal vulnerabilities in them. This method is implemented as a plugin for angr framework and evaluated using a group of benchmark programs. The experiments show its superiority over similar tools in accuracy and performance.

Cryptography and Security,Software Engineering

Wang Lei,Fang Chen,Mao Bing,Xie Li

DOI: https://doi.org/10.1109/DEPEND.2009.33

2009-01-01

Abstract:Memory corruption attacks account for most parts of malicious attacks toward software security. Recently dynamic taint analysis is proposed and is gaining momentum. This proposed technique attempts to defeat attacks by checking the taintedness and integrity of pointers when accessing memory since vulnerabilities are always motivated by tainting pointers. Unfortunately, there exists some class of attacks without tainting pointers, such as array bounds violation attacks using pointers. In this paper, we propose a novel approach to defeat this kind of undetected attacks using taint-based tracking analysis. Our notion is based on the memory access control, that is, first, we will check the taintedness of the pointers when accessing memory like existing taint-based approaches, second, we will check whether or not the memory area is in the legitimate range of a pointer used to access this memory. Our implementation dose not need source code and is based on Valgrind, hence works on commodity software. To demonstrate our idea, we performed a preliminary empirical experiments, the results are quite promising: TMAC can effectively detect a wide range of attacks, and the average runtime overhead is close to Memcheck, a widely memory error detector. © 2009 IEEE.

Lifeng Hu,Fan Zhang,Ziyuan Liang,Ruyi Ding,Xingyu Cai,Zonghui Wang,Wenguang Jin

DOI: https://doi.org/10.1016/j.cose.2022.103003

IF: 5.105

2023-01-01

Computers & Security

Abstract:With the rise of the concept of Trusted Execution Environments (TEEs), such as Intel Software Guard Extensions (SGX), researchers are prompted to constantly verify its effectiveness. Controlled-channel attacks are proposed to construct side channels against the shielding systems by intentionally provoking page faults. So far, various powerful and noise-free controlled-channel attacks have been introduced. However, there are some challenges encountered in the actual practice of these attacks, e.g., extensive manual effort is always required to analyze the target binary and identify conditional control-flow patterns. In this paper, we present FaultMorse, an automated controlled-channel attack. We adopt a global perspective to analyze the page fault sequence and find a specific recurring pattern that corresponds to some specific instructions in the program. Most of the secret bits can be automatically deduced by analyzing the locations of the recurring pattern in the page fault sequence. Compared to previous works, FaultMorse can reduce the complexity of analysis. We propose a method to control page fault counts to improve the attack performance. We implement our FaultMorse attack on a physical machine and evaluate its effectiveness, universality, and page-fault rate. The experimental results show that for some known vulnerable algorithms, FaultMorse can automatically deduce more than 99% of the secret bits. (C) 2022 Elsevier Ltd. All rights reserved.

Vahid Eftekhari Moghadam,Gabriele Serra,Federico Aromolo,Giorgio Buttazzo,Paolo Prinetto

DOI: https://doi.org/10.1109/access.2024.3380478

IF: 3.9

2024-03-30

IEEE Access

Abstract:The complexity of modern software systems, the integration of several software components, and the increasing exposure to public networks make systems more susceptible to cyber-attacks, especially those targeting memory. Memory error exploitation received worldwide attention thanks to the Morris worm in 1988 and has been around for over 30 years. As a matter of fact, attacks that involve memory safety, such as buffer overflows, are still a plague in modern software. The research in countering those kinds of attacks has gone in several directions. This work surveys memory integrity techniques developed during the last quarter century for embedded or general-purpose open-source operating systems, ranging from older mechanisms to state-of-the-art solutions. A comparison of various memory integrity techniques is presented to examine their effectiveness and technical significance. Insights into ongoing trends and developments are also provided to assess their potential impact in the foreseeable future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Runhao Li,Bin Zhang,Chaojing Tang

DOI: https://doi.org/10.1049/ell2.13136

2024-02-27

Electronics Letters

Abstract:The study proposes a novel method for identifying potential exploitable memory objects. It focuses on corrupted data propagation processes and designs a corrupted data‐oriented fuzzing method. Exploiting an out‐of‐bounds write vulnerability in general‐purpose applications has become a current research focus. Given the large scale of code in programs, selecting appropriate memory objects for exploitation is challenging. This letter proposes a corrupted data propagation‐guided fuzzing method. By tracking the propagation process of corrupted data among memory objects, a multi‐level fuzzing schedule is proposed to search the execution paths. Experimental results show that this proposed method, EMOFuzz, can effectively identify exploitable objects under various overflow lengths, significantly enhancing the efficiency of exploitability analysis.

engineering, electrical & electronic

Robert Schilling,Mario Werner,Pascal Nasahl,Stefan Mangard

DOI: https://doi.org/10.1145/3274694.3274728

2018-09-24

Abstract:Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, assuming that the hardware performs its memory operations as instructed is not valid anymore. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have various critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multi-residue error detection code. The redundancy information is stored in the unused upper bits of the pointer with zero overhead in terms of storage. Second, load and store instructions are extended to link data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure into a RISC-V processor, tested it on a FPGA development board, and evaluated the induced overhead. Furthermore, a LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10% in terms of code size and 7% regarding runtime, which makes it suitable for practical adoption.

Cryptography and Security

Yan Cai,Biyun Zhu,Ruijie Meng,Hao Yun,Liang He,Purui Su,Bin Liang

DOI: https://doi.org/10.1145/3338906.3338927

2019-01-01

Abstract:Memory corruption vulnerabilities can occur in multithreaded executions, known as concurrency vulnerabilities in this paper. Due to non-deterministic multithreaded executions, they are extremely difficult to detect. Recently, researchers tried to apply data race detectors to detect concurrency vulnerabilities. Unfortunately, these detectors are ineffective on detecting concurrency vulnerabilities. For example, most (90%) of data races are benign. However, concurrency vulnerabilities are harmful and can usually be exploited to launch attacks. Techniques based on maximal causal model rely on constraints solvers to predict scheduling; they can miss concurrency vulnerabilities in practice. Our insight is, a concurrency vulnerability is more related to the orders of events that can be reversed in different executions, no matter whether the corresponding accesses can form data races. We then define exchangeable events to identify pairs of events such that their execution orders can be probably reversed in different executions. We further propose algorithms to detect three major kinds of concurrency vulnerabilities. To overcome potential imprecision of exchangeable events, we also adopt a validation to isolate real vulnerabilities. We implemented our algorithms as a tool ConVul and applied it on 10 known concurrency vulnerabilities and the MySQL database server. Compared with three widely-used race detectors and one detector based on maximal causal model, ConVul was significantly more effective by detecting 9 of 10 known vulnerabilities and 6 zero-day vulnerabilities on MySQL (four have been confirmed). However, other detectors only detected at most 3 out of the 16 known and zero-day vulnerabilities.

Yunlong Lyu,Yi Fang,Yiwei Zhang,Qibin Sun,Siqi Ma,Elisa Bertino,Kangjie Lu,Juanru Li

DOI: https://doi.org/10.1109/sp46214.2022.9833613

2022-01-01

Abstract:Existing tools for the automated detection of memory corruption bugs are not very effective in practice. They typically recognize only standard memory management (MM) APIs (e.g., malloc and free) and assume a naive paired-use model—an allocator is followed by a specific deallocator. However, we observe that programmers very often design their own MM functions and that these functions often manifest two major characteristics: (1) Custom allocator functions perform multi-object or nested allocation which then requires structure-aware deallocation functions. (2) Custom allocators and deallocators follow an unpaired-use model. A more effective detection thus needs to adapt those characteristics and capture memory bugs related to non-standard MM behaviors. In this paper, we present a MM function aware memory bug detection technique by introducing the concept of structure-aware and object-centric Memory Operation Synopsis (MOS). A MOS abstractly describes the memory objects of a given MM function, how they are managed by the function, and their structural relations. By utilizing MOS, a bug detection could explore much less code but is still capable of handling multi-object or nested allocations and does not rely on the paired-use model. In addition, to extensively find MM functions and automatically generate MOS for them, we propose a new identification approach that combines natural language processing (NLP) and data flow analysis, which enables the efficient and comprehensive identification of MM functions, even in very large code bases. We implement a MOS-enhanced memory bug detection system, Goshawk, to discover memory bugs caused by complex and custom MM behaviors. We applied Goshawk to well-tested and widely-used open source projects including OS kernels, server applications, and IoT SDKs. Goshawk outperforms the state-of-the-art data flow analysis driven bug detection tools by an order of magnitude in analysis speed and the number of accurately identified MM functions, reports the discovered bugs with a developer-friendly, MOS based description, and successfully detects 92 new double-free and use-after-free bugs.

Dorel Yaffe,Danny Hendler

DOI: https://doi.org/10.1007/978-3-030-78086-9_29

2021-03-30

Abstract:In recent years malware has become increasingly sophisticated and difficult to detect prior to exploitation. While there are plenty of approaches to malware detection, they all have shortcomings when it comes to identifying malware correctly prior to exploitation. The trade-off is usually between false positives, causing overhead, preventing normal usage and the risk of letting the malware execute and cause damage to the target. We present a novel end-to-end solution for in-memory malicious activity detection done prior to exploitation by leveraging machine learning capabilities based on data from unique run-time logs, which are carefully curated in order to detect malicious activity in the memory of protected processes. This solution achieves reduced overhead and false positives as well as deployment simplicity. We implemented our solution for Windows-based systems, employing multi disciplinary knowledge from malware research, machine learning, and operating system internals. Our experimental evaluation yielded promising results. As we expect future sophisticated malware may try to bypass it, we also discuss how our solution can be extended to thwart such bypassing attempts.

Cryptography and Security,Machine Learning

Dongliang Mu,Wenbo Guo,Alejandro Cuevas,Yueqi Chen,Jinxuan Gai,Xinyu Xing,Bing Mao,Chengyu Song

DOI: https://doi.org/10.1109/ase.2019.00090

2019-01-01

Abstract:Reverse execution and coredump analysis have long been used to diagnose the root cause of software crashes. Each of these techniques, however, face inherent challenges, such as insufficient capability when handling memory aliases. Recent works have used hypothesis testing to address this drawback, albeit with high computational complexity, making them impractical for real world applications. To address this issue, we propose a new deep neural architecture, which could significantly improve memory alias resolution. At the high level, our approach employs a recurrent neural network (RNN) to learn the binary code pattern pertaining to memory accesses. It then infers the memory region accessed by memory references. Since memory references to different regions naturally indicate a non-alias relationship, our neural architecture can greatly reduce the burden of doing hypothesis testing to track down non-alias relation in binary code. Different from previous researches that have utilized deep learning for other binary analysis tasks, the neural network proposed in this work is fundamentally novel. Instead of simply using off-the-shelf neural networks, we designed a new recurrent neural architecture that could capture the data dependency between machine code segments. To demonstrate the utility of our deep neural architecture, we implement it as RENN, a neural network-assisted reverse execution system. We utilize this tool to analyze software crashes corresponding to 40 memory corruption vulnerabilities from the real world. Our experiments show that RENN can significantly improve the efficiency of locating the root cause for the crashes. Compared to a state-of-the-art technique, RENN has 36.25% faster execution time on average, detects an average of 21.35% more non-alias pairs, and successfully identified the root cause of 12.5% more cases.

Alon Hillel-Tuch,Aspen Olmstead

DOI: https://doi.org/10.48550/arXiv.2403.08656

2024-03-14

Abstract:Programming errors, defective hardware components (such as hard disk spindle defects), and environmental hazards can lead to invalid memory operations. In addition, less predictable forms of environmental stress, such as radiation, thermal influence, and energy fluctuations, can induce hardware faults. Sometimes, a soft error can occur instead of a complete failure, such as a bit-flip. The 'natural' factors that can cause bit-flips are replicable through targeted attacks that result in significant compromises, including full privileged system access. Existing physical defense solutions have consistently been circumvented shortly after deployment. We will explore the concept of a novel software-based low-level layer that can protect vulnerable memory targeted by physical attack vectors related to bit-flip vulnerabilities.

Cryptography and Security,Operating Systems

Dongwei Chen,Daliang Xu,Dong Tong,kang dae sun,Xuetao Guan,Chun Yang,Xu Cheng

2020-01-01

Abstract:Memory spatial errors, i.e., buffer overflow vulnerabilities, have been a well-known issue in computer security for a long time and remain one of the root causes of exploitable vulnerabilities. Most of the existing mitigation tools adopt a fail-stop strategy to protect programs from intrusions, which means the victim program will be terminated upon detecting a memory safety violation. Unfortunately, the fail-stop strategy harms the availability of software. In this paper, we propose Saturation Memory Access (SMA), a memory spatial error mitigation mechanism that prevents out-of-bounds access without terminating a program. SMA is based on a key observation that developers generally do not rely on out-of-bounds accesses to implement program logic. SMA modifies dynamic memory allocators and adds paddings to objects to form an enlarged object boundary. By dynamically correcting all the out-of-bounds accesses to operate on the enlarged protecting boundaries, SMA can tolerate out-of-bounds accesses. For the sake of compatibility, we chose tagged pointers to record the boundary metadata of a memory object in the pointer itself, and correct the address upon detecting out-of-bounds access. We have implemented the prototype of SMA on LLVM 10.0. Our results show that our compiler enables the programs to execute successfully through buffer overflow attacks. Experiments on MiBench show that our prototype incurs an overhead of 78\%. Further optimizations would require ISA supports.

蒋剑琴,黄达明,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.03.013

2009-01-01

Abstract:To dectect memory access errors by combining the efficiency of program analysis technologies and the powerful mathematical foundation of program validation technologies,Cmad,a static C memory errors Detector based on semantics abstraction was proposed.By sound approximation to concrete states,accurate verification of the related constraint variable operation and information collection during the traversal of CFG,Cmad detected inter-procedural memory bound overflow errors without any annotation.Prototype implementation proves the validity.

Jian Wang,Ying Li

DOI: https://doi.org/10.3390/info12040169

2021-01-01

Information

Abstract:Ensuring the security of IoT devices and chips at runtime has become an urgent task as they have been widely used in human life. Embedded memories are vital components of SoC (System on Chip) in these devices. If they are attacked or incur faults at runtime, it will bring huge losses. In this paper, we propose a run-time detection architecture for memory security (RDAMS) to detect memory threats (fault and Hardware Trojans attack). The architecture consists of a Security Detection Core (SDC) that controls and enforces the detection procedure as a “security brain”, and a memory wrapper (MEM_wrapper) which interacts with memory to assist the detection. We also design a low latency response mechanism to solve the SoC performance degradation caused by run-time detection. A block-based multi-granularity detection approach is proposed to render the design flexible and reduce the cost in implementation using the FPGA’s dynamic partial reconfigurable (DPR) technology, which enables online detection mode reconfiguration according to the requirements. Experimental results show that RDAMS can correctly detect and identify 10 modeled memory faults and two types of Hardware Trojans (HTs) attacks without leading a great performance degradation to the system.

Xingman Chen,Yinghao Shi,Zheyu Jiang,Yuan Li,Ruoyu Wang,Haixin Duan,Haoyu Wang,Chao Zhang

2023-01-01

Abstract:Fuzzing has been widely adopted for finding vulnerabilities in programs, especially when source code is not available. But the effectiveness and efficiency of binary fuzzing are curtailed by the lack of memory (safety) sanitizers. This lack of binary sanitizers is due to the information loss in compiling programs and challenges in binary instrumentation. In this paper, we present a feasible and practical hardware-assisted memory sanitizer, MTSan, for binary fuzzing. MTSan can detect both spatial and temporal memory safety violations at runtime. It adopts a novel progressive object recovery scheme to recover objects in binaries, and uses a customized binary rewriting solution to instrument binaries with the memory-tagging-based memory safety sanitizing policy. Further, MTSan uses a hardware feature, ARM Memory Tagging Extension (MTE) to significantly reduce its runtime overhead. We implemented a prototype of MTSan on AArch64 and systematically evaluated its effectiveness and performance. Our evaluation results show that MTSan could detect more memory safety violations than existing binary sanitizers whiling introducing much lower runtime and memory overhead.

Ling Yuan,Siyuan Zhou,Peng Pan,Zhenjiang Wang

DOI: https://doi.org/10.3390/e24070947

2022-07-07

Abstract:With the expansion of the scale and complexity of multimedia software, the detection of software defects has become a research hotspot. Because of the large scale of the existing software code, the efficiency and accuracy of the existing software defect detection algorithms are relatively low. We propose an intelligent memory leak detection scheme MLD based on defect modes in software. Based on the analysis of existing memory leak defect modes, we summarize memory operation behaviors (allocation, release and transfer) and present a state machine model. We employ a fuzzy matching algorithm based on regular expression to determine the memory operation behaviors and then analyze the change in the state machine to assess the vulnerability in the source code. To improve the efficiency of detection and solve the problem of repeated detection at the function call point, we propose a function summary method for memory operation behaviors. The experimental results demonstrate that the method we proposed has high detection speed and accuracy. The algorithm we proposed can identify the defects of the software, reduce the risk of being attacked to ensure safe operation.

Jiaxi Liu,Yun Feng,Xinyu Liu,Jianjun Zhao,Qixu Liu

DOI: https://doi.org/10.1186/s42400-023-00157-w

2023-08-04

Abstract:Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware, with excellent evasion capability, and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. Then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34 . Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.