ELAID: detecting integer-Overflow-to-Buffer-Overflow vulnerabilities by light-weight and accurate static analysis

Cybersecurity - Volume 3 - Pages 1-19 - 2020
Lili Xu1, Mingjie Xu1,2, Feng Li1, Wei Huo1
1Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
2School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

Abstract

The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability has been widely exploited by attackers to cause severe damage to computer systems, so automatically identifying this kind of vulnerability is critical for software security. Although much work has been done to mitigate integer overflow, existing tools either report a large number of false positives or incur unacceptable analysis time. To address this problem, this article presents a static analysis framework. It first constructs an inter-procedural call graph and uses taint analysis to identify potential IO2BO vulnerabilities, that is, paths on which an untrusted integer flows into an arithmetic operation whose result determines the size of a buffer allocation or access. It then applies a light-weight method to filter out false positives: for each candidate it generates constraints describing the conditions under which the integer overflow can actually be triggered on that path, and feeds them to an SMT solver to decide their satisfiability. We have implemented a prototype system, ELAID, on top of LLVM and evaluated it on 228 programs from NIST's SAMATE Juliet test suite and on 14 known real-world IO2BO vulnerabilities. The experimental results show that our system detects all of the known IO2BO vulnerabilities effectively and efficiently.
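As an added illustration of the bug class the abstract describes (this is example code written for this page, not ELAID's code or any program from the paper's evaluation), the C below shows the CWE-680 pattern ELAID is built to find: an attacker-controlled record count (the taint source) is multiplied into an allocation size in 32-bit arithmetic, wraps, and the undersized buffer is then filled with the unwrapped number of records (the sink). The wire format, the record layout, and all function names are assumptions made for the example. The vulnerable parser is shown beside a hardened one that rejects the wrapping count before allocating; io2bo_triggerable() writes out, for one concrete count, the "wrapped product smaller than exact product" condition that ELAID instead encodes symbolically over the path's constraints and hands to the SMT solver.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Wire format assumed for this example: 4-byte little-endian record count,
 * then 'count' records of 8 bytes (id, val), both little-endian. */
typedef struct { uint32_t id; uint32_t val; } record_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size computation of the vulnerable version: count (attacker-controlled, the
 * taint source) is multiplied in 32-bit arithmetic. For count >= 2^29 the
 * product wraps, so malloc gets a buffer far smaller than 'count' records. */
uint32_t vuln_alloc_bytes(uint32_t count) {
    return count * (uint32_t)sizeof(record_t);
}

/* Vulnerable parser (the 'before'): trusts count, allocates the wrapped size,
 * then writes 'count' records into it, a heap overflow once the product wraps.
 * Deliberately unsafe; only ever call it with benign input. */
record_t *vuln_parse_records(const uint8_t *msg, uint32_t *count_out) {
    uint32_t count = rd_le32(msg);
    record_t *buf = malloc(vuln_alloc_bytes(count));   /* undersized if wrapped */
    if (!buf) return NULL;
    for (uint32_t i = 0; i < count; i++) {            /* writes past the end */
        buf[i].id  = rd_le32(msg + 4 + (size_t)i * 8);
        buf[i].val = rd_le32(msg + 4 + (size_t)i * 8 + 4);
    }
    *count_out = count;
    return buf;
}

/* Trigger condition for one concrete count: the 32-bit product is smaller than
 * the exact product, so the allocation cannot hold 'count' records. ELAID asks
 * the SMT solver whether any count reaching the sink satisfies this. */
int io2bo_triggerable(uint32_t count) {
    uint64_t exact = (uint64_t)count * sizeof(record_t);
    return (uint64_t)vuln_alloc_bytes(count) < exact;
}

/* Hardened parser (the 'after'): rejects counts whose byte size would wrap in
 * 32 bits, and counts the input cannot back, before allocating anything.
 * Returns the number of records written to *out (caller frees), or -1. */
long safe_parse_records(const uint8_t *msg, size_t len, record_t **out) {
    if (len < 4) return -1;
    uint32_t count = rd_le32(msg);
    if (count > UINT32_MAX / sizeof(record_t)) return -1;  /* product would wrap */
    uint32_t bytes = count * (uint32_t)sizeof(record_t);
    if (bytes > len - 4) return -1;                        /* claims more than present */
    record_t *buf = malloc(bytes ? bytes : 1);
    if (!buf) return -1;
    for (uint32_t i = 0; i < count; i++) {
        buf[i].id  = rd_le32(msg + 4 + (size_t)i * 8);
        buf[i].val = rd_le32(msg + 4 + (size_t)i * 8 + 4);
    }
    *out = buf;
    return (long)count;
}

/* Constructed sample inputs for the example. */
const uint8_t SAMPLE_GOOD[] = { 2,0,0,0,  1,0,0,0, 10,0,0,0,  2,0,0,0, 20,0,0,0 };
/* count = 0x20000001: 0x20000001 * 8 = 0x100000008, which wraps to 8 in 32 bits */
const uint8_t SAMPLE_EVIL[] = { 0x01,0x00,0x00,0x20,  0,0,0,0, 0,0,0,0 };
/* count = 3 but only one record follows */
const uint8_t SAMPLE_TRUNC[] = { 3,0,0,0,  1,0,0,0, 1,0,0,0 };

int main(void) {
    record_t *r = NULL;
    long n = safe_parse_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &r);
    printf("good: safe parse -> %ld records, last val=%u\n", n, n > 0 ? r[n - 1].val : 0);
    free(r);
    printf("evil: vuln malloc size=%u bytes for %u records, triggerable=%d, safe parse=%ld\n",
           vuln_alloc_bytes(0x20000001u), 0x20000001u, io2bo_triggerable(0x20000001u),
           safe_parse_records(SAMPLE_EVIL, sizeof SAMPLE_EVIL, &r));
    printf("truncated: safe parse=%ld\n", safe_parse_records(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &r));
    return 0;
}
```

The hostile header is the kind of witness the solver returns when the constraint is satisfiable: with count = 0x20000001 the vulnerable path allocates 8 bytes and then loops over half a billion records. The hardened version checks the multiplication against the type actually used for the size (UINT32_MAX / sizeof(record_t)), not against SIZE_MAX, because on a 64-bit target a size_t check would never fire for a 32-bit count and the wrap would go unnoticed.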
