Abstract
We present a new technique and system, DIODE, for automatically generating inputs that trigger overflows at memory allocation sites. DIODE is designed to identify relevant sanity checks that inputs must satisfy to trigger overflows at target memory allocation sites, then generate inputs that satisfy these sanity checks to successfully trigger the overflow. DIODE works with off-the-shelf, production x86 binaries. Our results show that, for our benchmark set of applications, and for every target memory allocation site exercised by our seed inputs (which the applications process correctly with no overflows), either 1) DIODE is able to generate an input that triggers an overflow at that site or 2) there is no input that would trigger an overflow for the observed target expression at that site.
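The class of bug the abstract targets is an integer overflow in the size expression at a memory allocation site, guarded by sanity checks that bound the individual inputs but not their product. The following C program is an added illustration, not code from the paper or from any of its benchmark applications: the `image_header` type, the `MAX_DIM` bound, and all function names are hypothetical. It places a naive allocation-site expression (32-bit `width * height * bpp`, with a dimension-only sanity check) beside a hardened version that computes the size with overflow-checked arithmetic and an application ceiling, and shows how a header that passes the naive check still wraps the naive size to zero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example type: a hypothetical image header with dimensions and
   bytes per pixel. Not taken from the paper or any benchmark application. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;   /* bytes per pixel, 1..4 */
} image_header;

/* Hypothetical per-dimension bound of the kind an application enforces. */
#define MAX_DIM 65536u

/* A typical sanity check before the allocation site: each field is bounded
   individually, but nothing bounds the product of the fields. */
bool naive_sanity_check(const image_header *h) {
    return h->width <= MAX_DIM && h->height <= MAX_DIM &&
           h->bpp >= 1 && h->bpp <= 4;
}

/* The target expression at the allocation site, evaluated in 32 bits.
   When the true product exceeds 2^32 the result wraps and the allocation
   is far smaller than the data later written into it. */
uint32_t naive_alloc_size(const image_header *h) {
    return h->width * h->height * h->bpp;
}

/* True when the 32-bit site result differs from the exact product, i.e.
   when this header would make the naive site overflow. */
bool naive_site_wraps(const image_header *h) {
    uint64_t exact = (uint64_t)h->width * h->height * h->bpp;
    return exact != (uint64_t)naive_alloc_size(h);
}

/* Hardened version: keep the field checks, then compute the size with
   overflow-checked multiplications and an explicit ceiling. Returns false
   (and leaves *out untouched) when the size must not be allocated. */
bool checked_alloc_size(const image_header *h, size_t *out) {
    size_t tmp;
    if (!naive_sanity_check(h)) return false;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &tmp)) return false;
    if (__builtin_mul_overflow(tmp, (size_t)h->bpp, &tmp)) return false;
    if (tmp > ((size_t)1 << 30)) return false;   /* hypothetical 1 GiB ceiling */
    *out = tmp;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
size_t checked_size_or_zero(const image_header *h) {
    size_t n = 0;
    return checked_alloc_size(h, &n) ? n : 0;
}

int main(void) {
    /* Constructed inputs: a benign header and one that passes the
       per-field checks yet wraps the 32-bit product to zero. */
    image_header ok  = { 640, 480, 4 };
    image_header bad = { 65536, 65536, 4 };

    printf("ok : naive=%u wraps=%d checked=%zu\n",
           naive_alloc_size(&ok), naive_site_wraps(&ok), checked_size_or_zero(&ok));
    printf("bad: passes_naive_check=%d naive=%u wraps=%d checked=%zu\n",
           naive_sanity_check(&bad), naive_alloc_size(&bad),
           naive_site_wraps(&bad), checked_size_or_zero(&bad));
    return 0;
}
```

The `bad` header is exactly the kind of input the abstract describes: it satisfies every sanity check the application performs, yet the observed target expression at the allocation site wraps. The hardened path rejects it because the checked product, not the individual fields, is what the allocation depends on.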
Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement. ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems.