research-article
Open Access

Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement

Published: 14 March 2015

Abstract

We present a new technique and system, DIODE, for automatically generating inputs that trigger overflows at memory allocation sites. DIODE is designed to identify the relevant sanity checks that inputs must satisfy to reach a target memory allocation site, then generate inputs that satisfy these sanity checks and also overflow the size expression at that site. DIODE works with off-the-shelf, production x86 binaries. Our results show that, for our benchmark set of applications, and for every target memory allocation site exercised by our seed inputs (which the applications process correctly with no overflows), either 1) DIODE is able to generate an input that triggers an overflow at that site or 2) there is no input that would trigger an overflow for the observed target expression at that site.
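The bug class the abstract targets is a size expression at an allocation site (typically width times height times bytes-per-pixel) computed in machine-width arithmetic, guarded by sanity checks that bound each field individually but not their product. The following is an added illustration, not DIODE's code and not taken from any of the benchmark applications: a constructed toy image header, a hypothetical set of sanity checks (`MAX_DIM`, the allowed `bpp` values), the vulnerable allocation next to a hardened one that rejects inputs whose target expression overflows, and a brute-force stand-in for input generation that searches boundary values for an input satisfying both the checks and the overflow goal. DIODE does the last step with symbolic constraints and a solver; the search here only makes the two-part goal concrete.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy image header: the kind of format-driven allocation the
 * abstract describes. Not DIODE's code and not a real file format. */
struct hdr { uint32_t width; uint32_t height; uint32_t bpp; };

#define MAX_DIM 65536u   /* hypothetical per-field sanity bound */

/* Sanity checks an input must pass before reaching the allocation site
 * (hypothetical; stand-in for the checks DIODE must satisfy). Note that each
 * field is bounded on its own, not their product. */
int passes_sanity_checks(const struct hdr *h) {
    return h->width  > 0 && h->width  <= MAX_DIM &&
           h->height > 0 && h->height <= MAX_DIM &&
           (h->bpp == 1 || h->bpp == 2 || h->bpp == 3 || h->bpp == 4);
}

/* The target expression width * height * bpp evaluated in 32 bits. Returns 1
 * if it overflows, 0 otherwise; *wrapped receives the value modulo 2^32 in
 * both cases, i.e. exactly what the vulnerable malloc call would be given. */
int target_expr_overflows(const struct hdr *h, uint32_t *wrapped) {
    uint32_t tmp, out;
    int ovf = __builtin_mul_overflow(h->width, h->height, &tmp);
    ovf |= __builtin_mul_overflow(tmp, h->bpp, &out);
    *wrapped = out;
    return ovf;
}

/* Vulnerable allocation: the size is computed in 32-bit arithmetic, so an
 * input that passes every sanity check can still wrap to a small buffer that
 * the later pixel copy will overrun. Returns NULL only if the checks fail. */
unsigned char *alloc_pixels_vulnerable(const struct hdr *h, uint32_t *size_out) {
    if (!passes_sanity_checks(h)) return NULL;
    uint32_t size = h->width * h->height * h->bpp;   /* target expression */
    *size_out = size;
    return malloc(size);
}

/* Hardened allocation: additionally reject any input for which the target
 * expression overflows, so the buffer is always as large as the pixel data. */
unsigned char *alloc_pixels_hardened(const struct hdr *h, uint32_t *size_out) {
    uint32_t size;
    if (!passes_sanity_checks(h)) return NULL;
    if (target_expr_overflows(h, &size)) return NULL;
    *size_out = size;
    return malloc(size);
}

/* Toy stand-in for input generation: try boundary values of each field and
 * report the first input that both passes the sanity checks and overflows the
 * target expression. Returns 1 and fills *found on success, 0 otherwise. */
int find_overflow_input(struct hdr *found) {
    static const uint32_t cand[] = { 1u, 255u, 256u, 32768u, 32769u, 65535u, 65536u, 65537u };
    static const uint32_t bpps[] = { 1u, 2u, 3u, 4u };
    size_t n = sizeof cand / sizeof cand[0];
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < sizeof bpps / sizeof bpps[0]; k++) {
                struct hdr h = { cand[i], cand[j], bpps[k] };
                uint32_t w;
                if (passes_sanity_checks(&h) && target_expr_overflows(&h, &w)) {
                    *found = h;
                    return 1;
                }
            }
    return 0;
}

int main(void) {
    struct hdr seed = { 64u, 64u, 3u }, found;
    uint32_t size = 0;
    target_expr_overflows(&seed, &size);
    printf("seed 64x64x3: %u bytes, no overflow\n", size);
    if (find_overflow_input(&found)) {
        unsigned char *buf = alloc_pixels_vulnerable(&found, &size);
        uint32_t hsize = 0;
        unsigned char *hbuf = alloc_pixels_hardened(&found, &hsize);
        printf("found %ux%ux%u: vulnerable path calls malloc(%u); hardened path %s\n",
               found.width, found.height, found.bpp, size,
               hbuf ? "allocates" : "rejects the input");
        free(buf);
        free(hbuf);
    }
    return 0;
}
```

The seed input (64x64x3) is processed correctly by both versions; the generated input passes every per-field check yet wraps the 32-bit product, so the vulnerable path allocates a buffer far smaller than the data it is meant to hold. Compile with `gcc` or `clang` (the `__builtin_mul_overflow` checks need one of those).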



Published in

ACM SIGARCH Computer Architecture News, Volume 43, Issue 1 (ASPLOS'15), March 2015, 676 pages. ISSN: 0163-5964. DOI: 10.1145/2786763

ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems, March 2015, 720 pages. ISBN: 9781450328357. DOI: 10.1145/2694344

Copyright © 2015 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States
