ABSTRACT
After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. Although a core dump carries a large amount of information and has long been used for software debugging, it rarely serves as an informative debugging aid for locating software faults, particularly memory corruption vulnerabilities. A memory corruption vulnerability is a special type of software fault that an attacker can exploit to manipulate the content at a certain memory location. As a result, a core dump may itself contain a certain amount of corrupted data, which makes it harder to extract useful debugging information (e.g., the crash point and the stack trace). Without a proper mechanism to deal with this problem, a core dump can be practically useless for software failure diagnosis. In this work, we develop CREDAL, an automatic tool that uses the source code of a crashing program to enhance core dump analysis and turns a core dump into an informative aid for tracking down memory corruption vulnerabilities. Specifically, CREDAL systematically analyzes a potentially corrupted core dump and identifies the crash point and the stack frames. For a core dump carrying corrupted data, it goes beyond the crash point and stack trace: CREDAL further pinpoints the variables holding corrupted data, using the source code of the crashing program together with the recovered stack frames. To assist software developers (or security analysts) in tracking down a memory corruption vulnerability, CREDAL also performs analysis that highlights the code fragments corresponding to the data corruption.
To demonstrate the utility of CREDAL, we use it to analyze 80 crashes corresponding to 73 memory corruption vulnerabilities archived in the Offensive Security Exploit Database. We show that CREDAL can accurately pinpoint the crash point and (fully or partially) restore a stack trace even when the crashing program's stack carries corrupted data. In addition, we demonstrate that CREDAL can reduce the manual effort of finding the code fragment that is likely to contain the memory corruption vulnerability.
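The abstract's central point is that a stack trace read naively from a corrupted core dump cannot be trusted: an overflow that clobbers a saved frame pointer or return address breaks the frame chain, so the analysis must validate each frame before using it and report how much of the trace it could restore. The following added example (not the paper's code, and not CREDAL's implementation) illustrates that validation on a constructed x86-64 stack image. Every address, segment range, symbol range and frame value in it is constructed for the illustration; the `FUNC_RANGES` table stands in for the symbol and line information that CREDAL derives from source code and debug information.

```python
import struct

# All addresses, ranges and symbol tables below are constructed for this
# example; they are not taken from the paper or from any real binary.
TEXT_START, TEXT_END = 0x401000, 0x402000
STACK_START, STACK_END = 0x7FFC0000, 0x7FFC1000

# Stand-in for the function information a tool would recover from the
# binary's debug info: (start, end, name) for each function in .text.
FUNC_RANGES = [
    (0x401000, 0x401300, "parse_header"),
    (0x401300, 0x401700, "handle_request"),
    (0x401700, 0x401900, "main"),
    (0x401900, 0x401A00, "_start"),
]


def symbolize(addr):
    """Map a code address to its function name, or None if it is not in .text."""
    for start, end, name in FUNC_RANGES:
        if start <= addr < end:
            return name
    return None


def write_qword(image, addr, value):
    struct.pack_into("<Q", image, addr - STACK_START, value)


def read_qword(image, addr):
    return struct.unpack_from("<Q", image, addr - STACK_START)[0]


def build_stack(frames):
    """Serialize (rbp, saved_rbp, return_addr) triples, innermost frame first,
    into a little-endian stack image laid out like a frame-pointer chain."""
    image = bytearray(STACK_END - STACK_START)
    for rbp, saved_rbp, ret in frames:
        write_qword(image, rbp, saved_rbp)       # [rbp]   = caller's rbp
        write_qword(image, rbp + 8, ret)         # [rbp+8] = return address
    return image


def walk_frames(image, rbp):
    """Follow the frame-pointer chain, stopping at the first frame that fails
    a sanity check. The returned list is the (possibly partial) stack trace."""
    trace = []
    while rbp != 0:
        if not (STACK_START <= rbp and rbp + 16 <= STACK_END):
            trace.append({"rbp": rbp, "status": "corrupted",
                          "reason": "frame pointer outside the stack"})
            break
        saved_rbp = read_qword(image, rbp)
        ret = read_qword(image, rbp + 8)
        func = symbolize(ret)
        if func is None:
            trace.append({"rbp": rbp, "ret": ret, "status": "corrupted",
                          "reason": "return address outside .text"})
            break
        if saved_rbp != 0 and saved_rbp <= rbp:
            trace.append({"rbp": rbp, "ret": ret, "status": "corrupted",
                          "reason": "saved frame pointer does not move toward the stack base"})
            break
        trace.append({"rbp": rbp, "ret": ret, "func": func, "status": "ok"})
        rbp = saved_rbp
    return trace


def analyze(image, pc, rbp):
    """Identify the crash point from pc and restore as much of the trace as the
    frame chain supports; 'complete' is False when a corrupted frame was hit."""
    frames = walk_frames(image, rbp)
    return {
        "crash_point": symbolize(pc) or "unknown (pc outside .text)",
        "frames": frames,
        "complete": all(f["status"] == "ok" for f in frames),
    }


# Constructed frames: parse_header was called by handle_request, which was
# called by main. Each triple is (rbp, saved rbp, return address).
CLEAN_FRAMES = [
    (0x7FFC0100, 0x7FFC0200, 0x4014A0),   # returns into handle_request
    (0x7FFC0200, 0x7FFC0300, 0x401820),   # returns into main
    (0x7FFC0300, 0x0,        0x401950),   # returns into _start; chain ends
]

# Same layout, but handle_request's saved rbp and return address have been
# overwritten with a constructed filler pattern, as a stack overflow would do.
CORRUPT_FRAMES = [
    (0x7FFC0100, 0x7FFC0200, 0x4014A0),
    (0x7FFC0200, 0x4141414141414141, 0x4141414141414141),
    (0x7FFC0300, 0x0,        0x401950),
]

CRASH_PC = 0x4010F0          # constructed: a fault inside parse_header
CRASH_RBP = 0x7FFC0100


def clean_case():
    return analyze(build_stack(CLEAN_FRAMES), CRASH_PC, CRASH_RBP)


def corrupted_case():
    return analyze(build_stack(CORRUPT_FRAMES), CRASH_PC, CRASH_RBP)


if __name__ == "__main__":
    for label, result in (("clean", clean_case()), ("corrupted", corrupted_case())):
        print(label, "crash in", result["crash_point"], "complete:", result["complete"])
        for f in result["frames"]:
            print("  ", f)
```

In the clean case the walk yields the full chain (handle_request, main, _start); in the corrupted case it restores only the innermost caller and then stops with a labelled corrupted frame rather than reporting the filler value as if it were a real return address. Which frame failed, and why, is exactly the kind of evidence the paper's approach then combines with source-level information to narrow the corruption down to specific variables and code fragments.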
CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump