DOI: 10.1145/2976749.2978340
Research article (Public Access)

CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump

Published: 24 October 2016

ABSTRACT

After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. While a core dump carries a large amount of information and has long been used for software debugging, it hardly serves as an informative debugging aid in locating software faults, particularly memory corruption vulnerabilities. A memory corruption vulnerability is a special type of software fault that an attacker can exploit to manipulate the content at a certain memory location. As a result, a core dump may contain a certain amount of corrupted data, which makes it harder to identify useful debugging information (e.g., the crash point and stack traces). Without a proper mechanism to deal with this problem, a core dump can be practically useless for software failure diagnosis. In this work, we develop CREDAL, an automatic tool that uses the source code of a crashing program to enhance core dump analysis and turns a core dump into an informative aid for tracking down memory corruption vulnerabilities. Specifically, CREDAL systematically analyzes a potentially corrupted core dump and identifies the crash point and stack frames. For a core dump carrying corrupted data, it goes beyond the crash point and stack trace: CREDAL further pinpoints the variables holding corrupted data using the source code of the crashing program along with the stack frames. To assist software developers (or security analysts) in tracking down a memory corruption vulnerability, CREDAL also performs analysis and highlights the code fragments corresponding to the data corruption.

To demonstrate the utility of CREDAL, we use it to analyze 80 crashes corresponding to 73 memory corruption vulnerabilities archived in the Offensive Security Exploit Database. We show that CREDAL can accurately pinpoint the crash point and (fully or partially) restore a stack trace even though the crashing program's stack carries corrupted data. In addition, we demonstrate that CREDAL can potentially reduce the manual effort of finding the code fragment that is likely to contain the memory corruption vulnerability.
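As an added illustration of the partial stack-trace recovery the abstract describes (this is not CREDAL's code; the stack image, function table and locals map are constructed for this example, and the validation and rescan heuristics are the editor's): a frame-pointer walk that refuses to follow a return address outside any known function, records the corrupted stack slot, resumes from the next intact frame, and names the local whose storage ends just below the clobbered slot.

```python
# Constructed symbol data (what a debugger reads from DWARF): code range per
# function, and each local's (offset from rbp, size) in the crashing frame.
STACK_BASE, STACK_END = 0x7FFC0000, 0x7FFC1000    # bounds of the dumped stack
GARBAGE = 0x4141414141414141                      # overflow fill pattern
FUNCS = {"main": (0x401000, 0x401040), "parse_line": (0x401040, 0x4010A0),
         "copy_field": (0x4010A0, 0x4010E0)}
LOCALS = {"copy_field": {"buf": (-0x20, 0x20), "n": (-0x24, 4)}}

def func_at(addr):
    return next((n for n, (lo, hi) in FUNCS.items() if lo <= addr < hi), None)

def make_dump(corrupt=True):
    """Constructed stack image (8-byte words by address): copy_field's buf has
    overflowed its saved rbp and return address; parse_line's frame is intact."""
    rbp0, rbp1 = STACK_BASE + 0x30, STACK_BASE + 0x60
    words = {rbp0 - 0x20 + o: GARBAGE for o in range(0, 0x20, 8)}   # buf
    words[rbp0], words[rbp0 + 8] = (GARBAGE, GARBAGE) if corrupt else (rbp1, 0x401070)
    words[rbp1 - 8], words[rbp1], words[rbp1 + 8] = 0x10, STACK_BASE + 0x90, 0x401020
    return words, 0x4010B0, rbp0                  # dump, crash pc, crash rbp

def is_frame(words, a):
    """Plausible (saved rbp, return address) pair at address a?"""
    saved, ret = words.get(a, 0), words.get(a + 8, 0)
    return func_at(ret) is not None and a < saved < STACK_END

def unwind(words, pc, rbp, limit=16):
    """Frame-pointer walk that validates every return address; a bad slot is
    recorded and the walk rescans upward for the next plausible frame."""
    trace, bad = [func_at(pc)], []
    for _ in range(limit):
        if not is_frame(words, rbp):
            bad.append(rbp + 8)
            trace.append("<corrupted return address 0x%x>" % words.get(rbp + 8, 0))
            rbp = next((a for a in range(rbp + 16, STACK_END, 8) if is_frame(words, a)), None)
            if rbp is None:
                break
        caller = func_at(words[rbp + 8])
        trace.append(caller)
        if caller == "main":
            break
        rbp = words[rbp]                          # saved rbp -> caller's frame
    return trace, bad

def suspect_local(func, rbp, slot):
    """Heuristic: the local ending nearest below the corrupted slot is the
    likely source of a sequential overwrite (a lead, not proof)."""
    ends = [(rbp + off + size, name) for name, (off, size) in
            LOCALS.get(func, {}).items() if rbp + off + size <= slot]
    return max(ends)[1] if ends else None
```

Calling `unwind(*make_dump())` returns the partially restored trace and the address of the clobbered return-address slot, and `suspect_local("copy_field", rbp, slot)` maps that slot back to `buf`.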


Published in: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749.

      Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '16 paper acceptance rate 137 of 831 submissions (16%); overall acceptance rate 1,261 of 6,999 submissions (18%).
