Abstract
More than two decades after the first stack smashing attacks, memory corruption vulnerabilities that exploit stack anomalies are still prevalent and play an important role in practice. Among such vulnerabilities, uninitialized variables play an exceptional role due to their unpleasant property of unpredictability: because compilers are tailored to operate fast, costly interprocedural analysis procedures are not used in practice to detect such vulnerabilities. As a result, complex relationships that expose uninitialized memory reads remain undiscovered in binary code. Recent vulnerability reports show the variety of ways in which uninitialized memory reads are exploited in practice, especially for memory disclosure and code execution. Research in recent years has proposed detection and prevention techniques tailored to source code. To date, however, little attention has been paid to these types of software bugs within binary executables.
In this paper, we present a static analysis framework to find uninitialized variables in binary executables. We developed methods to lift the binaries into a knowledge representation which forms the basis for specifically crafted algorithms to detect uninitialized reads. Our prototype implementation is capable of detecting uninitialized memory errors in complex binaries such as web browsers and OS kernels, and we detected 7 novel bugs.
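The following C snippet is an added illustration of the bug class the abstract describes; it is not code from the paper or its prototype. It shows why the "complex relationships" mentioned above are hard to see locally: whether the stack variable `len` is initialized depends on a callee two frames away that writes its out-parameter only on its success path. The function and parameter names (`parse_length`, `read_header_length`, `vulnerable_use`, `hardened_use`) are constructed for the example; the vulnerable caller is included for comparison only, while the hardened caller initializes at declaration and honours the status code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example (not the paper's code): a callee that writes its
 * out-parameter on the success path only. Returns 1 if *out was written. */
static int parse_length(const char *field, uint32_t *out)
{
    if (field == NULL || field[0] == '\0')
        return 0;                         /* error path: *out left untouched */
    char *end = NULL;
    unsigned long v = strtoul(field, &end, 10);
    if (end == field || *end != '\0' || v > UINT32_MAX)
        return 0;                         /* another path that skips the write */
    *out = (uint32_t)v;
    return 1;
}

/* A wrapper that forwards the out-parameter: initialization of the caller's
 * stack slot now depends on a callee two frames away, which is exactly what
 * a purely intraprocedural check cannot see. */
static int read_header_length(const char *hdr, uint32_t *out)
{
    return parse_length(hdr, out);
}

/* Vulnerable pattern: the status is discarded, so on any error path the
 * function returns whatever the stack slot of `len` happened to contain
 * (stale data from an earlier frame, i.e. an information disclosure). */
uint32_t vulnerable_use(const char *hdr)
{
    uint32_t len;                 /* no initializer */
    (void)read_header_length(hdr, &len);
    return len;                   /* uninitialized read when parsing fails */
}

/* Hardened pattern: initialize at declaration and honour the status code,
 * so the caller can never observe a value the callee did not produce. */
int hardened_use(const char *hdr, uint32_t *len_out)
{
    uint32_t len = 0;
    if (!read_header_length(hdr, &len))
        return -1;                /* explicit failure instead of stale data */
    *len_out = len;
    return 0;
}
```

Note that the vulnerable caller compiles without complaint in a non-inlining build: the compiler sees a call that takes the address of `len` and conservatively assumes it was written. Only an interprocedural analysis of `parse_length`'s paths, or a dynamic tool such as a memory sanitizer, exposes the error path on which the write never happens.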
Acknowledgements
We thank the anonymous reviewers for their valuable feedback. This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. In addition, this work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (ERC Starting Grant No. 640110 (BASTION)).
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Garmany, B., Stoffel, M., Gawlik, R., Holz, T. (2019). Static Detection of Uninitialized Stack Variables in Binary Code. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_4
DOI: https://doi.org/10.1007/978-3-030-29962-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0
eBook Packages: Computer Science (R0)