
Static Detection of Uninitialized Stack Variables in Binary Code

Conference paper in Computer Security – ESORICS 2019 (ESORICS 2019), part of the book series Lecture Notes in Computer Science (LNSC, volume 11736).

Abstract

More than two decades after the first stack smashing attacks, memory corruption vulnerabilities that exploit stack anomalies are still prevalent and play an important role in practice. Among such vulnerabilities, uninitialized variables play an exceptional role due to their unpleasant property of unpredictability: because compilers are tailored to operate fast, costly interprocedural analysis procedures are not used in practice to detect such vulnerabilities. As a result, complex relationships that expose uninitialized memory reads remain undiscovered in binary code. Recent vulnerability reports show the variety of ways in which uninitialized memory reads are exploited in practice, especially for memory disclosure and code execution. Research in recent years has proposed detection and prevention techniques tailored to source code. To date, however, little attention has been paid to these types of software bugs within binary executables.

In this paper, we present a static analysis framework to find uninitialized variables in binary executables. We developed methods to lift the binaries into a knowledge representation which builds the base for specifically crafted algorithms to detect uninitialized reads. Our prototype implementation is capable of detecting uninitialized memory errors in complex binaries such as web browsers and OS kernels, and we detected 7 novel bugs.
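The following added example is not the paper's framework: it is a minimal flow-sensitive "may be uninitialized" analysis over a hand-built control-flow graph of stack-slot writes and reads, to illustrate the kind of reasoning a static detector of uninitialized stack reads performs once a binary has been lifted to a def/use representation. The IR, slot names (frame offsets such as `rbp-0x8`) and the CFG are constructed here for illustration.

```python
# Constructed IR: each basic block is a list of (op, slot), where op is "def"
# (a write to a stack slot) or "use" (a read of it) and slot is an assumed
# frame-offset name. The CFG models: a = 0; if (c) { b = ...; } else { use(a); }
# use(b); use(a);  -- so b is read on the else-path without ever being written.
from collections import deque

BLOCKS = {
    "entry": [("def", "rbp-0x8")],                       # a = 0
    "then":  [("def", "rbp-0x10")],                      # b = ...
    "else":  [("use", "rbp-0x8")],                       # use(a)
    "join":  [("use", "rbp-0x10"), ("use", "rbp-0x8")],  # use(b); use(a)
}
EDGES = {"entry": ["then", "else"], "then": ["join"], "else": ["join"], "join": []}

def slots_of(blocks):
    """All stack slots mentioned anywhere in the CFG."""
    return {slot for insns in blocks.values() for _, slot in insns}

def analyze(blocks, edges, entry, slots):
    """Forward may-analysis: the state is the set of slots that may still be
    uninitialized on some path; joins take the union. Returns sorted
    (block, instruction index, slot) triples for reads of such slots."""
    uninit_in = {b: set() for b in blocks}
    uninit_in[entry] = set(slots)       # nothing has been written before entry
    findings = set()
    work = deque([entry])
    while work:
        b = work.popleft()
        state = set(uninit_in[b])
        for i, (op, slot) in enumerate(blocks[b]):
            if op == "use" and slot in state:
                findings.add((b, i, slot))   # read may observe stale stack data
            elif op == "def":
                state.discard(slot)          # slot is definitely written here
        for succ in edges[b]:
            if not state <= uninit_in[succ]:  # new facts reach the successor
                uninit_in[succ] |= state
                work.append(succ)             # re-analyze until a fixpoint
    return sorted(findings)

if __name__ == "__main__":
    for block, idx, slot in analyze(BLOCKS, EDGES, "entry", slots_of(BLOCKS)):
        print(f"possible uninitialized read of {slot} in block {block} at insn {idx}")
```

Because the state only grows, the worklist terminates; a finding disappears only when every path to the read writes the slot, which is the property a fix must establish.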



Acknowledgements

We thank the anonymous reviewers for their valuable feedback. This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197. In addition, this work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (ERC Starting Grant No. 640110 (BASTION)).

Author information

Correspondence to Behrad Garmany, Martin Stoffel, Robert Gawlik or Thorsten Holz.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Garmany, B., Stoffel, M., Gawlik, R., Holz, T. (2019). Static Detection of Uninitialized Stack Variables in Binary Code. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_4

  • DOI: https://doi.org/10.1007/978-3-030-29962-0_4
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-29961-3
  • Online ISBN: 978-3-030-29962-0
  • eBook Packages: Computer Science, Computer Science (R0)
