Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs

  • Ebrima N. Ceesay
  • Jingmin Zhou
  • Michael Gertz
  • Karl Levitt
  • Matt Bishop
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4064)

Abstract

Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer related vulnerabilities in these applications.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    The ICAT team: Icat vulnerability statistics (2005), http://icat.nist.gov/icat.cfm?function=statistics
  2. 2.
    Foster, J.S., Fähndrich, M., Aiken, A.: A theory of type qualifiers. In: Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 1999), Atlanta, Georgia (1999)Google Scholar
  3. 3.
    Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting format string vulnerabilities with type qualifiers. In: Proceedings of the 10th Usenix Security Symposium, Washington, DC (2001)Google Scholar
  4. 4.
    Blexim: Basic integer overflows. Phrack Issue 0x3c, Phile 0x0a of 0x10 (2002)Google Scholar
  5. 5.
    CERT: Apache web server chunk handling vulnerability. Advisory CA-2002-17 (2002)Google Scholar
  6. 6.
    CERT: Openssh vulnerabilities in challenge response. Advisory CA-2002-18 (2002)Google Scholar
  7. 7.
    CERT: Integer overflow in sun rpc xdr library routines. Advisory CA-2003-10 (2003)Google Scholar
  8. 8.
    CERT: Apple quicktime contains an integer overflow in the “quicktime.qts” extension. Vulnerability Note VU#782958 (2004)Google Scholar
  9. 9.
    X-Force: Sendmail debugging function signed integer overflow. Vulnerability DB Entry 7016 (2001)Google Scholar
  10. 10.
    Chinchani, R., Iyer, A., Jayaraman, B., Upadhyaya, S.: ARCHERR: Runtime environment driven program safety. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 385–406. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. 11.
    Horovitz, O.: Big loop integer protection. Phrack Issue 0x3c, Phile 0x09 of 0x10 (2002)Google Scholar
  12. 12.
    Howard, M.: An overlooked construct and an integer overflow redux (2003), http://msdn.microsoft.com/library/en-us/dncode/html/secure09112003.asp
  13. 13.
    Howard, M.: Reviewing code for integer manipulation vulnerabilities (2003), http://msdn.microsoft.com/library/en-us/dncode/html/secure04102003.asp
  14. 14.
    LeBlanc, D.: Integer handling with the c++ safeint class (2004), http://msdn.microsoft.com/library/en-us/dncode/html/secure01142004.asp
  15. 15.
    Biba, K.J.: Integrity considerations for secure computer system. Technical Report ESD-TR-76-372, MTR-3153, The MITRE Corporation, USAF Electronic Systems Division, Bedford, MA (1977)Google Scholar
  16. 16.
    Johnson, R., Wagner, D.: Finding user/kernel pointer bugs with type inference. In: Proceedings of the 13th USENIX Security Symposium, San Diego, CA (2004)Google Scholar
  17. 17.
    Foster, J.S.: Type Qualifiers: Lightweight Specifications to Improve Software Quality. PhD thesis. University of California, Berkeley (2002)Google Scholar
  18. 18.
    Boutell.com: Gd graphics library (2004), http://www.boutell.com/gd/
  19. 19.
    Gentoo Linux: Gd: Integer overflow. Security Advisory GLSA 200411-08 (2004)Google Scholar
  20. 20.
    The rsync project: News for rsync 2.5.7 (2003), http://rsync.samba.org
  21. 21.
    Sirainen, T.: Possible security hole (2003), http://www.mail-archive.com/rsync.lists.samba.org/msg08271.html
  22. 22.
    The GNOME Project: Gnome imaging model - gdkpixbuf (2003), http://developer.gnome.org/arch/imaging/gdkpixbuf.html
  23. 23.
    CERT: Gdkpixbuf xpm parser contains a heap overflow vulnerability. Vulnerability Note VU#729894 (2004)Google Scholar
  24. 24.
    CERT: Gdkpixbuf ico parser contains a integer overflow vulnerability. Vulnerability Note VU#577654 (2004)Google Scholar
  25. 25.
    CERT: Libtiff contains multiple heap-based buffer overflows. Vulnerability Note VU#948752 (2004)Google Scholar
  26. 26.
    Su, Z., Wagner, D.: A class of polynomially solvable range constraints for interval analysis without widenings and narrowings. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 280–295. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  27. 27.
    Viega, J., Bloch, J.T., Kohno, T., McGraw, G.: ITS4: A static vulnerability scanner for C and C++ code. ACM Transactions on Information and System Security 5 (2002)Google Scholar
  28. 28.
    Secure Software Inc.: Rats: Rough auditing tool for security (2002), http://www.securesw.com/rats.php
  29. 29.
    Wheeler, D.A.: Flawfinder (2001), http://www.dwheeler.com/flawfinder/
  30. 30.
    Evans, D.: Static detection of dynamic memory errors. In: Proceedings of the 1996 ACM Conference on Programming Language Design and Implementation (SIGPLAN), pp. 44–53 (1996)Google Scholar
  31. 31.
    Ashcraft, K., Engler, D.R.: Using programmer-written compiler extensions to catch security holes. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 143–159 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ebrima N. Ceesay
    • 1
  • Jingmin Zhou
    • 1
  • Michael Gertz
    • 1
  • Karl Levitt
    • 1
  • Matt Bishop
    • 1
  1. 1.Computer Security LaboratoryUniversity of California at DavisDavisUSA

Personalised recommendations