International Workshop on Recent Advances in Intrusion Detection

Research in Attacks, Intrusions, and Defenses, pp. 247-269

Improving Accuracy of Static Integer Overflow Detection in Binary

  • Yang Zhang
  • Xiaoshan Sun
  • Yi Deng
  • Liang Cheng
  • Shuke Zeng
  • Yu Fu
  • Dengguo Feng
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)

Abstract

Integer overflow presents a major source of security threats to information systems. However, current solutions are less effective in detecting integer overflow vulnerabilities: they either produce unacceptably high false positive rates or cannot generate concrete inputs towards vulnerability exploration. This limits the usability of these solutions in analyzing real-world applications, especially those in the format of binary executables.

In this paper, we present a platform, called INDIO, for accurately detecting integer overflow vulnerabilities in Windows binaries. INDIO integrates the techniques of pattern matching (for quick identification of potential vulnerabilities), vulnerability ranking (for economical elimination of false positives), and selective symbolic execution (for rigorous elimination of false positives). As a result, INDIO can detect integer overflows with low false positive and false negative rates.

We have applied INDIO to several real-world, large Windows binaries, and the experimental results confirmed the effectiveness of INDIO (all known and two previously unknown integer overflow vulnerabilities were detected). The experiments also demonstrate that the vulnerability ranking technique and the other optimization techniques employed in INDIO can significantly reduce false positives at low cost.
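To make the three-stage pipeline in the abstract concrete, here is an added toy model (not INDIO's code) that runs all three stages over a constructed three-address IR of one function: pattern matching finds arithmetic whose result flows into an allocation-size sink, ranking orders the candidates by how many untrusted inputs feed them, and a bounded search over 8-bit inputs stands in for selective symbolic execution and returns a concrete triggering input. The IR, the operation names and the ranking heuristic are assumptions for illustration.

```python
from itertools import product
MASK = (1 << 8) - 1   # 8-bit arithmetic so exhaustive search can stand in for an SMT solver

# Constructed three-address IR of one function, dst -> (op, src_a, src_b).
# "in" marks untrusted input, "alloc" the allocation-size sink. Not the paper's IR.
DEFS = {
    "n":   ("in",    None,  None),
    "hdr": ("in",    None,  None),
    "sz":  ("mul",   "n",   4),      # element count * element size
    "tot": ("add",   "sz",  "hdr"),  # plus a header length
    "k":   ("add",   "hdr", 1),      # arithmetic that never reaches the sink
    "buf": ("alloc", "tot", None),
}

def deps(var, defs=DEFS):
    """Variables var transitively depends on (backward def-use walk)."""
    srcs = [s for s in defs[var][1:] if isinstance(s, str)]
    return set(srcs).union(*(deps(s, defs) for s in srcs))

def candidates(defs=DEFS):
    """Stage 1, pattern matching: arithmetic whose result reaches an alloc sink."""
    sinks = [v for v, (op, _, _) in defs.items() if op == "alloc"]
    reach = set().union(*(deps(v, defs) for v in sinks))
    return [v for v, (op, _, _) in defs.items() if op in ("mul", "add") and v in reach]

def rank(cands, defs=DEFS):
    """Stage 2, ranking: more input-derived operands first, multiplications before adds."""
    inputs = {v for v, (op, _, _) in defs.items() if op == "in"}
    key = lambda v: (len(deps(v, defs) & inputs), defs[v][0] == "mul")
    return sorted(cands, key=key, reverse=True)

def evaluate(v, env, defs=DEFS):
    """Wrapping 8-bit evaluation of v under the concrete input assignment env."""
    if isinstance(v, int): return v
    op, a, b = defs[v]
    if op == "in": return env[v]
    x, y = evaluate(a, env, defs), evaluate(b, env, defs)
    return (x * y if op == "mul" else x + y) & MASK

def overflow_witness(var, defs=DEFS):
    """Stage 3, verification: find an input whose exact result exceeds the width (bounded stand-in for symbolic execution)."""
    inputs = [v for v, (op, _, _) in defs.items() if op == "in"]
    op, a, b = defs[var]
    for vals in product(range(MASK + 1), repeat=len(inputs)):
        env = dict(zip(inputs, vals))
        x, y = evaluate(a, env, defs), evaluate(b, env, defs)
        if (x * y if op == "mul" else x + y) > MASK:
            return env          # concrete triggering input, as INDIO aims to produce
    return None                 # candidate is a false positive on this path
```

Running `overflow_witness` on each ranked candidate reports `sz` overflowing at `n = 64` and `tot` at `n = 1, hdr = 252`, while `k`, which never reaches the sink, is filtered out before verification is ever spent on it.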

Keywords

Integer overflow detection, Static program analysis, Binary analysis, Vulnerability ranking, Weakest precondition, Symbolic execution


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Yang Zhang (1)
  • Xiaoshan Sun (1)
  • Yi Deng (1)
  • Liang Cheng (1)
  • Shuke Zeng (1)
  • Yu Fu (1)
  • Dengguo Feng (1)
  1. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing, China
