Static Integer Overflow Vulnerability Detection in Windows Binary

  • Yi Deng
  • Yang Zhang
  • Liang Cheng
  • Xiaoshan Sun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8231)

Abstract

In this paper, we present an approach based on static binary analysis to detect integer overflow vulnerabilities in Windows binaries. We first translate the binary to our intermediate representation and perform sign type analysis to reconstruct sufficient type information, and then use dataflow analysis to collect suspicious integer overflow vulnerabilities. To alleviate the high false positive rate of static vulnerability detection, we use information about how variables that may be affected by integer overflow are used in security-sensitive operations to compute a priority and rank the suspicious integer overflow vulnerabilities. Finally, the weakest precondition technique is used to validate the suspicious integer overflow vulnerabilities. Our approach is static, so it does not run the software directly in a real environment. We implement a prototype called EIOD and use it to analyze real-world Windows binaries. Experiments show that EIOD can effectively and efficiently detect integer overflow vulnerabilities.

Keywords

Binary analysis; Integer overflow; Priority ranking; Weakest Precondition



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Yi Deng (1)
  • Yang Zhang (1)
  • Liang Cheng (1)
  • Xiaoshan Sun (1)

  1. Institute of Software, Chinese Academy of Sciences, Beijing, China
