Abstract
The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underrated source of security threats. Despite many works have been done to mitigate integer overflow, existing tools either report large number of false positives or introduce unacceptable time consumption. To address this problem, in this paper we present a new static analysis framework. It first utilizes inter-procedural dataflow analysis and taint analysis to accurately identify potential IO2BO vulnerabilities. Then it uses a light-weight method to further filter out false positives. Specifically, it generates constraints representing the conditions under which a potential IO2BO vulnerability can be triggered, and feeds the constraints to SMT solver to decide their satisfiability. We have implemented a prototype system LAID based on LLVM, and evaluated it on 228 programs of the NIST’s SAMATE Juliet test suite and 6 known IO2BO vulnerabilities in real world. The experiment results show that our system can effectively and efficiently detect all known IO2BO vulnerabilities.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Common vulnerabilities and exposures (CVE). http://cve.mitre.org/
Christey, S., Martin, R.A.: Vulnerability Type Distributions in CVE, May 2007. http://cve.mitre.org/docs/vuln-trends/vuln-trends.pdf
CWE-680: IO2BO vulnerabilities. http://cwe.mitre.org/data/definitions/680.html
Zhang, C., Wang, T., Wei, T., Chen, Y., Zou, W.: IntPatch: automatically fix integer-overflow-to-buffer-overflow vulnerability at compile-time. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 71–86. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_5
Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th Conference on USENIX Security Symposium, p. 12 (2005)
Sotirov, A.: Heap feng shui in javascript. In: Proceedings of Blackhat Europe (2007)
National vulnerability database. http://nvd.nist.gov/
Lattner, C.: LLVM: An Infrastructure for Multi-Stage Optimization. Master’s thesis, Computer Science Dept., University of Illinois at Urbana-Champaign, Urbana, IL, December 2002
Lattner, C., Adve, V.: LLVM: a compilation framework for lifelong program analysis & transformation. In: Proceedings of the 2004 International Symposium on Code Generation and Optimization (CGO 2004), Palo Alto, California, March 2004
Clang C language family frontend for LLVM. http://clang.llvm.org/
CVE-2005-1141. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1141
CVE-2011-4517. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
CVE-2014-9112. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
CVE-2016-9601. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
CVE-2016-6328. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
CVE-2017-16868. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16868
Wang, X., Chen, H., Jia, Z., Zeldovich, N., Kaashoek, M.F.: Improving integer security for systems with KINT. In: Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation, pp. 163–177 (2012)
Dietz, W., Li, P., Regehr, J., Adve, V.: Understanding integer overflow in C/C ++. In: Proceedings of the 34th International Conference on Software Engineering, ICSE 2012, pp. 760–770. IEEE Press, Zurich (2012)
Pomonis, M., Petsios, T., Jee, K., Polychronakis, M., Keromytis, A.D.: IntFlow: improving the accuracy of arithmetic error detection using information flow tracking. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 416–425. ACM, New Orleans (2014)
Chen, P., et al.: IntFinder: automatically detecting integer bugs in x86 binary program. In: Qing, S., Mitchell, C.J., Wang, G. (eds.) ICICS 2009. LNCS, vol. 5927, pp. 336–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-11145-7_26
Wang, T., Wei, T., Lin, Z., Zou, W.: IntScope: automatically detecting integer overflow vulnerability in x86 binary using symbolic execution. In: Proceedings of the Network and Distributed System Security Symposium (2009)
Vreugdenhil, P.: Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit (2010). http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
Moy, Y., Bjørner, N., Sielaff, D.: Modular bug-finding for integer overflows in the large: sound, efficient, bit-precise static analysis. Technical report MSR-TR-2009-57, Microsoft Research (2009)
Brummayer, R.: Efficient SMT Solving for Bit-Vectors and the Extensional Theory of Arrays. Ph.D thesis, Johannes Kepler University, Linz, Austria, November 2009
Brumley, D., Chiueh, T.c, Johnson, R., Lin, H., Song, D.: Rich: automatically protecting against integer-based vulnerabilities. In: Proceedings of the 14th Annual Network and Distributed System Security Symposium, NDSS 2007 (2007)
Zhang, Y., et al.: Improving accuracy of static integer overflow detection in binary. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 247–269. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_12
National Institute of Standard and Technology (NIST). SAMATE-software assurance metrics and tool evaluation. http://samate.nist.gov/SARD/testsuite.php
Sun, H., Zhang, X., Su, C., Zeng, Q.: Efficient dynamic tracking technique for detecting integer-overflow-to-buffer-overflow vulnerability. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 483–494. ACM (2015)
Wang, Y., Gu, D., Xu, J., Wen, M., Deng, L.: RICB: integer overflow vulnerability dynamic analysis via buffer overflow. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds.) e-Forensics 2010. LNICST, vol. 56, pp. 99–109. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23602-0_9
Chen, K., Feng, D., Su, P.: Dynamic overflow vulnerability detection method based on finite CSP. Chin. J. Comput. 35(5), 898–909 (2012). (in Chinese)
Jia, X., Zhang, C., Su, P., Yang, Y., Huang, H., Feng, D.: Towards efficient heap overflow discovery. In: Proceedings of the 26th USENIX Conference on Security Symposium (2017)
Acknowledgments
We are grateful to the anonymous reviewers for their insightful comments and suggestions. This research was supported in part by the National Natural Science Foundation of China (Grant No. 61802394, Grant NO. 61602470), Foundation of Science and Technology on Information Assurance Laboratory (No. KJ-17-110), Key Research and Development Program of Beijing Municipal Science & Technology Commission, Research on intelligent vulnerability analysis and penetration testing technology (Grant No. D181100000618004), Strategic Priority Research Program of the CAS (XDC02000000), Program of Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences and Program of Beijing Key Laboratory of Network Security and Protection Technology.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Xu, M. et al. (2019). A Light-Weight and Accurate Method of Static Integer-Overflow-to-Buffer-Overflow Vulnerability Detection. In: Guo, F., Huang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2018. Lecture Notes in Computer Science(), vol 11449. Springer, Cham. https://doi.org/10.1007/978-3-030-14234-6_22
Download citation
DOI: https://doi.org/10.1007/978-3-030-14234-6_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-14233-9
Online ISBN: 978-3-030-14234-6
eBook Packages: Computer ScienceComputer Science (R0)