
Diagnosis and Emergency Patch Generation for Integer Overflow Exploits

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8550))

Abstract

Integer overflow has become a common cause of software vulnerabilities, and significantly threatens system availability and security. Yet protecting commodity software from attacks against unknown or unpatched integer overflow vulnerabilities remains unaddressed. This paper presents SoupInt, a system that can diagnose exploited integer overflow vulnerabilities from captured attack instances and then automatically generate patches to fix the vulnerabilities. Specifically, given an attack instance, SoupInt first diagnoses whether it exploits integer overflow vulnerabilities through a mechanism based on dynamic data flow analysis. To fix the exploited integer overflows, SoupInt generates patches and deploys them at existing, relevant validation check points inside the program. By leveraging existing error handlers for programmer-anticipated errors to deal with the unanticipated integer overflows, these patches enable the program to survive future attacks that exploit the same integer overflows. We have implemented a SoupInt prototype that works directly on x86 binaries. We evaluated SoupInt with various input formats and a number of real-world integer overflow vulnerabilities in commodity software, including Adobe Reader and Adobe Flash Player. The results show that SoupInt can accurately locate the exploited integer overflow vulnerabilities and generate patches in minutes.
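The abstract's patching strategy, illustrated here with a constructed example that is not SoupInt's code or output: a size computation overflows before the program's own validation check, and the patch is placed at that same check point and routed to the same error handler. The constant names, `reject_input` and both `alloc_elements_*` functions are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed illustration, not SoupInt's own code. A parser reads an
 * attacker-controlled element count and derives a buffer size from it.
 * This is the classic integer-overflow-to-buffer-overflow pattern: the
 * product count * ELEM_SIZE wraps, the existing "too large" check passes
 * on the wrapped value, and a later copy of count elements overflows. */
#define ELEM_SIZE 16u          /* assumed fixed element size */
#define MAX_BUF   (1u << 20)   /* assumed programmer-chosen size limit */

/* Programmer-anticipated error handler that already exists in the program. */
static int reject_input(void) { return -1; }

/* Before: the only validation point checks the (possibly wrapped) product. */
int alloc_elements_vulnerable(uint32_t count, size_t *out_size) {
    uint32_t size = count * ELEM_SIZE;      /* wraps once count >= 2^28 */
    if (size > MAX_BUF)
        return reject_input();              /* anticipated error path */
    *out_size = size;                       /* wrapped size escapes here */
    return 0;
}

/* After: the overflow guard is deployed at the same validation point and
 * reuses the same handler, so an attack input is rejected rather than
 * reaching the copy that would corrupt memory. */
int alloc_elements_patched(uint32_t count, size_t *out_size) {
    if (count > UINT32_MAX / ELEM_SIZE)     /* multiplication would wrap */
        return reject_input();              /* reuse existing error path */
    uint32_t size = count * ELEM_SIZE;      /* now cannot wrap */
    if (size > MAX_BUF)
        return reject_input();
    *out_size = size;
    return 0;
}
```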




Copyright information

© 2014 Springer International Publishing Switzerland


Cite this paper

Wang, T., Song, C., Lee, W. (2014). Diagnosis and Emergency Patch Generation for Integer Overflow Exploits. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_14


  • DOI: https://doi.org/10.1007/978-3-319-08509-8_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8
