
Improving Accuracy of Static Integer Overflow Detection in Binary

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404)

Abstract

Integer overflow presents a major source of security threats to information systems. However, current solutions are less effective in detecting integer overflow vulnerabilities: they either produce unacceptably high false positive rates or cannot generate concrete inputs towards vulnerability exploration. This limits the usability of these solutions in analyzing real-world applications, especially those in the format of binary executables.

In this paper, we present a platform, called INDIO, for accurately detecting integer overflow vulnerabilities in Windows binaries. INDIO integrates the techniques of pattern-matching (for quick identification of potential vulnerabilities), vulnerability ranking (for economic elimination of false positives), and selective symbolic execution (for rigorous elimination of false positives). As a result, INDIO can detect integer overflow with low false positive and false negative rates.

We have applied INDIO to several real-world, large Windows binaries, and the experimental results confirmed the effectiveness of INDIO: all known integer overflow vulnerabilities and two previously unknown ones were detected. The experiments also demonstrate that the vulnerability ranking technique and the other optimizations employed in INDIO significantly reduce false positives at economical cost.
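The three-stage triage the abstract describes, as an added toy model that is not INDIO's code: pattern-matched candidate sites are supplied as constructed data with invented addresses, candidates whose sanitized operand ranges cannot reach 2^32 are eliminated cheaply, and each survivor gets a concrete witness, standing in for the selective symbolic execution stage.

```python
"""Toy model (added example, not INDIO's code) of candidate elimination and
concrete witness generation for integer-overflow-to-allocation sites."""

WIDTH = 32            # assumed operand/result width of the x86 sites below
LIMIT = 1 << WIDTH    # first value that no longer fits in WIDTH bits

# Constructed candidates: an arithmetic result flows into an allocation size,
# and a preceding sanitization check leaves the inclusive operand ranges given.
# Addresses and instruction sequences are invented for illustration only.
CANDIDATES = [
    {"site": "0x401020 imul eax, ecx ; push eax ; call malloc",
     "op": "mul", "bounds": [(0, 100), (0, 16)]},           # both operands bounded
    {"site": "0x4010a0 imul eax, 0x18 ; push eax ; call HeapAlloc",
     "op": "mul", "bounds": [(0, LIMIT - 1), (24, 24)]},    # element count unchecked
    {"site": "0x4011f0 add eax, 0x10 ; push eax ; call malloc",
     "op": "add", "bounds": [(0, LIMIT - 17), (16, 16)]},   # check leaves no headroom
]

def max_result(op, bounds):
    """Largest mathematical (unwrapped) result over the unsigned operand ranges."""
    (_, hi_a), (_, hi_b) = bounds
    return hi_a * hi_b if op == "mul" else hi_a + hi_b

def can_overflow(op, bounds):
    """Cheap elimination: a false positive if even the operand maxima stay below LIMIT."""
    return max_result(op, bounds) >= LIMIT

def witness(op, bounds):
    """Concrete operands that wrap the result, or None. Pins the second operand to
    its maximum and solves for the smallest first operand that crosses LIMIT."""
    if not can_overflow(op, bounds):
        return None
    (lo_a, hi_a), (_, hi_b) = bounds
    a = -(-LIMIT // hi_b) if op == "mul" else LIMIT - hi_b   # integer ceiling
    a = max(a, lo_a)
    return (a, hi_b) if a <= hi_a else None

def wrapped_size(op, w):
    """The truncated allocation size the witness would actually produce."""
    a, b = w
    return (a * b if op == "mul" else a + b) % LIMIT

def triage(candidates):
    """(site, verdict, witness, wrapped size) per candidate, confirmed sites first."""
    rows = []
    for c in candidates:
        w = witness(c["op"], c["bounds"])
        size = wrapped_size(c["op"], w) if w else None
        rows.append((c["site"], "confirmed" if w else "eliminated", w, size))
    return sorted(rows, key=lambda r: r[1] != "confirmed")

if __name__ == "__main__":
    for row in triage(CANDIDATES):
        print(row)
```

The surviving HeapAlloc site yields a count of 178956971 that wraps the 24-byte-per-element size to just 8 bytes, the classic undersized allocation a detector wants to surface.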


Notes

  1. Vulnerability type distributions in CVE. CVE (2007), http://cve.mitre.org/docs/vuln-trends/vuln-trends.pdf.
  2. Hex-Rays Inc., https://www.hex-rays.com/products/ida/index.shtml (May 2015).
  3. Ref. CVE-2013-3195 and CVE-2013-7353.


Acknowledgments

We are grateful to Yi Zhang and the anonymous reviewers for their insightful comments and suggestions. This research was supported in part by the National Natural Science Foundation of China (Grant No. 61471344).

Author information

Corresponding author: Liang Cheng.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhang, Y. et al. (2015). Improving Accuracy of Static Integer Overflow Detection in Binary. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_12


  • DOI: https://doi.org/10.1007/978-3-319-26362-5_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5

  • eBook Packages: Computer Science (R0)
