International Conference on Compiler Construction

CC 2012: Compiler Construction, pp. 122–143

Static Detection of Unsafe Component Loadings


  • Taeho Kwon & Zhendong Su
  • Conference paper · 929 Accesses · 6 Citations

Part of the Lecture Notes in Computer Science book series (LNTCS, volume 7210)

Abstract

Dynamic loading of software components is a commonly used mechanism to achieve better flexibility and modularity in software. For an application’s runtime safety, it is important for the application to load only its intended components. However, programming mistakes may lead to failures to load a component, or even worse, to load a malicious component. Recent work has shown that these errors are both prevalent and severe, sometimes leading to remote code execution attacks. The work is based on dynamic analysis by monitoring and analyzing runtime component loadings. Although simple and effective in detecting real errors, it suffers from limited code coverage and may miss important vulnerabilities. Thus, it is desirable to develop effective techniques to detect all possible unsafe component loadings.

This paper presents the first static binary analysis aiming at detecting all possible loading-related errors. The key challenge is how to scalably and precisely compute what components may be loaded at relevant program locations. Our main insight is that this information is often determined locally from the component loading call sites. This motivates us to design a demand-driven analysis, working backward starting from the relevant call sites. In particular, for a given call site c, we first compute its context-sensitive executable slices, one for each execution context. Then we emulate the slices to obtain the set of components possibly loaded at c. This novel combination of slicing and emulation achieves good scalability and precision by avoiding expensive symbolic analysis. We implemented our technique and evaluated its effectiveness against the existing dynamic technique on nine popular Windows applications. Results show that our tool has better coverage and is precise—it is able to detect many more unsafe loadings. It is also scalable and finishes analyzing all nine applications within minutes.
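To make the demand-driven idea concrete, here is an added example in Python; it is not the authors' tool and not code from the paper. It assumes a tiny straight-line intermediate representation with `const`, `concat` and `call` instructions, functions with positional parameters, and a constructed sample program. For each `LoadLibraryA` call site it computes one backward slice per calling context, emulates the slice to obtain the concrete component name, and classifies the result with assumed rules: a bare file name is resolved through the loader's search order (the hijack-prone case the Microsoft DLL-security guidance warns about), a fully qualified path is not, and a name that cannot be determined statically is reported as unresolved.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Instr:
    op: str      # "const" | "concat" | "call"
    dst: str     # destination variable; variable names start with "%"
    args: tuple  # literals / variable names; for "call": (callee, arg, ...)

@dataclass(frozen=True)
class Func:
    params: tuple  # parameter variables, e.g. ("%p0",)
    body: tuple    # straight-line sequence of Instr (assumption: no branches)

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA"}

def is_var(x):
    return isinstance(x, str) and x.startswith("%")

def backward_slice(body, idx, var):
    # Walk backwards from idx collecting the instructions `var` depends on;
    # `needed` ends up holding what the slice leaves undefined (parameters).
    needed, picked = {var}, []
    for i in range(idx - 1, -1, -1):
        ins = body[i]
        if ins.dst in needed:
            picked.append(i)
            needed.discard(ins.dst)
            if ins.op != "call":  # call results are opaque here, so stop at them
                needed.update(a for a in ins.args if is_var(a))
    return sorted(picked), needed

def emulate(body, indices, env):
    # Execute only the sliced instructions; None means "unknown" and is sticky.
    env = dict(env)
    for i in indices:
        ins = body[i]
        if ins.op == "const":
            env[ins.dst] = ins.args[0]
        elif ins.op == "concat":
            parts = [env.get(a) if is_var(a) else a for a in ins.args]
            env[ins.dst] = None if None in parts else "".join(parts)
        else:
            env[ins.dst] = None
    return env

def resolve(program, func, idx, var, chain=()):
    # Yield (context, value): what `var` may hold at (func, idx), one entry
    # per calling context; parameters are resolved by slicing each caller.
    fn = program[func]
    idxs, free = backward_slice(fn.body, idx, var)
    free_params = [p for p in fn.params if p in free]
    if not free_params:
        yield chain, emulate(fn.body, idxs, {}).get(var)
        return
    sites = [(f, i) for f, g in program.items() for i, ins in enumerate(g.body)
             if ins.op == "call" and ins.args[0] == func and (f, i) not in chain]
    if not sites:  # e.g. an exported function whose callers lie outside the binary
        yield chain, None
    for cf, ci in sites:
        call, ctx = program[cf].body[ci], chain + ((cf, ci),)
        per_param = []
        for p in free_params:
            arg = call.args[1 + fn.params.index(p)]
            per_param.append(list(resolve(program, cf, ci, arg, ctx))
                             if is_var(arg) else [(ctx, arg)])
        for combo in product(*per_param):
            env = {p: v for p, (_, v) in zip(free_params, combo)}
            yield ctx, emulate(fn.body, idxs, env).get(var)

def classify(name):
    # Assumed rules (not the paper's): a bare name is looked up through the
    # loader's search order, the hijack-prone case; a fully qualified path is not.
    if name is None:
        return "unresolved"
    if "\\" not in name and "/" not in name:
        return "search-order"
    if name[1:3] == ":\\" or name.startswith("\\\\"):
        return "fully-qualified"
    return "relative-path"

def find_unsafe_loads(program):
    # Every loader call site, with the name it may load in each context.
    report = []
    for f, fn in program.items():
        for i, ins in enumerate(fn.body):
            if ins.op == "call" and ins.args[0] in LOADERS:
                spec = ins.args[1]
                outcomes = (list(resolve(program, f, i, spec))
                            if is_var(spec) else [((), spec)])
                report.extend((f, i, ctx, n, classify(n)) for ctx, n in outcomes)
    return report

# Constructed sample "binary": one helper reached from two contexts, plus an
# exported function whose argument cannot be determined from this module.
PROGRAM = {
    "main": Func((), (
        Instr("const", "%d", ("C:\\App\\",)),
        Instr("call", "%x", ("load_plugin", "%d")),   # context 1: directory supplied
        Instr("const", "%e", ("",)),
        Instr("call", "%y", ("load_plugin", "%e")),   # context 2: bare name
    )),
    "load_plugin": Func(("%p0",), (
        Instr("const", "%n", ("plugin.dll",)),
        Instr("concat", "%s", ("%p0", "%n")),
        Instr("call", "%h", ("LoadLibraryA", "%s")),  # the loading call site c
    )),
    "exported": Func(("%p0",), (
        Instr("call", "%h", ("LoadLibraryA", "%p0")),
    )),
}

if __name__ == "__main__":
    print(*find_unsafe_loads(PROGRAM), sep="\n")
```

Running the module prints one row per (call site, context). The same `load_plugin` site resolves to a fully qualified path from one caller and to a bare, search-order-resolved name from the other, which is why the slices are computed per execution context rather than once per call site; the `exported` function shows the analysis reporting "unresolved" instead of guessing when no caller is visible.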

Keywords

  • System Call
  • Static Detection
  • Component Loading
  • Target Component
  • Symbolic Analysis




Author information

Authors and Affiliations

  1. Department of Computer Science, University of California, Davis, USA

    Taeho Kwon & Zhendong Su


Editor information

Editors and Affiliations

  1. School for Informatics, University of Edinburgh, 10 Crichton Street, EH8 9AB, Edinburgh, UK

    Michael O’Boyle


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kwon, T., Su, Z. (2012). Static Detection of Unsafe Component Loadings. In: O’Boyle, M. (eds) Compiler Construction. CC 2012. Lecture Notes in Computer Science, vol 7210. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28652-0_7

  • DOI: https://doi.org/10.1007/978-3-642-28652-0_7
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-642-28651-3
  • Online ISBN: 978-3-642-28652-0
