Abstract
We present a new technique and system, DIODE, for automatically generating inputs that trigger overflows at memory allocation sites. DIODE is designed to identify relevant sanity checks that inputs must satisfy to trigger overflows at target memory allocation sites, then generate inputs that satisfy these sanity checks to successfully trigger the overflow. DIODE works with off-the-shelf, production x86 binaries. Our results show that, for our benchmark set of applications, and for every target memory allocation site exercised by our seed inputs (which the applications process correctly with no overflows), either 1) DIODE is able to generate an input that triggers an overflow at that site or 2) there is no input that would trigger an overflow for the observed target expression at that site.
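The abstract's notion of a target expression at an allocation site guarded by sanity checks, as an added C example that is not the paper's code or DIODE's output: a constructed image-header parser whose 32-bit size product at the malloc site can wrap even for inputs that pass its dimension checks, beside an overflow-checked form that rejects such inputs. The header fields, MAX_DIM and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header layout used only for this illustration. */
typedef struct { uint32_t width; uint32_t height; uint32_t bpp; } img_hdr;

#define MAX_DIM 65536u   /* hypothetical per-dimension sanity limit */

/* Sanity checks an input must satisfy to reach the allocation site at all;
 * an input rejected here never exercises the target expression. */
static bool passes_sanity_checks(const img_hdr *h) {
    return h->width != 0 && h->height != 0 &&
           h->width <= MAX_DIM && h->height <= MAX_DIM &&
           (h->bpp == 1 || h->bpp == 3 || h->bpp == 4);
}

/* Target expression as a vulnerable 32-bit product: the result wraps
 * modulo 2^32, so malloc would receive a size far smaller than the
 * pixel data the parser later copies into the buffer. */
static uint32_t vuln_alloc_size(const img_hdr *h) {
    return h->width * h->height * h->bpp;
}

/* Detection predicate: does the input pass every sanity check and still
 * wrap at the target expression? Compared against the exact 64-bit value. */
static bool wraps_at_target(const img_hdr *h) {
    if (!passes_sanity_checks(h)) return false;
    uint64_t exact = (uint64_t)h->width * h->height * h->bpp;
    return exact != vuln_alloc_size(h);
}

/* Hardened form: overflow-checked multiplication (GCC/Clang builtin).
 * Returns 0 on overflow so the caller rejects the input instead of
 * allocating a truncated buffer. */
static uint32_t safe_alloc_size(const img_hdr *h) {
    uint32_t a, b;
    if (!passes_sanity_checks(h)) return 0;
    if (__builtin_mul_overflow(h->width, h->height, &a)) return 0;
    if (__builtin_mul_overflow(a, h->bpp, &b)) return 0;
    return b;
}

int main(void) {
    img_hdr wrap = {65536, 32769, 4};   /* constructed: passes checks, wraps */
    printf("vulnerable size: %u, wraps: %d, hardened size: %u\n",
           vuln_alloc_size(&wrap), wraps_at_target(&wrap), safe_alloc_size(&wrap));
    return 0;
}
```

The constructed input has a true size of 8590196736 bytes, which the 32-bit product reduces to 262144; the hardened version returns 0 and the input is dropped.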
Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement
ASPLOS '15: Proceedings of the Twentieth International Conference on Architectural Support for Programming Languages and Operating Systems