IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution

Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009

Volumn , Issue , 2009, Pages

  Wang, Tielei ^a   Wei, Tao ^a   Lin, Zhiqiang ^b   Zou, Wei ^a  

^a PEKING UNIVERSITY   (China)

^b PURDUE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

FLOW GRAPHS; MODEL CHECKING; SENSITIVE DATA; ZERO-DAY ATTACK;

DATA-FLOW ANALYSIS; INTEGER OVERFLOW; INTEGER OVERFLOWS VULNERABILITIES; INTERMEDIATE REPRESENTATIONS; PATH SENSITIVES; SENSITIVE DATAS; SYMBOLIC EXECUTION;

DATA FLOW ANALYSIS;

EID: 81355161883     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (54)

1. Automated vulnerability auditing in machine code. http://www.phrack.com/issues.html?issue=64&id=8.
2. BitBlaze: The BitBlaze Binary Analysis Platform Project. http://bitblaze.cs.berkeley.edu/index.html.
3. CLN: Class Library for Numbers. http://www.ginac.de/CLN/.
4. CodeSurfer: Automated Source-code Analysis Tool. http://www.grammatech.com/products/codesurfer/.
5. Cve: Vulnerability type distributions. http://cwe.mitre.org/documents/vuln-trends/index.html.
6. CXimage: Image Processing and Conversion Library. http://www.xdp.it/cximage.htm.
7. FAAD2: A MPEG-4 and MPEG-2 AAC Decoder. http://www.audiocoding.com/faad2.html.
8. GiNaC: A Free Computer Algebra Aystem. http://www.ginac.de/.
9. GMP: GNU Multiple Precision Arithmetic Library. http://gmplib.org/.
10. GOOM: Visual Effects Generator. http://www.iossoftware.com/.
11. Hamsterdb: A Lightweight Embedded Database. http://hamsterdb.com/.
12. Ida pro. http://www.hex-rays.com/idapro/.
13. Malware attack exploiting flash zero day vulnerability. http://ddanchev.blogspot.com/2008/05/malware-attackexploiting-flash-zero.html.
14. MPD:Music Player Daemon. http://www.musicpd.org/.
15. MPlayer: The Movie Player. http://www.mplayerhq.hu/.
16. National vulnerability database. http://nvd.nist.gov/.
17. Qcow2: The QCOW2 Image Format. www.gnome.org/ markmc/qcow-image-format.html.
18. QEMU: An Open Source Processor Emulator. http://www.qemu.org/.
19. QEMU Buffer Overflow Vulnerability. http://www.frsirt.com/english/advisories/2008/2919.
20. The Xen Hypervisor. http://www.xen.org/.
21. UQBT: A Resourceable and Retargetable Binary Translator. http://www.itee.uq.edu.au/ cristina/uqbt.html.
22. Vine: BitBlaze Static Analysis Component. http://bitblaze.cs.berkeley.edu/vine.html.
23. VLC: Media Player and Streaming Server. http://www.videolan.org/vlc/.
24. Windows Metafile AttemptWrite Heap Overflow. http://research.eeye.com/html/advisories/published/AD20070814b.html.
25. Xine: A Free Video Player. http://xinehq.de/.
26. Zero day exploit alert: Webviewfoldericon setslice vulnerability. http://research.eeye.com/html/alerts/AL20061002.html.
27. Zero day exploit in pdf with adobe reader. http://it.slashdot.org/article.pl?sid=07/09/22/1040225.
28. A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman. Compilers: Princiles, Techniques, and Tools (Second Edition). Addison-Wesley, 2006.
29. K. Ashcraft and D. Engler. Using programmer-written compiler extensions to catch security holes. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, California, USA, May, 2002.
30. G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 executables. In Proceedings of the 13th International Conference on Compiler Construction, pages 5–23, 2004.
31. G. Balakrishnan and T. Reps. Divine: Discovering variables in executables. In Proceedings of Internation Conf. on Verification Model Checking and Abstract Interpretation (VMCAI), 2007.
32. D. Brumley, T. cker Chiueh, R. Johnson, H. Lin, and D. Song. Rich: Automatically protecting against integer-based vulnerabilities. In Proceedings of the 14th Annual Network and Distributed System Security Symposium (NDSS’07), 2007.
33. D. Brumley, C. Hartwig, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, D. Song, and H. Yin. Bitscope: Automatically dissecting malicious binaries, 2007. Technical Report CMU-CS-07-133, Carnegie Mellon University.
34. D. Brumley, P. Poosankam, D. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, May, 2008.
35. C. Cadar, D. Dunbar, and D. Engler. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In USENIX Symposium on Operating Systems Design and Implementation (OSDI’08), San Diego, CA, 2008.
36. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: automatically generating inputs of death. In Proceedings of the 13th ACM conference on Computer and communications security (CCS’06), pages 322–335, 2006.
37. E. Ceesay, J. Zhou, M. Gertz, K. Levitt, and M. Bishop. Using type qualifiers to analyze untrusted integers and detecting security flaws in c programs. In Detection of Intrusions and Malware & Vulnerability Assessment, 2006.
38. S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In Proceedings of the 14th conference on USENIX Security Symposium, pages 12–12, 2005.
39. E. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 2988 of Lecture Notes in Computer Science, pages 168–176. Springer, 2004.
40. M. V. Emmerik and T. Waddington. Using a decompiler for real-world source recovery. In Proceedings of the 11th Working Conference on Reverse Engineering, pages 27–36, 2004.
41. J. S. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualifiers. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (PLDI’02), pages 1–12, Berlin, Germany, 2002.
42. V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In Computer Aided Verification (CAV’07), Berlin, Germany, July 2007. Springer-Verlag.
43. P. Godefroid, N. Klarlund, and K. Sen. Dart: directed automated random testing. In Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation (PLDI’05), pages 213–223, 2005.
44. P. Godefroid, M. Levin, and D. Molnar. Automated white-box fuzz testing. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), San Diego, CA, February 2008.
45. D. Gopan and T. Reps. Low-level library analysis and summarization. In 19th International Conference on Computer Aided Verification (CAV’07), Berlin, Germany, 2007.
46. Z. Lin, X. Zhang, and D. Xu. Convicting exploitable software vulnerabilities: An efficient input provenance based approach. In Proceedings of the 38th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’08), Anchorage, Alaska, USA, June 2008.
47. T. Reps, G. Balakrishnan, and J. Lim. Intermediate-representation recovery from low-level code. In Proceedings of the 2006 ACM SIGPLAN Workshop on Partial Evaluation and Semantics-based Program Manipulation, Charleston, South Carolina, USA, 2006.
48. T. Reps, G. Balakrishnan, J. Lim, and T. Teitelbaum. A next-generation platform for analyzing executables. In The Third Asian Symposium on Programming Languages and Systems, Tsukuba, Japan, 2005.
49. D. Sarkar, M. Jagannathan, J. Thiagarajan, and R. Venkatapathy. Flow-insensitive static analysis for detecting integer anomalies in programs. In Proceedings of the 25th conference on IASTED International Multi-Conference, pages 334–340, Anaheim, CA, USA, 2007. ACTA Press.
50. K. Sen, D. Marinov, and G. Agha. Cute: a concolic unit testing engine for c. In Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering, pages 263–272, 2005.
51. T. Wei, J. Mao, W. Zou, and Y. Chen. A new algorithm for identifying loops in decompilation. In 14th International Static Analysis Symposium (SAS’07), volume 4634 of Lecture Notes in Computer Science, pages 170–183. Springer, 2007.
52. T. Wei, J. Mao, W. Zou, and Y. Chen. Structuring 2-way branches in binary executables. In 31st Annual International Computer Software and Applications Conference (COMP-SAC’07), 2007.
53. R. Wojtczuk. Uqbtng: a tool capable of automatically finding integer overflows in win32 binaries. In 22nd Chaos Communication Congress, 2005.
54. Y. Xie, A. Chou, and D. Engler. Archer: using symbolic, path-sensitive analysis to detect memory access errors. SIGSOFT Softw. Eng. Notes, 28(5):327–336, 2003.