Undangle: Early detection of dangling pointers in use-after-free and double-free vulnerabilities

2012 International Symposium on Software Testing and Analysis, ISSTA 2012 - Proceedings

Volumn , Issue , 2012, Pages 133-143

  Caballero, Juan ^a   Grieco, Gustavo ^a   Marron, Mark ^a   Nappa, Antonio ^a  

^a IMDEA SOFTWARE INSTITUTE   (Spain)

Author keywords

Automated testing; binary analysis; debugging; dynamic analysis

Indexed keywords

AUTOMATED TESTING; BINARY ANALYSIS; DANGLING POINTERS; DETECTION TECHNIQUE; FIREFOX; FIREFOX WEB BROWSER; ROOT CAUSE; RUNTIME APPROACH; VULNERABILITY ANALYSIS;

COMPUTER DEBUGGING; DYNAMIC ANALYSIS; SOFTWARE TESTING; WORLD WIDE WEB;

WEB BROWSERS;

EID: 84865306275     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/04000800.2336769     Document Type: Conference Paper

References (53)

1. Cve-2010-3962. October 2010. http://cve.mitre.org/cgibin/cvename.cgi? name=CVE-2010-3962.
2. Dep, Emet Protect Against Attacks On The Latest Internet Explorer Vulnerability. November 2010. http://blogs.technet.com/b/srd/archive/2010/11/03/ dep-emet-protect-againstattacks-on-the-latest-internet-explorervulnerability. aspx.
3. Defence In Depth: Internet Explorer 0-day: Cve-2010-3971. January 2011. http://www.defenceindepth.net/2011/01/internet-explorer-0-day-cve-2010-3971. html/.
4. . Common Vulnerabilities And Exposures. http://cve.mitre.org/cve/.
5. A. Alexandrescu. Modern C++ Design: Generic Programming And Design Patterns Appliedc. Addison-Wesley, 2001.
6. D. Avots, M. Dalton, B. V. Livshits, and M. S. Lam. Improving Software Security With A C Pointer Analysis. ICSE, May 2005.
7. J. Afek and A. Sharabani. Dangling Pointer - Smashing The Pointer For Fun And Profit. BlackHat USA, July 2007.
8. P. Akritidis. Cling: A Memory Allocator To Mitigate Dangling Pointers. USENIX Security, July 2010.
9. T. M. Austin, S. E. Breach, and G. S. Sohi. Efficient Detection Of All Pointer And Array Access Errors. PLDI, June 1994.
10. H.-J. Boehm and M. Weiser. Garbage Collection In An Uncooperative Environment. Software - Practice and Experience, 18, September 1988.
11. E. D. Berger and B. Zorn. Diehard: Probabilistic Memory Safety For Unsafe Programming Languages. PLDI, June 2006.
12. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: A System For Automatically Generating Inputs Of Death Using Symbolic Execution. CCS, Oct. 2006.
13. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum. Understanding Data Lifetime Via Whole System Simulation. USENIX Security, Aug. 2004.
14. J. Caballero. Grammar And Model Extraction For Security Applications Using Dynamic Program Binary Analysis. Ph.D. Thesis, Department of Electrical and Computer Engineering, Carnegie Mellon University, September 2010.
15. J. Caballero and D. Song. Rosetta: Extracting Protocol Semantics Using Binary Analysis With Applications To Protocol Replay And nat Rewriting. Cylab, Carnegie Mellon University, Technical Report CMU-CyLab-07-014, Oct. 2007.
16. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-engineering. CCS, Nov. 2009.
17. J. Caballero, P. Poosankam, S. McCamant, D. Babic, and D. Song. Input Generation Via Decomposition And Re-stitching: Finding Bugs In Malware. CCS, Oct. 2010.
18. J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic Extraction Of Protocol Message Format Using Dynamic Binary Analysis. CCS, Oct. 2007.
19. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end Containment Of Internet Worms. SOSP, Oct. 2005.
20. D. Dhurjati and V. Adve. Efficiently Detecting All Dangling Pointer Uses In Production Servers. DSN, June 2006.
21. D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory Safety Without Runtime Checks Or Garbage Collection. LCTES, June 2003.
22. I. Dobrovitski. Exploit For Cvs Double Free() For Linux Pserver. February 2003. http://archives.neohapsis.com/archives/fulldisclosure/2003-q1/0545.html.
23. W. Drewry and T. Ormandy. Flayer: Exposing Application Internals. WOOT, Aug. 2007.
24. d0cs4vage. Insecticides Don't Kill Bugs, Patch Tuesdays Do. June 2011. http://esploit.blogspot.com/2011/06/cve-2011-1260-recent-ie-0day-exploit.html.
25. P. Godefroid, N. Klarlund, and K. Sen. Dart: Directed Automated Random Testing. PLDI, June 2005.
26. Z. Gu, E. T. Barr, D. J. Hamilton, and Z. Su. Has The Bug Really Been Fixed? ICSE, May 2010.
27. Google. Rewarding Web Application Security Research. Nov. 2010. http://googleonlinesecurity.blogspot.com/2010/11/rewarding-webapplication- security.html.
28. R. Hastings and B. Joyce. Purify: Fast Detection Of Memory Leaks And Access Errors. USENIX Winter, 1992.
29. T. Jim, G. J. Morrisett, D. Grossman, M. W. Hicks, J. Cheney, and Y. Wang. Cyclone: A Safe Dialect Of C. USENIX ATC, June 2002.
30. R. W. M. Jones and P. H. J. Kelly. Backwards-compatible Bounds Checking For Arrays And Pointers In C Programs. International Workshop on Automated Debugging, May 1997.
31. J. Lee, T. Avgerinos, and D. Brumley. Tie: Principled Reverse Engineering Of Types In Binary Programs. NDSS, Feb. 2011.
32. Z. Lin, X. Zhang, and D. Xu. Automatic Reverse Engineering Of Data Structures From Binary Execution. NDSS, Feb. 2010.
33. D. Molnar, X. C. Li, and D. A. Wagner. Dynamic Test Generation To Find Integer Bugs In X86 Binary Linux Programs. USENIX Security, Aug. 2009.
34. B. P. Miller, L. Fredriksen, and B. So. An Empirical Study Of The Reliability Of Unix Utilities. Communications of the ACM, 33, December 1990.
35. J. Newsome and D. Song. Dynamic Taint Analysis For Automatic Detection, Analysis, And Signature Generation Of Exploits On Commodity Software. NDSS, Feb. 2005.
36. S. Nagarakatte, J. Zhao, M. M. K. Martin, and S. Zdancewic. Cets: Compiler-enforced Temporal Safety For C. ISMM, June 2010.
37. G. C. Necula, S. McPeak, and W. Weimer. Ccured: Type-safe Retrofitting Of Legacy Code. POPL, Jan. 2002.
38. R. O'Callahan. Mitigating Dangling Pointer Bugs Using Frame Poisoning. October 2010. http://weblogs.mozillazine.org/roc/archives/2010/10/mitigating- dang.html.
39. B. Perens. Electric Fence Malloc Debugger. July 2011. http://perens.com/FreeSoftware/ElectricFence/.
40. A. Slowinska, T. Stancescu, and H. Bos. Howard: A Dynamic Excavator For Reverse Engineering Data Structures. NDSS, Feb. 2011.
41. A. Schneider. 0-day Exploit Used In A Targeted Attack Cve-2011-1255. June 2011. http://labs.m86security.com/tag/cve-2011-1255/.
42. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure Program Execution Via Dynamic Information Flow Tracking. ASPLOS, Oct. 2004.
43. W. Xu, D. C. DuVarney, and R. Sekar. An Efficient And Backwards-compatible Transformation To Ensure Memory Safety Of C Programs. FSE, Oct. 2004.
44. K. Zetter. Hack Of Google, Adobe Conducted Through Zero-day Ie Flaw. January 2010. http://www.wired.com/threatlevel/2010/01/hack-of-adob.
45. Bf3: Browser Fuzzer 3. http://www.aldeid.com/wiki/Bf3.
46. Exploits Database By Offensive Security. http://www.exploit-db.com/.
47. Bugzilla@mozilla: Bug 634986. https://bugzilla.mozilla.org/show-bug.cgi? id=634986.
48. Bugzilla@mozilla: Bug 630919. https://bugzilla.mozilla.org/show-bug.cgi? id=630919.
49. Page Heap For Chromium. July 2011. http://www.chromium.org/developers/ testing/page-heap-for-chrome.
50. qemu: Open Source Processor Emulator. http://wiki.qemu.org.
51. temu: The Bitblaze Dynamic Analysis Component. http://bitblaze.cs. berkeley.edu/temu.html.
52. Valgrind. July 2011. http://valgrind.org/.
53. Mozilla Developer Network: Xpcom.https://developer.mozilla.org/en/XPCOM.