Finding Buffer Overflow Inducing Loops in Binary Executables

Vulnerability analysis is one of the important components of overall software assurance practice. Buffer overflow (BoF) is one example of such vulnerabilities, and it is still the root cause of many effective attacks. A common practice for finding BoF is to look for the presence of certain functions that manipulate string buffers, such as the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering the destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and that these are therefore equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs and evaluated it on real-world x86 binary executables. The results obtained show that this simple yet efficient vulnerability pattern is very effective in practice at retrieving real vulnerabilities, while drastically reducing the portion of the code that must be analysed.
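To make the loop shape concrete, the following C snippet is an added illustration and is not code from the paper or its analysis tool. It shows a hand-coded strcpy-like loop whose exit condition depends only on the source (the BOIL pattern the abstract describes) beside a bounded variant whose exit condition also depends on the destination capacity. The function names `copy_unbounded` and `copy_bounded` and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* BOIL pattern (constructed example): bytes move from src to dst until a
 * terminator is seen, and nothing in the loop refers to dst's capacity.
 * Behaviourally this is strcpy written by hand, which is exactly the kind
 * of loop the paper's analysis looks for in binaries. */
void copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {      /* loop exit depends only on the source */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened form: the loop exit also tests the destination size, so the
 * write index can never reach dst_len. Returns the number of bytes copied,
 * or -1 if src did not fit (dst is still NUL-terminated and truncated). */
long copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return -1;                /* nowhere to put even the terminator */
    size_t i = 0;
    while (i < dst_len - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -1;
}

int main(void)
{
    char small[8];                /* constructed destination buffer */

    /* Inputs chosen to fit, so the unbounded copy is shown without overflowing. */
    copy_unbounded(small, "hello");
    printf("unbounded copy: \"%s\"\n", small);

    long n = copy_bounded(small, sizeof small, "this is too long");
    printf("bounded copy: \"%s\" (result %ld, -1 means truncated)\n", small, n);
    return 0;
}
```

When reviewing a decompiled loop, the question the bounded version answers is whether any term of the loop condition is derived from the destination's size; a loop whose condition is built only from the source data is the pattern to flag.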
