DOI: 10.1145/2535838.2535888
Research article, Open Access

Sound input filter generation for integer overflow errors

Published: 08 January 2014

ABSTRACT

We present a system, SIFT, for generating input filters that nullify integer overflow errors associated with critical program sites such as memory allocation or block copy sites. SIFT uses a static program analysis to generate filters that discard inputs that may trigger integer overflow errors in the computations of the sizes of allocated memory blocks or the number of copied bytes in block copy operations. Unlike all previous techniques of which we are aware, SIFT is sound -- if an input passes the filter, it will not trigger an integer overflow error at any analyzed site. Our results show that SIFT successfully analyzes (and therefore generates sound input filters for) 56 out of 58 memory allocation and block memory copy sites in analyzed input processing modules from five applications (VLC, Dillo, Swfdec, Swftools, and GIMP). These nullified errors include six known integer overflow vulnerabilities. Our results also show that applying these filters to 62895 real-world inputs produces no false positives. The analysis and filter generation times are all less than a second.
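The abstract describes the shape of a SIFT filter without showing one. The following is an added illustration, written for this page and not code from the paper or from SIFT itself: a constructed 12-byte image header (width, height, bytes-per-pixel) feeds a 32-bit size computation at a malloc site, and the filter is the precondition under which that computation cannot wrap. The format, field names and function names are all assumptions made for the example; the point is the soundness property, that an input which passes the filter leaves the site's arithmetic exact.

```c
/* Added example (not from the paper): a sound input filter for one
 * allocation site, in the style of the filters the abstract describes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input format (assumption for this example): a 12-byte header
 * holding width, height and bytes-per-pixel as little-endian 32-bit fields. */
#define HEADER_LEN 12

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;
} image_header;

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Builds a constructed header so the example can run on in-memory input. */
void encode_header(uint32_t width, uint32_t height, uint32_t bpp,
                   unsigned char out[HEADER_LEN]) {
    uint32_t fields[3] = { width, height, bpp };
    for (int i = 0; i < 3; i++) {
        out[4 * i + 0] = (unsigned char)(fields[i] & 0xff);
        out[4 * i + 1] = (unsigned char)((fields[i] >> 8) & 0xff);
        out[4 * i + 2] = (unsigned char)((fields[i] >> 16) & 0xff);
        out[4 * i + 3] = (unsigned char)((fields[i] >> 24) & 0xff);
    }
}

bool parse_header(const unsigned char *buf, size_t len, image_header *h) {
    if (buf == NULL || len < HEADER_LEN) return false;
    h->width  = read_le32(buf);
    h->height = read_le32(buf + 4);
    h->bpp    = read_le32(buf + 8);
    return true;
}

/* The size computation as it stands at the allocation site: 32-bit unsigned
 * arithmetic that silently wraps, so a huge image can yield a tiny buffer. */
uint32_t site_alloc_size(const image_header *h) {
    return h->width * h->height * h->bpp;
}

/* The filter: a precondition on the input fields under which the site
 * computation cannot wrap. Each product is evaluated in 64 bits and bounded
 * before the next multiplication, so the 64-bit check itself is exact.
 * Soundness: if this returns true, site_alloc_size() equals the
 * mathematical product width * height * bpp. */
bool filter_accepts(const image_header *h) {
    uint64_t rows = (uint64_t)h->width * h->height;   /* both < 2^32: exact */
    if (rows > UINT32_MAX) return false;
    uint64_t total = rows * h->bpp;                   /* rows, bpp < 2^32: exact */
    return total <= UINT32_MAX;
}

/* 1 if the input passes the filter, 0 if it is rejected or malformed. */
int filter_input(const unsigned char *buf, size_t len) {
    image_header h;
    if (!parse_header(buf, len, &h)) return 0;
    return filter_accepts(&h) ? 1 : 0;
}

/* Allocation guarded by the filter: NULL instead of a wrapped-size buffer. */
unsigned char *alloc_pixels(const unsigned char *buf, size_t len) {
    image_header h;
    if (!parse_header(buf, len, &h) || !filter_accepts(&h)) return NULL;
    return malloc(site_alloc_size(&h));
}

int main(void) {
    unsigned char ok[HEADER_LEN], bad[HEADER_LEN];
    image_header h;
    encode_header(640, 480, 4, ok);            /* 1228800 bytes, fits in 32 bits */
    encode_header(0x10000, 0x10000, 1, bad);   /* 2^32 wraps to 0 at the site */
    parse_header(bad, HEADER_LEN, &h);
    printf("640x480x4     : filter=%d\n", filter_input(ok, HEADER_LEN));
    printf("65536x65536x1 : filter=%d, site would allocate %u bytes\n",
           filter_input(bad, HEADER_LEN), site_alloc_size(&h));
    return 0;
}
```

The filter is deliberately stronger than "the site did not crash": it rejects any header whose exact product exceeds what the site's 32-bit arithmetic can represent, which is the property the abstract calls soundness. A filter derived from a wider or narrower site computation would need its bound adjusted to that site's type, which is why the analysis is per site.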

Supplemental Material: d2_right_t9.mp4 (mp4, 312 MB)


Published in: POPL '14: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2014, 702 pages, ISBN 9781450325448, DOI 10.1145/2535838.

Copyright © 2014 Owner/Author. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 8 January 2014

Acceptance rates: POPL '14 accepted 51 of 220 submissions (23%); overall acceptance rate 824 of 4,130 submissions (20%).
