Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs

doi:10.3969/j.issn.1671-1122.2017.05.003

Abstract

Abstract:

Integer overflow vulnerabilities have become the second largest threat to software security. The existing tools for mining integer overflow vulnerability do not support automatic exploitation. Neither do the automatic exploitation tools support integer overflow vulnerability. To fill the gaps we proposes an automatic exploitation method of integer overflow vulnerabilities in binary programs. Aiming at the valuable IO2BO vulnerability of integer overflow, firstly trying to avoid crashing in the process of buffer overflow, which would make hijacking control-flow fail. Secondly building suspicious taint set to reduce the scope of taints. Thirdly collecting the loops condition of reading and writing memory by taint analysis and symbolic execution. Lastly overwriting the critical data in the stack and heap by controlling the number of loops and generating new samples for testing by solving constraint. The proposed method can transform the automatic exploitation of IO2BO vulnerability into that of traditional buffer overflow vulnerability. The test results show that this method work well for the typical IO2BO vulnerabilities and could generate new samples for hijacking the control-flow of testing programs.

Key words: vulnerability exploitation, symbolic execution, taint analysis, integer overflow, buffer overflow

CLC Number:

TP311

Jianshan PENG, Qi XI, Qingxian WANG. Automatic Exploitation of Integer Overflow Vulnerabilities in Binary Programs[J]. Netinfo Security, 2017, 17(5): 14-21.

Figures/Tables 7

References 22

[1]	高川,严寒冰,贾子骁. 基于特征的网络漏洞态势感知方法研究[J]. 信息网络安全,2016(12):28-33.
[2]	CHRISTEY S, MARTIN R A. Vulnerability Type Distributions in CVE[EB/OL]. .
[3]	WANG T L, WEI T, LIN Z Q, et al. IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution[EB/OL].2009-2-11/2017-4-5.
[4]	MOLNAR D, LI X C, WAGNER D A.Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs[C]// USENIX SSYM’09 Proceedings of the 18th Conference on USENIX Security Symposium, August 10-14, 2009, Montreal, Canada. Berkeley:USENIX ,2009:67-82.
[5]	CHEN P, HAN H, WANG Y, et al.IntFinder: Automatically Detecting Integer Bugs in x86 Binary Program[C]// Springer. ICICS’09 Proceedings of the 11th International Conference on Information and Communications Security, December 14-17, 2009, Beijing, China. Berlin, Heidelberg:Springer, 2009:336-345.
[6]	STELIOS S D, ERIC L, NATHAN R, et al.Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement[J]. ACM Sigplan Notices, 2015, 50(4):473-486.
[7]	JAMES N, DAWN S.Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software[C]// Network and Distributed System Security Symposium, February 3-4, 2005, San Diego, California, USA. DBLP, 2005.Beijing:Chinese Journal of Engineering Mathematics , 2012 :720-724.
[8]	GODEFROID P, LEVIN M Y, MOLNAR D A. Automated Whitebox Fuzz Testing[EB/OL]. , 2017-4-5.
[9]	BRUMLEY D, POOSANKAM P, SONG D, et al.Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications[C]// IEEE. Security and Privacy, May 18-21, 2008, Oakland, California, USA. New York:IEEE, 2008:143-157.
[10]	HEELAN S, KROENING D. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities[EB/OL]. https://www.mendeley.com/research-papers/automatic-generation-control-flow-hijacking-exploits-software-vulnerabilities,2017-4-5.
[11]	SANG K C, AVGERINOS T, REBERT A, et al.Unleashing Mayhem on Binary Code[C]// IEEE. Security and Privacy, May 20-23, 2012, San Francisco, California, USA. New York:IEEE, 2012:380-394.
[12]	HUANG S K, HUANG M H, HUANG P Y, et al.CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations[C]// IEEE. Sixth International Conference on Software Security and Reliability, June 20-22, 2012, Washington, D.C., USA. New York:IEEE, 2012:78-87.
[13]	AHMAD D.The Rising Threat of Vulnerabilities Due to Integer Errors[C]// IEEE. Security and Privacy, May 11-14, 2003, Oakland, California, USA. New York:IEEE, 2003:77-82.
[14]	LEE J, AVGERINOS T, BRUMLEY D. TIE: Principled Reverse Engineering of Types in Binary Programs[EB/OL]. , 2017-4-5.
[15]	LIN Z, ZHANG X, XU D. Automatic Reverse Engineering of Data Structures from Binary Execution[EB/OL]. 2017-4-5.
[16]	DEBRARY S, MUTH R, WEIPPERT M.Alias Analysis of Executable Code[C]// ACM. POPL ‘98 Proceedings of the 25th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 19 - 21, 1998, San Diego, California, USA. New York:ACM, 1998:12-24.
[17]	ZHANG C, WANG T, WEI T, et al.IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time[C]// Springer.European Symposium on Research in Computer Security, September 20-22, 2010, Athens, Greece. Berlin, Heidelberg:Springer, 2010:71-86.
[18]	BRUMLEY D, JAGER I, AVGERINOS T, et al.BAP: A Binary Analysis Platform[C]// Springer.International Conference on Computer Aided Verification, July 14-20, 2011, Snowbird, Utah, USA. Berlin, Heidelberg:Springer, 2011:463-469.
[19]	KAMINSKY D, FERGUSON J, LARSEN J, et al.Reverse Engineering Code with IDA Pro[J]. Journal of the Royal Society for the Promotion of Health, 2008, 123(4):210-215.
[20]	SONG D, BRUMLEY D, YIN H, et al.BitBlaze: A New Approach to Computer Security via Binary Analysis[C]// Springer .Information Systems Security, December 16-20, 2008, Hyderabad, India. Berlin, Heidelberg:Springer, 2008:1-25.
[21]	Pin - A Dynamic Binary Instrumentation Tool[EB/OL]., 2015-1-30/2017-4-5.
[22]	陈颖聪,陈广清,陈智明,等. 面向智能电网SDN的二进制代码分析漏洞扫描方法研究[J]. 信息网络安全,2016(7):35-39.