Abstract
Recently, integer bugs have increased sharply and have become a notorious source of serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect integer bugs in an x86 binary program. We implement IntFinder as a combination of static and dynamic analysis. First, IntFinder decompiles the x86 binary code and creates a set of suspect instructions. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which of them are actual integer bugs when the program is run on error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces, by static analysis, the number of instructions that must be inspected. Experimental results are quite encouraging: IntFinder has detected integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves low false positive and false negative rates.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Chen, P. et al. (2009). IntFinder: Automatically Detecting Integer Bugs in x86 Binary Program. In: Qing, S., Mitchell, C.J., Wang, G. (eds) Information and Communications Security. ICICS 2009. Lecture Notes in Computer Science, vol 5927. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11145-7_26
DOI: https://doi.org/10.1007/978-3-642-11145-7_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11144-0
Online ISBN: 978-3-642-11145-7