Skip to main content
SpringerLink
Log in
Book cover

International Conference on Information Security

ISC 2012: Information Security pp 151–167Cite as

Learning Fine-Grained Structured Input for Memory Corruption Detection

  • Conference paper

  • 1329 Accesses

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7483))

Abstract

Inputs to many application and server programs contain rich and consistent structural information. The propagation of such input in program execution could serve as accurate and reliable signatures for detecting memory corruptions. In this paper, we propose a novel approach to detect memory corruptions at the binary level. The basic insight is that different parts of an input are usually processed in different ways, e.g., by different instructions. Identifying individual parts in an input and learning the pattern in which they are processed is an attractive approach to detect memory corruptions. We propose a fine-grained dynamic taint analysis system to detect different fields in an input and monitor the propagation of these fields, and show that deviations from the execution pattern learned signal a memory corruption. We implement a prototype of our system and demonstrate its success in detecting a number of memory corruption attacks in the wild. In addition, we evaluate the overhead of our system and discuss its advantages over existing approaches and limitations.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Data execution protection, http://technet.microsoft.com/en-us/library/cc738483WS.10.aspx

  2. Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles, implementations, and applications. ACM Transactions on Information and System Security 13(1), 1–40 (2009)

    Article  Google Scholar 

  3. Akritidis, P., Cadar, C., Raiciu, C., Costa, M., Castro, M.: Preventing Memory Error Exploits with WIT. In: 2008 IEEE Symposium on Security and Privacy, pp. 263–277 (2008)

    Google Scholar 

  4. Bhatkar, S., DuVarney, D.: Address obfuscation: An efficient approach to combat a broad range of memory error exploits. In: Proceedings of USENIX Security (2003)

    Google Scholar 

  5. Bosman, E., Slowinska, A., Bos, H.: Minemu: The World’s Fastest Taint Tracker. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 1–20. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  6. Caballero, J., Yin, H., Liang, Z., Song, D.: Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In: Proceedings of CCS, pp. 317–329 (2007)

    Google Scholar 

  7. Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Proceedings of OSDI, pp. 147–160 (2006)

    Google Scholar 

  8. Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-hijacking attacks are realistic threats. In: Proceedings of USENIX Security (2005)

    Google Scholar 

  9. Clause, J., Doudalis, I., Orso, A., Prvulovic, M.: Effective memory protection using dynamic tainting. In: Proceedings of ASE, pp. 284–292 (2007)

    Google Scholar 

  10. Cowan, C., Pu, C., Maier, D., Hintony, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of USENIX Security (1998)

    Google Scholar 

  11. Cui, W., Peinado, M., Chen, K., Wang, H., Irun-Briz, L.: Tupni: Automatic reverse engineering of input formats. In: Proceedings of CCS, pp. 391–402 (2008)

    Google Scholar 

  12. Doudalis, I., Clause, J., Venkataramani, G., Prvulovic, M., Orso, A.: Effective and Efficient Memory Protection Using Dynamic Tainting. IEEE Transactions on Computers 61(1), 87–100 (2012)

    Article  MathSciNet  Google Scholar 

  13. Godefroid, P., Kiezun, A., Levin, M.Y.: Grammar-based whitebox fuzzing. In: Proceedings of PLDI, vol. 43, pp. 206–215 (2008)

    Google Scholar 

  14. Jim, T., Morrisett, G., Grossman, D., Hicks, M., Cheney, J., Wang, Y.: Cyclone: A safe dialect of C. In: Proceedings of USENIX ATC, pp. 275–288 (2002)

    Google Scholar 

  15. Lin, Z., Jiang, X., Xu, D., Zhang, X.: Automatic protocol format reverse engineering through context-aware monitored execution. In: Proceedings of NDSS (2008)

    Google Scholar 

  16. Lin, Z., Zhang, X.: Reverse Engineering Input Syntactic Structure from Program Execution and Its Applications. IEEE Transactions on Software Engineering 36(5), 688–703 (2010)

    Article  Google Scholar 

  17. Livshits, V.B., Lam, M.S.: Tracking pointers with path and context sensitivity for bug detection in C programs. In: Proceedings of FSE, vol. 28, pp. 317–326 (2003)

    Google Scholar 

  18. Nakka, N., Kalbarczyk, Z., Iyer, R.: Defeating Memory Corruption Attacks via Pointer Taintedness Detection. In: Proceedings of DSN, pp. 378–387 (2005)

    Google Scholar 

  19. National Institute of Standards and Technology: National vulnerability database statistics, http://web.nvd.nist.gov/view/vuln/statistics

  20. Necula, G.C., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy code. In: Proceedings of POPL, pp. 128–139 (2002)

    Google Scholar 

  21. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of NDSS (2005)

    Google Scholar 

  22. Qin, F., Wang, C., Li, Z., Kim, H.S., Zhou, Y., Wu, Y.: LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In: Proceedings of Micro, pp. 135–148 (2006)

    Google Scholar 

  23. Slowinska, A., Bos, H.: Pointless tainting? Evaluating the practicality of pointer tainting. In: Proceedings of EuroSys, pp. 61–74 (2009)

    Google Scholar 

  24. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: A New Approach to Computer Security via Binary Analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  25. Tsai, T., Singh, N.: Libsafe: transparent system-wide protection against buffer overflow attacks. In: Proceedings of DSN, pp. 541–550 (2002)

    Google Scholar 

  26. Younan, Y., Philippaerts, P., Cavallaro, L., Sekar, R., Piessens, F., Joosen, W.: PAriCheck: an efficient pointer arithmetic checker for C programs. In: Proceedings of AsiaCCS, pp. 145–156 (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer School of Wuhan University, Wuhan, China

    Lei Zhao & Lina Wang

  2. School of Information Systems, Singapore Management University, Singapore

    Lei Zhao & Debin Gao

Authors
  1. Lei Zhao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Debin Gao
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lina Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Institute of Security in Distributed Applications, University of Technology, Harburger Schlossstrasse 20, 21073, Hamburg, Germany

    Dieter Gollmann

  2. Department of Computer Science, University of Erlangen-Nürnberg, Am Wolfsmantel 46, 91058, Erlangen, Germany

    Felix C. Freiling

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhao, L., Gao, D., Wang, L. (2012). Learning Fine-Grained Structured Input for Memory Corruption Detection. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33383-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33382-8

  • Online ISBN: 978-3-642-33383-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation