200 likes | 210 Views
Learn how IntScope detects integer overflow in X86 binaries by combining taint analysis and symbolic execution. Explore implementation, evaluation results, strengths, and weaknesses.
E N D
IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue University and Peking University Annapurna Sagi
Contents • Introduction • Overview of Intscope • Implementation • Evaluation and results • Strengths • Weakness
Introduction • What is an integer overflow? An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space.
Integer Overflow Example #include <stdio.h> Int main(void) { Printf (“1073741245*4= %d\n”,1073741245*4); Return 0; } Output= 0
Features of Integer Overflow. • Untrusted Source • Various types of sinks • Memory allocation • Memory access • Branch statement • Incomplete or improper sanitization checks
An Untrusted source Incomplete check Integer Overflow Sensitive operator Heap Overflow Unsigned int x=read_int()------> If(x>oxfffff)------> Abort(); Unsigned int n= x*sizeof(int);--> Char*p=malloc(n)--> Read_int_into_buf(p,x)---->
Idea of IntScope • Symbolically executing the x86 Binary on an intermediate representation. • Using Taint analysis • Using Lazy Checking
Pre-Process procedure • De compiler Translate it into Intermediate Representation (PANDA) Constructs the control flow graph (G) and call graph (C) • Component Extractor Extract from C the candidate functions that are common ancestors connecting source to a sink • Profile Constructor Computes a chop flow graph G’ based on G, that includes only source-sink paths in candidate sub-graphs.
Detection Procedure • Symbolically execute each path in the components Collect path constraints, and check the feasibility of the path (constraint solver) Track the propagation of untrusted (tainted) data Only check whether untrusted data causes integer overflows at sink points
L1 x=y=read_from_net() • L2 if(x==c) • L3 p=malloc(y);
Evaluation and Results • Detected integer overflow bugs in Windows DLLs • Detected bugs in several widely used applications Media player VLC
Strengths • A systematic method of combining taint analysis and path-sensitive symbolic execution to detect integer overflow vulnerabilities in executable. • A prototype called IntScope to analyze real-world binaries, which shows the approach is highly effective
Weakness • Lack of information on global variables may lead to false positives • Lack of information on intrinsic constraints between inputs leads to false positives. • No accurately simulation of block memory functions