1 / 20

Tielei Wang, TaoWei , ZhingiangLin , weiZou Purdue University and Peking University

IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution. Tielei Wang, TaoWei , ZhingiangLin , weiZou Purdue University and Peking University Annapurna Sagi. Contents . Introduction Overview of Intscope Implementation

stefaniea
Download Presentation

Tielei Wang, TaoWei , ZhingiangLin , weiZou Purdue University and Peking University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue University and Peking University Annapurna Sagi

  2. Contents • Introduction • Overview of Intscope • Implementation • Evaluation and results • Strengths • Weakness

  3. Introduction • What is an integer overflow? An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space.

  4. Integer Overflow Example #include <stdio.h> Int main(void) { Printf (“1073741245*4= %d\n”,1073741245*4); Return 0; } Output= 0

  5. Integer Overflow growth Vulnerabilities

  6. Features of Integer Overflow. • Untrusted Source • Various types of sinks • Memory allocation • Memory access • Branch statement • Incomplete or improper sanitization checks

  7. An Untrusted source Incomplete check Integer Overflow Sensitive operator Heap Overflow Unsigned int x=read_int()------> If(x>oxfffff)------> Abort(); Unsigned int n= x*sizeof(int);--> Char*p=malloc(n)--> Read_int_into_buf(p,x)---->

  8. Idea of IntScope • Symbolically executing the x86 Binary on an intermediate representation. • Using Taint analysis • Using Lazy Checking

  9. Overview of IntScope

  10. Pre-Process procedure • De compiler Translate it into Intermediate Representation (PANDA) Constructs the control flow graph (G) and call graph (C) • Component Extractor Extract from C the candidate functions that are common ancestors connecting source to a sink • Profile Constructor Computes a chop flow graph G’ based on G, that includes only source-sink paths in candidate sub-graphs.

  11. Detection Procedure • Symbolically execute each path in the components Collect path constraints, and check the feasibility of the path (constraint solver) Track the propagation of untrusted (tainted) data Only check whether untrusted data causes integer overflows at sink points

  12. Implementation

  13. Chopping the CFG G in to G’

  14. Symbolic Execution

  15. L1 x=y=read_from_net() • L2 if(x==c) • L3 p=malloc(y);

  16. Evaluation and Results • Detected integer overflow bugs in Windows DLLs • Detected bugs in several widely used applications Media player VLC

  17. Strengths • A systematic method of combining taint analysis and path-sensitive symbolic execution to detect integer overflow vulnerabilities in executable. • A prototype called IntScope to analyze real-world binaries, which shows the approach is highly effective

  18. Weakness • Lack of information on global variables may lead to false positives • Lack of information on intrinsic constraints between inputs leads to false positives. • No accurately simulation of block memory functions

  19. Thank you…!!

More Related