
Capturing Invalid Input Manipulations for Memory Corruption Diagnosis

Published: 01 March 2023

Abstract

Memory corruption diagnosis, especially at the binary level where all high-level program abstractions are missing, is a tedious and time-consuming task. Given a crash, memory corruption diagnosis is expected not only to locate the root cause of the vulnerability but also to deliver rich semantics for understanding it. Existing techniques can barely satisfy these requirements. In this article, we present MemRay, a dynamic memory corruption diagnosis technique. The insight behind our approach is that most memory corruption is caused by malformed inputs, which in turn lead the vulnerable program to manipulate those inputs by referencing invalid data structures. We design the "data structure reference sequence" to characterize how a program references various data structures while manipulating its inputs. We then identify memory corruption by detecting violations in these data-structure-based input manipulations. We demonstrate the effectiveness of MemRay on a wide range of memory-corruption vulnerabilities. The results show that MemRay precisely locates the root cause of vulnerabilities. Moreover, the "data structure reference" enables MemRay to deliver rich semantics and context information to assist vulnerability diagnosis on binary code.
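The following is an added illustration of the insight stated in the abstract; it is not code from the MemRay paper or its authors, and it assumes a toy TLV message format and a hypothetical `Record` layout (a 16-byte payload followed by a 32-bit checksum) chosen only for the example. A deliberately trusting parser copies a length-prefixed payload into `Record.payload`; an instrumented store records every reference as an entry of a "data structure reference sequence" (site, expected structure, actual structure) and stops at the first reference that lands in a structure the copy site was never meant to touch. With a well-formed length the sequence stays inside `Record.payload`; with a malformed length the 17th reference of the copy site hits `Record.checksum`, and that entry is what a diagnosis would report as the root cause rather than a later crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record the parser fills (assumption for this example, not from the paper):
   16 payload bytes directly followed by a 4-byte checksum, so no padding sits between them. */
typedef struct {
    uint8_t  payload[16];
    uint32_t checksum;
} Record;

/* Each field a reference site may touch is tracked as its own data structure ("region"). */
enum { REG_PAYLOAD = 0, REG_CHECKSUM = 1, REG_COUNT = 2 };
static const char *region_names[REG_COUNT] = { "Record.payload", "Record.checksum" };

typedef struct { uintptr_t start, end; } Region;      /* [start, end) */
typedef struct { Region regions[REG_COUNT]; } Layout;

/* One entry of the data structure reference sequence. */
typedef struct {
    int    site;      /* which reference site in the program performed the access */
    int    expected;  /* region the site is supposed to manipulate */
    int    actual;    /* region the address actually falls in, -1 if unmapped */
    size_t offset;    /* byte offset from the start of the expected region */
} RefEntry;

#define MAX_REFS 300
typedef struct {
    RefEntry entries[MAX_REFS];
    size_t   count;
    int      violation;  /* index of the first entry with actual != expected, -1 if none */
} RefTrace;

enum { SITE_PAYLOAD_COPY = 1 };  /* the only instrumented reference site in this toy parser */

static void layout_init(Layout *l, const Record *r) {
    l->regions[REG_PAYLOAD]  = (Region){ (uintptr_t)r->payload,   (uintptr_t)r->payload + sizeof r->payload };
    l->regions[REG_CHECKSUM] = (Region){ (uintptr_t)&r->checksum, (uintptr_t)&r->checksum + sizeof r->checksum };
}

static int region_of(const Layout *l, const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < REG_COUNT; i++)
        if (a >= l->regions[i].start && a < l->regions[i].end) return i;
    return -1;
}

/* Instrumented store: append the reference to the sequence and refuse it when the address
   belongs to a different data structure than the one this site is meant to manipulate. */
static int checked_store(RefTrace *t, const Layout *l, int site, int expected, uint8_t *dst, uint8_t val) {
    if (t->count >= MAX_REFS) return -1;  /* trace full: stop rather than lose entries */
    int actual = region_of(l, dst);
    t->entries[t->count] = (RefEntry){ site, expected, actual,
                                       (size_t)((uintptr_t)dst - l->regions[expected].start) };
    int idx = (int)t->count++;
    if (actual != expected) {
        if (t->violation < 0) t->violation = idx;
        return -1;
    }
    *dst = val;
    return 0;
}

/* Vulnerable-by-design TLV parser: msg[0] = type, msg[1] = len, msg[2 .. 2+len) = payload.
   The source side is bounds-checked, but len is trusted on the destination side, so a malformed
   len > 16 drives the copy into Record.checksum. Returns 0 on success, -1 on a truncated
   message, -2 when the reference monitor stops an invalid input manipulation. */
static int parse_message(const uint8_t *msg, size_t msg_len, Record *out, RefTrace *trace) {
    Layout l;
    layout_init(&l, out);
    trace->count = 0;
    trace->violation = -1;
    if (msg_len < 2 || (size_t)msg[1] + 2 > msg_len) return -1;
    memset(out, 0, sizeof *out);
    size_t len = msg[1];
    for (size_t i = 0; i < len; i++) {
        /* At i == 16 the pointer is one past the payload array, which is &out->checksum in this
           layout; the monitor rejects it, so no pointer beyond that is ever formed. */
        if (checked_store(trace, &l, SITE_PAYLOAD_COPY, REG_PAYLOAD, out->payload + i, msg[2 + i]) < 0)
            return -2;
    }
    for (size_t i = 0; i < sizeof out->payload; i++) out->checksum += out->payload[i];
    return 0;
}

/* Constructed sample input (not from the paper): type 0x01, the given len, payload 'A','B',... */
static int parse_constructed(uint8_t len, Record *r, RefTrace *t) {
    uint8_t msg[2 + 255];
    msg[0] = 0x01;
    msg[1] = len;
    for (size_t i = 0; i < len; i++) msg[2 + i] = (uint8_t)('A' + i % 26);
    return parse_message(msg, 2 + (size_t)len, r, t);
}

/* Diagnosis helpers: position of the first violating reference and the structure it hit. */
static int violation_index(uint8_t len) {
    Record r; RefTrace t;
    parse_constructed(len, &r, &t);
    return t.violation;
}
static int violation_region(uint8_t len) {
    Record r; RefTrace t;
    parse_constructed(len, &r, &t);
    return t.violation < 0 ? -1 : t.entries[t.violation].actual;
}

static void report(const RefTrace *t) {
    if (t->violation < 0) { puts("no invalid data structure reference"); return; }
    const RefEntry *e = &t->entries[t->violation];
    printf("site %d: expected %s, referenced %s at byte %zu (reference #%d of %zu)\n",
           e->site, region_names[e->expected],
           e->actual < 0 ? "<unmapped>" : region_names[e->actual], e->offset, t->violation, t->count);
}

int main(void) {
    Record r; RefTrace t;
    parse_constructed(8, &r, &t);  report(&t);   /* well-formed input: sequence stays in payload */
    parse_constructed(20, &r, &t); report(&t);   /* malformed len: copy crosses into checksum */
    return 0;
}
```

The monitor deliberately refuses the offending store instead of letting it through, so the example stays memory-safe while still exposing the point at which the input manipulation leaves the expected structure. A real binary-level tool has no field names to start from and must recover the layout of `Record` itself; here the layout is given, and only the reference bookkeeping is shown.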



Published In

IEEE Transactions on Dependable and Secure Computing, Volume 20, Issue 2, March-April 2023, 885 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States


Qualifiers

  • Research-article
