Transcript ppt

IntScope: Automatically Detecting
Integer Overflow Vulnerability in x86
Binary Using Symbolic Execution
• Tielei Wang, Tao Wei, Zhiqiang Lin, Wei Zou
• Purdue University and Peking University
• Annapurna Sagi
Contents
• Introduction
• Overview of IntScope
• Implementation
• Evaluation and results
• Strengths
• Weakness
Introduction
• What is an integer overflow?
An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space.
Integer Overflow Example
#include <stdio.h>
int main(void)
{
    /* 1073741824 is 2^30; multiplying it by 4 gives 2^32, which does not fit
       in a 32-bit int and wraps to 0 (signed overflow is undefined behaviour
       in C; compilers constant-fold this expression to the wrapped value) */
    printf("1073741824*4= %d\n", 1073741824 * 4);
    return 0;
}
Output: 0
Integer Overflow Growth (number of vulnerabilities per year)
Year   Num
2000     1
2001     2
2002     5
2003    29
2004    40
2005    66
2006    96
2007   124
Features of Integer Overflow
• Untrusted source
• Various types of sinks
  Memory allocation
  Memory access
  Branch statement
• Incomplete or improper sanitization checks
unsigned int x = read_int();       /* an untrusted source */
if (x > 0xfffff)                   /* incomplete check */
    abort();
unsigned int n = x * sizeof(int);  /* integer overflow */
char *p = malloc(n);               /* sensitive operator */
read_int_into_buf(p, x);           /* heap overflow */
Idea of IntScope
• Symbolically executing the x86 binary on an intermediate representation
• Using taint analysis
• Using lazy checking
Overview of IntScope
Pre-process procedure
• Decompiler
  Translates the binary into an intermediate representation (PANDA)
  Constructs the control flow graph (G) and the call graph (C)
• Component Extractor
  Extracts from C the candidate functions that are common ancestors connecting a source to a sink
• Profile Constructor
  Computes a chopped flow graph G' based on G that includes only the source-sink paths in the candidate sub-graphs
Detection Procedure
• Symbolically execute each path in the components
  Collect path constraints and check the feasibility of the path (constraint solver)
  Track the propagation of untrusted (tainted) data
  Only check whether untrusted data causes integer overflows at sink points
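As an added illustration of the detection procedure above (not code from the IntScope paper or its PANDA-based implementation): a toy path-sensitive, taint-aware check in Python that models the slide's read_int/malloc program with one untrusted input, keeps the path constraints as an interval, and performs the lazy overflow check only where tainted data reaches the allocation sink. The names Sym, Path, check_sink and analyze_alloc, the interval representation, and sizeof(int) == 4 are my assumptions; the real tool uses a constraint solver over its IR.

```python
from dataclasses import dataclass

UINT32_MAX = 0xFFFFFFFF  # the sink takes a 32-bit unsigned size, as on the slide

@dataclass(frozen=True)
class Sym:
    """Symbolic value coef*input + const over one untrusted 32-bit input;
    it is tainted exactly while it still depends on the input (coef != 0)."""
    coef: int = 0
    const: int = 0

    def __mul__(self, k: int) -> "Sym":
        return Sym(self.coef * k, self.const * k)

class Path:
    """Path constraints, kept as an interval [lo, hi] on the untrusted input."""
    def __init__(self) -> None:
        self.lo, self.hi = 0, UINT32_MAX

    def feasible(self) -> bool:
        return self.lo <= self.hi

    def assume(self, v: Sym, op: str, k: int) -> "Path":
        """Record the branch condition `v op k` (op is '<=', '>' or '==')."""
        assert v.coef > 0, "only input-monotone expressions are modelled"
        q, r = divmod(k - v.const, v.coef)
        if op == "<=":
            self.hi = min(self.hi, q)
        elif op == ">":
            self.lo = max(self.lo, q + 1)
        else:  # '==': exactly one input value satisfies it, or none (empty interval)
            self.lo, self.hi = (max(self.lo, q), min(self.hi, q)) if r == 0 else (1, 0)
        return self

    def max_value(self, v: Sym) -> int:
        return v.coef * self.hi + v.const

def check_sink(path: Path, v: Sym) -> bool:
    """Lazy check: flag an overflow only when tainted data reaching the sink can
    exceed UINT32_MAX on a feasible path; untainted sizes are never reported."""
    return path.feasible() and v.coef != 0 and path.max_value(v) > UINT32_MAX

def analyze_alloc(bound: int) -> bool:
    """Path of the slide's program that reaches the sink:
    x = read_int(); if (x > bound) abort(); n = x * sizeof(int); malloc(n)"""
    x = Sym(coef=1)                       # untrusted source
    path = Path().assume(x, "<=", bound)  # the abort() branch was not taken
    n = x * 4                             # sizeof(int) == 4 assumed; not checked here
    return check_sink(path, n)            # the multiplication is checked only at the sink
```

With a bound of 0x3FFFFFFF the product still fits and nothing is reported; with 0x40000000 or a missing check it is flagged, and the infeasible abort() path never reaches the sink.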
Implementation
Chopping the CFG G into G'
Symbolic Execution
• L1 x = y = read_from_net();
• L2 if (x == c)
• L3 p = malloc(y);
Evaluation and Results
• Detected integer overflow bugs in Windows DLLs
• Detected bugs in several widely used applications
  Media player
  VLC
Strengths
• A systematic method of combining taint analysis and path-sensitive symbolic execution to detect integer overflow vulnerabilities in executables.
• A prototype called IntScope to analyze real-world binaries, which shows the approach is highly effective.
Weakness
• Lack of information on global variables may lead to false positives.
• Lack of information on intrinsic constraints between inputs leads to false positives.
• No accurate simulation of block memory functions.
Thank you…!!