Finding Buffer Overflow Inducing Loops in Binary Executables

2012 IEEE Sixth International Conference on Software Security and Reliability Pub Date : 2012-06-20 DOI:10.1109/SERE.2012.30

Sanjay Rawat, L. Mounier

{"title":"Finding Buffer Overflow Inducing Loops in Binary Executables","authors":"Sanjay Rawat, L. Mounier","doi":"10.1109/SERE.2012.30","DOIUrl":null,"url":null,"abstract":"Vulnerability analysis is one among the important components of overall software assurance practice. Buffer overflow (BoF) is one example of the such vulnerabilities and it is still the root cause of many effective attacks. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers, like the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and therefore are equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs, and evaluated it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern happens to be very effective in practice to retrieve real vulnerabilities, providing a drastic reduction of the part of the code to be analysed.","PeriodicalId":191716,"journal":{"name":"2012 IEEE Sixth International Conference on Software Security and Reliability","volume":"100 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"29","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE Sixth International Conference on Software Security and Reliability","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SERE.2012.30","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 29

Abstract

Vulnerability analysis is one among the important components of overall software assurance practice. Buffer overflow (BoF) is one example of the such vulnerabilities and it is still the root cause of many effective attacks. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers, like the strcpy family. In these functions, data is moved from one buffer to another, within a loop, without considering destination buffer size. We argue that similar behaviour may also be present in many other functions that are coded separately, and therefore are equally vulnerable. In the present work, we investigate the detection of such functions by finding loops that exhibit similar behaviour. We call such loops Buffer Overflow Inducing Loops (BOIL). We implemented a lightweight static analysis to detect BOILs, and evaluated it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern happens to be very effective in practice to retrieve real vulnerabilities, providing a drastic reduction of the part of the code to be analysed.

查看原文本刊更多论文

在二进制可执行文件中查找缓冲区溢出诱导循环

漏洞分析是整个软件保障实践的重要组成部分之一。缓冲区溢出(BoF)是此类漏洞的一个例子，它仍然是许多有效攻击的根本原因。查找BoF的一般做法是查找操作字符串缓冲区的某些函数的存在，例如strcpy族。在这些函数中，数据在循环中从一个缓冲区移动到另一个缓冲区，而不考虑目标缓冲区的大小。我们认为，类似的行为也可能存在于许多其他单独编码的函数中，因此同样容易受到攻击。在目前的工作中，我们通过寻找表现出类似行为的循环来研究这些函数的检测。我们称这种循环为缓冲区溢出诱导循环(BOIL)。我们实现了一个轻量级的静态分析来检测疖子，并在实际的x86二进制可执行文件上对其进行评估。所获得的结果表明，这种(简单但有效的)漏洞模式在实际中非常有效地检索真正的漏洞，从而大大减少了需要分析的代码部分。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2012 IEEE Sixth International Conference on Software Security and Reliability

自引率

0.00%

发文量