Abstract
It usually takes a rather long time to generate patches for vulnerabilities. For example, an analysis of 21 recent Microsoft patches shows that it takes 115 days on average to generate and release a patch. The longer it takes to generate a patch, the higher the risk a vulnerable system has to bear. In the patch generation process, perhaps the core part is to find the vulnerable code in software from zero-day attacks or crash reports. However, this is not easy, since there are millions of instructions in an ordinary execution path. In this paper, we present VulLocator, a system that aims at automatically locating vulnerable code in software without requiring any source code. VulLocator can analyze different types of vulnerabilities, including stack/heap/integer overflow, double free, memory corruption, format string and division by zero. By generating a vulnerability dependence tree, it decreases the number of instructions that need to be analyzed (from millions of instructions to dozens of instructions). VulLocator can also generate a sample patch for temporarily defending against attacks. Analysts can also benefit from the information given by VulLocator to generate more fine-grained patches. Several experiments with real-world exploits were carried out on VulLocator. The results show that VulLocator can successfully find the vulnerable code in binary programs both effectively and efficiently.
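The following is an added illustration of the core idea behind a vulnerability dependence tree, not code from the paper (the authors' actual algorithm is not on this page): a dynamic backward slice from the crashing instruction, following data dependences through a recorded trace, so that thousands of trace instructions shrink to the handful that actually feed the crash. The trace, register and memory names, and the division-by-zero crash are all constructed assumptions.

```python
from collections import namedtuple

# One trace record: position in the trace, disassembly text, and the
# locations (registers or memory cells) the instruction defines and uses.
Insn = namedtuple("Insn", "idx text defs uses")


def build_trace():
    """Constructed trace: a short chain that derives a divisor from untrusted
    input, a long loop of unrelated filler, then a division that crashes."""
    trace = []

    def emit(text, defs, uses):
        trace.append(Insn(len(trace), text, frozenset(defs), frozenset(uses)))

    emit("mov eax, [input_len]", {"eax"}, {"input_len"})  # untrusted source
    emit("sub eax, 0x10", {"eax"}, {"eax"})
    emit("mov [count], eax", {"count"}, {"eax"})
    for i in range(2000):                                  # unrelated filler
        emit(f"add ecx, {i}", {"ecx"}, {"ecx"})
    emit("mov ebx, [count]", {"ebx"}, {"count"})
    emit("mov eax, [total]", {"eax"}, {"total"})
    emit("xor edx, edx", {"edx"}, set())
    emit("div ebx", {"eax", "edx"}, {"eax", "edx", "ebx"})  # crash: ebx == 0
    return trace


def backward_slice(trace, crash_idx):
    """Walk data dependences backwards from crash_idx. Returns the sorted
    slice indices and a tree mapping each instruction to the instructions
    that last defined the locations it uses."""
    tree, visited, worklist = {}, set(), [crash_idx]
    while worklist:
        i = worklist.pop()
        if i in visited:
            continue
        visited.add(i)
        tree[i] = []
        for loc in trace[i].uses:
            # Most recent earlier definer of this location; none means the
            # value entered the trace from outside (e.g. program input).
            for j in range(i - 1, -1, -1):
                if loc in trace[j].defs:
                    tree[i].append(j)
                    worklist.append(j)
                    break
    return sorted(visited), tree


if __name__ == "__main__":
    t = build_trace()
    sl, tree = backward_slice(t, len(t) - 1)
    print(f"{len(t)} instructions in trace, {len(sl)} in slice")
    for i in sl:
        print(f"{i:5d}  {t[i].text}  <- {sorted(tree[i])}")
```

Only the seven instructions on the path from `input_len` to `div ebx` survive the slice; the filler loop drops out entirely because nothing it defines is used by the crash.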
© 2013 Springer-Verlag Berlin Heidelberg
Zhang, Y., Chen, K., Lian, Y. (2013). VulLocator: Automatically Locating Vulnerable Code in Binary Programs. In: Deng, R.H., Feng, T. (eds) Information Security Practice and Experience. ISPEC 2013. Lecture Notes in Computer Science, vol 7863. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38033-4_21
DOI: https://doi.org/10.1007/978-3-642-38033-4_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38032-7
Online ISBN: 978-3-642-38033-4