Abstract
We present GUEB, a static tool that detects Use-After-Free vulnerabilities on disassembled code. The tool has been evaluated on a real vulnerability in the ProFTPD application (CVE-2011-4130).
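To make concrete what a static Use-After-Free detector over disassembled code has to track, here is an added, deliberately simplified model written for this page. It is not GUEB's code and does not reproduce the paper's analysis: it handles a straight-line sequence of four hypothetical "instructions" (allocate, move between registers, free, use), identifies each heap object by its allocation site, and flags a use or a second free of an object that has already been freed, including through an alias created by a register-to-register move. The instruction set, register names and the two sample programs are constructed for the example.

```c
/* Added illustrative model of static use-after-free detection over a
 * straight-line instruction list. Not GUEB's own code; a toy that ignores
 * branches, calls, and pointers stored in memory. */
#include <stdio.h>
#include <string.h>

/* Hypothetical instruction kinds: registers hold pointers, and every heap
 * object is identified by the instruction that allocated it. */
typedef enum { OP_ALLOC, OP_FREE, OP_USE, OP_MOV } OpKind;

typedef struct {
    OpKind kind;
    int dst;   /* register written (ALLOC, MOV) or read (FREE, USE) */
    int src;   /* source register for MOV; ignored otherwise */
} Insn;

#define NREGS  8
#define MAXOBJ 16

/* Abstract state: which object each register points to, and which objects
 * have already been freed. */
typedef struct {
    int reg_obj[NREGS];  /* object id per register, -1 if unknown */
    int freed[MAXOBJ];   /* 1 once the object has been freed */
    int nobj;            /* number of allocation sites seen so far */
} State;

/* What the analysis reports for one program. */
typedef struct {
    int uaf_count;        /* USE instructions touching a freed object */
    int first_uaf_pc;     /* index of the first offending USE, -1 if none */
    int double_free_count;/* FREE instructions on an already freed object */
} Report;

static void state_init(State *s) {
    for (int i = 0; i < NREGS; i++) s->reg_obj[i] = -1;
    memset(s->freed, 0, sizeof s->freed);
    s->nobj = 0;
}

/* Walk the program once, in order, updating the abstract state. */
Report analyze(const Insn *prog, int n) {
    State s;
    Report r = { 0, -1, 0 };
    state_init(&s);
    for (int pc = 0; pc < n; pc++) {
        const Insn *in = &prog[pc];
        switch (in->kind) {
        case OP_ALLOC:
            /* fresh object id; the destination register now points to it */
            s.reg_obj[in->dst] = (s.nobj < MAXOBJ) ? s.nobj++ : -1;
            break;
        case OP_MOV:
            /* aliasing: both registers now refer to the same object */
            s.reg_obj[in->dst] = s.reg_obj[in->src];
            break;
        case OP_FREE: {
            int o = s.reg_obj[in->dst];
            if (o >= 0) {
                if (s.freed[o]) r.double_free_count++;
                s.freed[o] = 1;  /* the object stays freed for every alias */
            }
            break;
        }
        case OP_USE: {
            int o = s.reg_obj[in->dst];
            if (o >= 0 && s.freed[o]) {
                r.uaf_count++;
                if (r.first_uaf_pc < 0) r.first_uaf_pc = pc;
            }
            break;
        }
        }
    }
    return r;
}

/* Constructed sample: r0 = alloc; r1 = r0; free(r0); use(r1).
 * The use goes through the alias r1, so the detector must follow the MOV. */
static const Insn sample_uaf[] = {
    { OP_ALLOC, 0, 0 }, { OP_MOV, 1, 0 }, { OP_FREE, 0, 0 }, { OP_USE, 1, 0 },
};
/* Constructed sample: r0 = alloc; free(r0); r0 = alloc; use(r0).
 * The register is re-pointed to a fresh object before the use: no report. */
static const Insn sample_ok[] = {
    { OP_ALLOC, 0, 0 }, { OP_FREE, 0, 0 }, { OP_ALLOC, 0, 0 }, { OP_USE, 0, 0 },
};
/* Constructed sample: r0 = alloc; r1 = r0; free(r0); free(r1): double free. */
static const Insn sample_double_free[] = {
    { OP_ALLOC, 0, 0 }, { OP_MOV, 1, 0 }, { OP_FREE, 0, 0 }, { OP_FREE, 1, 0 },
};

Report analyze_sample_uaf(void)         { return analyze(sample_uaf, 4); }
Report analyze_sample_ok(void)          { return analyze(sample_ok, 4); }
Report analyze_sample_double_free(void) { return analyze(sample_double_free, 4); }

int main(void) {
    Report a = analyze_sample_uaf(), b = analyze_sample_ok(), c = analyze_sample_double_free();
    printf("uaf sample:         uaf=%d first_pc=%d double_free=%d\n", a.uaf_count, a.first_uaf_pc, a.double_free_count);
    printf("ok sample:          uaf=%d first_pc=%d double_free=%d\n", b.uaf_count, b.first_uaf_pc, b.double_free_count);
    printf("double-free sample: uaf=%d first_pc=%d double_free=%d\n", c.uaf_count, c.first_uaf_pc, c.double_free_count);
    return 0;
}
```

The alias case is the one that matters in practice: a detector that tracks "freed" as a property of the register rather than of the object it points to misses the use through `r1`. The model above also shows the main sources of imprecision a real tool has to address and this toy does not: a re-allocation into the same register is treated as a new object (sound here only because there is no path merging), and any pointer that escapes to memory or crosses a call would have to be modelled separately.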
Notes
In C for a better understanding, but our analysis operates at the assembly level.
This is the case, for instance, with the libc.
Making our analysis context-sensitive, but not applicable to recursive calls.
A better approximation could be provided if it is required for the exploitability analysis.
Additional information
This work was partially funded by the Binsec project (ANR-12-INSE-0002-01).
Cite this article
Feist, J., Mounier, L. & Potet, ML. Statically detecting use after free on binary code. J Comput Virol Hack Tech 10, 211–217 (2014). https://doi.org/10.1007/s11416-014-0203-1