DOI: 10.1145/2884781.2884820
Research article

IntEQ: recognizing benign integer overflows via equivalence checking across multiple precisions

Published: 14 May 2016

Abstract

Integer overflow (IO) vulnerabilities can be exploited by attackers to compromise computer systems. In the meantime, IOs can be used intentionally by programmers for benign purposes such as hashing and random number generation. Hence, differentiating exploitable and harmful IOs from intentional and benign ones is an important challenge. Doing so reduces the number of false positives produced by IO vulnerability detection techniques, helping developers or security analysts focus on fixing critical IOs without inspecting numerous false alarms. The difficulty of recognizing benign IOs lies mainly in inferring the intent of programmers from source code.
In this paper, we present a novel technique to recognize benign IOs via equivalence checking across multiple precisions. We determine if an IO is benign by comparing the effects of an overflowed integer arithmetic operation in the actual world (with limited precision) and the same operation in the ideal world (with sufficient precision to evade the IO). Specifically, we first extract the data flow path from the overflowed integer arithmetic operation to a security-related program point (i.e., sink) and then create a new version of the path using more precise types with sufficient bits to represent integers so that the IO can be avoided. Using theorem proving, we check whether these two versions are equivalent, that is, whether they yield the same values at the sink under all possible inputs. If so, the IO is benign. We implement a prototype, named IntEQ, based on the GCC compiler and the Z3 solver, and evaluate it using 26 harmful IO vulnerabilities from 20 real-world programs and 444 benign IOs from SPECINT 2000, SPECINT 2006, and 7 real-world applications. The experimental results show that IntEQ does not misclassify any harmful IO bugs (no false negatives) and recognizes 355 out of 444 (about 79.95%) benign IOs, whereas the state of the art can only recognize 19 benign IOs.
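As an added illustration (not code from the paper or the IntEQ prototype), the following Python models the equivalence check the abstract describes. Each data-flow path from the overflowing operation to its sink is written as a function of its inputs and a bit width; the "actual world" runs it at a narrow width where arithmetic wraps, the "ideal world" at a width wide enough that no overflow can occur, and the path is benign when both worlds agree at the sink for every input. The widths (8 and 16 bits), the bucket count and the two paths (a hash accumulator whose sink is a bucket index, and an allocation-size product whose sink is the number of bytes requested) are constructed for this example. IntEQ itself extracts paths from GCC's intermediate representation at the program's real types and discharges the "for every input" question with Z3; this model shrinks the widths so the input space can simply be enumerated.

```python
"""Toy model of IntEQ-style benign-overflow recognition (constructed example).

Each path is a function (inputs..., bits). The actual world runs it at
ACTUAL_BITS (wraparound), the ideal world at IDEAL_BITS (no overflow possible).
A path is benign if the sink value agrees in both worlds for every input.
IntEQ proves that with Z3; here the widths are small enough to enumerate.
"""
from itertools import product

ACTUAL_BITS = 8    # stands in for the program's real (e.g. 32-bit) type
IDEAL_BITS = 16    # wide enough to hold any product of two 8-bit operands
TABLE_SIZE = 16    # hash-table bucket count; a power of two (assumption)


def wrap(value, bits):
    """Reduce an integer to an unsigned value of `bits` width (wraparound)."""
    return value & ((1 << bits) - 1)


def path_hash(h, c, bits):
    """Hash accumulator: h = h * 31 + c, sink = bucket index h % TABLE_SIZE.

    The multiplication overflows at 8 bits, but the sink only observes the
    value modulo TABLE_SIZE, and TABLE_SIZE divides 2**ACTUAL_BITS, so the
    wrapped and unwrapped values give the same bucket.
    """
    h = wrap(h * 31 + c, bits)
    return h % TABLE_SIZE


def path_alloc(count, elem_size, bits):
    """Allocation size: total = count * elem_size, sink = bytes requested.

    The sink observes the full value, so a wrapped product means a smaller
    buffer than the caller expects (integer overflow to buffer overflow).
    """
    return wrap(count * elem_size, bits)


def check_equivalence(path, arity, actual_bits=ACTUAL_BITS, ideal_bits=IDEAL_BITS):
    """Return None if the path yields the same sink value in both worlds for
    every input, otherwise the first input tuple on which the worlds differ
    (a counterexample, the role Z3's model plays in IntEQ)."""
    domain = range(1 << actual_bits)
    for args in product(domain, repeat=arity):
        if path(*args, bits=actual_bits) != path(*args, bits=ideal_bits):
            return args
    return None


def classify(path, arity):
    """'benign' when the two precisions are equivalent at the sink; otherwise
    'reported' (the overflow is kept as a candidate vulnerability)."""
    counterexample = check_equivalence(path, arity)
    if counterexample is None:
        return "benign", None
    return "reported", counterexample


if __name__ == "__main__":
    for name, path in (("hash", path_hash), ("alloc", path_alloc)):
        verdict, cex = classify(path, arity=2)
        detail = "" if cex is None else f"  counterexample inputs {cex}"
        print(f"{name:5s}: {verdict}{detail}")
```

The hash path is accepted as benign and the allocation path is reported with the first inputs whose product no longer fits in eight bits. The check is sensitive to what the sink actually observes: changing TABLE_SIZE to a value that does not divide 2**ACTUAL_BITS makes the hash path non-equivalent as well, which is the correct answer, since the wrapped accumulator would then land in different buckets than the unwrapped one.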



Published In

ICSE '16: Proceedings of the 38th International Conference on Software Engineering, May 2016, 1235 pages. ISBN: 9781450339001. DOI: 10.1145/2884781.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: benign, equivalence checking, integer overflow, precision


Conference: ICSE '16

Acceptance Rate: 276 of 1,856 submissions, 15%

Cited By

  • (2024) IntTracer: Sanitization-aware IO2BO Vulnerability Detection across Codebases. Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings, pp. 447-449. DOI: 10.1145/3639478.3641223. Published 14 Apr 2024.
  • (2024) PASDA. Journal of Systems and Software, 213:C. DOI: 10.1016/j.jss.2024.112037. Published 1 Jul 2024.
  • (2023) A Comprehensive Taxonomy for Prediction Models in Software Engineering. Information, 14(2):111. DOI: 10.3390/info14020111. Published 10 Feb 2023.
  • (2021) IntRepair: Informed Repairing of Integer Overflows. IEEE Transactions on Software Engineering, 47(10):2225-2241. DOI: 10.1109/TSE.2019.2946148. Published 1 Oct 2021.
  • (2020) Integrity: Finding Integer Errors by Targeted Fuzzing. Security and Privacy in Communication Networks, pp. 360-380. DOI: 10.1007/978-3-030-63086-7_20. Published 12 Dec 2020.
  • (2019) Tolerating C Integer Error via Precision Elevation. IEEE Transactions on Computers, 68(2):270-286. DOI: 10.1109/TC.2018.2866388. Published 1 Feb 2019.
  • (2019) EasyFlow. Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings, pp. 23-26. DOI: 10.1109/ICSE-Companion.2019.00029. Published 25 May 2019.
