Research article. DOI: 10.1145/2976749.2978403

Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-Bit Platforms

Published: 24 October 2016

Abstract

Subtle flaws in integer computations are a prime source for exploitable vulnerabilities in system code. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, making the migration of code a notable security challenge. In this paper, we provide the first study on how code that works as expected on 32-bit platforms can become vulnerable on 64-bit platforms. To this end, we systematically review the effects of data model changes between platforms. We find that the larger width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in program code. We empirically evaluate the prevalence of these flaws on the source code of Debian stable ("Jessie") and 200 popular open-source projects hosted on GitHub. Moreover, we discuss 64-bit migration vulnerabilities that have been discovered as part of our study, including vulnerabilities in Chromium, the Boost C++ Libraries, libarchive, the Linux Kernel, and zlib.
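The abstract's point about flaws that lie dormant until the data model changes, as an added example that is not code from the paper: a length check that is sound under ILP32 (int and size_t both 32 bits wide) but bypassable under LP64, beside a width-neutral version. BUF_SIZE and the function names are assumptions.

```c
/* Added example, not code from the paper: a length check that is sound on an
 * ILP32 platform but becomes bypassable on LP64, where size_t is 64 bits and
 * the narrowing to int silently truncates. Function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE 256u  /* destination buffer the check is meant to protect (assumed) */

/* Legacy check of the kind the paper studies: the length arrives as size_t
 * but is narrowed to int before comparing. With a 32-bit size_t nothing is
 * lost; with a 64-bit size_t, 0x100000010 (4 GiB + 16) narrows to 16 and the
 * check passes although the caller would go on to copy 4 GiB. */
static int legacy_length_ok(size_t len)
{
    int n = (int)len;  /* implementation-defined narrowing; gcc/clang keep the low 32 bits */
    return n >= 0 && (unsigned)n <= BUF_SIZE;
}

/* Width-neutral check: compare in the original type and never narrow first. */
static int checked_length_ok(size_t len)
{
    return len <= BUF_SIZE;
}

/* True when the host's data model makes the truncation above possible. */
static int size_t_wider_than_int(void)
{
    return sizeof(size_t) > sizeof(int);
}

/* Returns 1 if a length exists that the legacy check accepts and the
 * width-neutral check rejects, i.e. the dormant flaw is live on this host. */
static int legacy_check_diverges(void)
{
    if (!size_t_wider_than_int())
        return 0;  /* a 32-bit size_t cannot even hold the probe value */
    size_t probe = (size_t)UINT32_MAX + 17u;  /* 0x100000010 on a 64-bit size_t */
    return legacy_length_ok(probe) && !checked_length_ok(probe);
}

int main(void)
{
    printf("sizeof(int)=%zu sizeof(long)=%zu sizeof(size_t)=%zu sizeof(void*)=%zu\n",
           sizeof(int), sizeof(long), sizeof(size_t), sizeof(void *));
    printf("legacy length check bypassable on this host: %s\n",
           legacy_check_diverges() ? "yes" : "no");
    return 0;
}
```

Compiling the same file with -m32 and without it shows the two outcomes the abstract describes: the check is correct on the 32-bit build and diverges on the 64-bit one, with no change to the source.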


Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749

Publisher: Association for Computing Machinery, New York, NY, United States
Author Tags: data models; integer-based vulnerabilities; software security

Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions (16%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
