DOI: 10.1145/3015135.3015137
Research article

Finding the needle in the heap: combining static analysis and dynamic symbolic execution to trigger use-after-free

Published: 05 December 2016

ABSTRACT

This paper presents a fully automated technique to find and trigger Use-After-Free (UAF) vulnerabilities in binary code. The approach combines a static analyzer with a dynamic symbolic execution (DSE) engine: the static analyzer reports candidate allocation/free/use sequences, and DSE then searches for a concrete input that actually reaches them in that order. We also introduce several original heuristics for the DSE part that speed up the exploration and make the combination effective in practice. The tool we developed is open source and has been applied successfully to real-world vulnerabilities. As an example, we detail a proof-of-concept input triggering a previously unknown vulnerability in JasPer, which led to CVE-2015-5221.
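The following is an added example to make the alloc/free/use sequence the abstract talks about concrete; it is not the paper's tool, not JasPer code, and not the CVE-2015-5221 bug. The decoder, its input format (`in[0]` length, `in[1]` chunk marker, `in[2]`/`in[3]` length fields) and the helper names `t_alloc`, `t_free`, `t_is_dangling`, `t_reset` are all invented for this demo. The static part of the approach corresponds to spotting the three labelled sites in `decode`; the DSE part corresponds to solving the path condition `in[1] == 0x7e && in[2] > in[3]` so that the free site is executed before the use site on the same run. The tracker quarantines freed memory so that the dangling use is reported instead of becoming undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the paper's tool, not JasPer code): a constructed
 * decoder with an input-dependent alloc/free/use sequence, plus a tiny
 * allocation tracker that reports a dangling use instead of letting it
 * corrupt memory.  Names and the input format are invented for this demo. */

#define MAX_BLOCKS 16

struct block { unsigned char *base; size_t size; int freed; };
static struct block blocks[MAX_BLOCKS];
static int nblocks;

/* Allocate and register a block (zero-filled, at least one byte). */
static unsigned char *t_alloc(size_t n)
{
    if (nblocks == MAX_BLOCKS) return NULL;
    size_t sz = n ? n : 1;
    unsigned char *p = calloc(sz, 1);
    if (!p) return NULL;
    blocks[nblocks].base = p;
    blocks[nblocks].size = sz;
    blocks[nblocks].freed = 0;
    nblocks++;
    return p;
}

/* Free site: mark the block freed but keep the memory quarantined, so a
 * later dangling use is observable here rather than undefined behaviour. */
static void t_free(unsigned char *p)
{
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].base == p) blocks[i].freed = 1;
}

/* Use site check: 1 if p points into a block that has already been freed. */
static int t_is_dangling(const unsigned char *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < nblocks; i++) {
        uintptr_t lo = (uintptr_t)blocks[i].base;
        if (blocks[i].freed && a >= lo && a < lo + blocks[i].size) return 1;
    }
    return 0;
}

/* Release quarantined memory between runs. */
static void t_reset(void)
{
    for (int i = 0; i < nblocks; i++) free(blocks[i].base);
    nblocks = 0;
}

struct ctx { unsigned char *buf; size_t len; };

/* Constructed input format: in[0] = buffer length, in[1] = chunk marker,
 * in[2], in[3] = two length fields.  Returns 1 when this run reaches the use
 * site through a dangling pointer, 0 otherwise (including on short input). */
int decode(const unsigned char *in, size_t n)
{
    struct ctx c;
    int uaf;

    if (n < 4) return 0;
    c.len = in[0];
    c.buf = t_alloc(c.len);                 /* alloc site */
    if (!c.buf) return 0;

    /* Error path: an inconsistent chunk releases the buffer ... */
    if (in[1] == 0x7e && in[2] > in[3]) {
        t_free(c.buf);                      /* free site */
        /* bug: c.buf is not set to NULL, so it dangles from here on */
    }

    /* ... but the common path still writes through c.buf. */
    uaf = t_is_dangling(c.buf);             /* use site */
    if (!uaf) c.buf[0] = in[3];

    t_reset();
    return uaf;
}

int main(void)
{
    /* Constructed inputs: one solves the free-site path condition, one does not. */
    const unsigned char trigger[4] = { 0x08, 0x7e, 0x05, 0x01 };
    const unsigned char benign[4]  = { 0x08, 0x00, 0x05, 0x01 };
    printf("trigger input: uaf=%d\n", decode(trigger, sizeof trigger));
    printf("benign input:  uaf=%d\n", decode(benign, sizeof benign));
    return 0;
}
```

Build with `cc -std=c99 -Wall uaf_demo.c` (file name assumed). The point of the example is the gap between the two halves of the approach: the static pass can tell you that `t_alloc`, `t_free` and the write through `c.buf` lie on a common path, but only a run whose input satisfies the guard on the free site actually demonstrates the bug, and on a random input that guard is rarely true.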


Published in

SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering (ACM Other conferences)
December 2016, 85 pages
ISBN: 9781450348416
DOI: 10.1145/3015135
Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States



Acceptance rate: 6 of 13 submissions (46%)
