ABSTRACT
This paper presents a fully automated technique to find and trigger Use-After-Free (UAF) vulnerabilities in binary code. The approach combines a static analyzer with a dynamic symbolic execution engine. We also introduce several original heuristics for the dynamic symbolic execution part, speeding up the exploration and making this combination effective in practice. The tool we developed is open-source and has been applied successfully to real-world vulnerabilities. As an example, we detail a proof-of-concept exploit triggering a previously unknown vulnerability in JasPer, leading to CVE-2015-5221.