DOI: 10.1145/3465481.3465771
short-paper

Integer Overflow Detection with Delayed Runtime Test

Published: 17 August 2021

Abstract

Detecting integer overflow vulnerabilities is critical for software security. Many techniques have been proposed to dynamically detect integer overflow vulnerabilities by instrumenting integer overflow tests into target programs. Their major drawback is that they can produce many false positives. In this paper, we propose an approach to eliminate the false positives that stem from ignoring, or incorrectly handling, the sanitization code that developers write in target programs to catch integer overflows.
Unlike prior work, which performs the integer overflow test at the arithmetic operation, our approach delays the test until the locations where the result of the arithmetic operation is about to be used by sensitive operations. This delay allows the sanitization code to filter out integer overflows before our integer overflow tests take place. As a result, the approach will not produce false positives for integer overflows that can be caught by the sanitization code.
We have implemented a prototype and our evaluation shows that it can effectively detect integer overflow vulnerabilities without producing false positives.
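
The difference between testing at the arithmetic operation and testing at the sensitive use, as an added C example that is not taken from the paper or its prototype. The shadow flag, the helper names (`shadow_u32`, `mul_u32`, `sink_alloc`, `alloc_checked`, `alloc_unchecked`) and the choice of an allocation size as the sensitive operation are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Counters standing in for the reports an instrumented build would emit. */
static int eager_reports, delayed_reports;

/* Shadow value (assumed mechanism): the 32-bit result plus a "wrapped" flag. */
typedef struct { uint32_t v; int wrapped; } shadow_u32;

static shadow_u32 mul_u32(uint32_t a, uint32_t b) {
    uint64_t wide = (uint64_t)a * b;
    shadow_u32 r = { (uint32_t)wide, wide > UINT32_MAX };
    if (r.wrapped) eager_reports++;   /* eager test: report at the arithmetic */
    return r;
}

/* Sensitive operation (allocation size): the delayed test sits here. */
static void *sink_alloc(shadow_u32 size) {
    if (size.wrapped) { delayed_reports++; return NULL; }
    return malloc(size.v);
}

/* Developer code WITH sanitization: a wrapped size never reaches the sink. */
static int alloc_checked(uint32_t count, uint32_t elem) {
    shadow_u32 size = mul_u32(count, elem);
    if (count != 0 && size.v / count != elem) return -1;  /* developer's check */
    free(sink_alloc(size));
    return 0;
}

/* Same code WITHOUT sanitization: the wrapped size is used for allocation. */
static int alloc_unchecked(uint32_t count, uint32_t elem) {
    shadow_u32 size = mul_u32(count, elem);
    void *p = sink_alloc(size);
    if (!p) return -1;
    free(p);
    return 0;
}

int main(void) {
    alloc_checked(0x10000u, 0x10000u);    /* wraps to 0, rejected by sanitizer */
    alloc_unchecked(0x10000u, 0x10000u);  /* wraps to 0, reaches the sink */
    /* Eager test reported both calls; delayed test only the unsanitized one. */
    return (eager_reports == 2 && delayed_reports == 1) ? 0 : 1;
}
```

The eager counter fires for the sanitized call as well, which is the false positive the abstract describes; the delayed counter fires only where the wrapped value actually reaches the sensitive operation.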



Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 August 2021


Author Tags

  1. integer overflow
  2. software vulnerability
  3. static analysis
  4. vulnerability detection

Qualifiers

  • Short-paper
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%


Cited By

  • (2024) Debloating Feature-Rich Closed-Source Windows Software. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). 10.1109/SANER60148.2024.00047 (400-405). Online publication date: 12-Mar-2024
  • (2023) Multiclass Classification of Software Vulnerabilities with Deep Learning. Proceedings of the 2023 15th International Conference on Machine Learning and Computing. 10.1145/3587716.3587738 (134-140). Online publication date: 17-Feb-2023
  • (2023) Targeted Symbolic Execution for UAF Vulnerabilities. 2023 7th International Conference on System Reliability and Safety (ICSRS). 10.1109/ICSRS59833.2023.10381130 (282-289). Online publication date: 22-Nov-2023
  • (2022) Learning-based Vulnerability Detection in Binary Code. Proceedings of the 2022 14th International Conference on Machine Learning and Computing. 10.1145/3529836.3529926 (266-271). Online publication date: 18-Feb-2022
  • (2022) Runtime Recovery for Integer Overflows. 2022 6th International Conference on System Reliability and Safety (ICSRS). 10.1109/ICSRS56243.2022.10067783 (324-330). Online publication date: 23-Nov-2022
  • (2022) The final security problem in IOT: Don’t count on the canary! 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC). 10.1109/DSC55868.2022.00090 (599-604). Online publication date: Jul-2022
  • (2022) Semantic-Aware Vulnerability Detection. 2022 IEEE International Conference on Cyber Security and Resilience (CSR). 10.1109/CSR54599.2022.9850330 (68-75). Online publication date: 27-Jul-2022
