DOI: 10.1145/3639478.3641223
short-paper

IntTracer: Sanitization-aware IO2BO Vulnerability Detection across Codebases

Published: 23 May 2024

Abstract

The Integer Overflow to Buffer Overflow (IO2BO) vulnerability is a common vulnerability pattern in system software and can be detected by various program analysis methods. Mainstream static approaches apply taint analysis to find source-sink pairs and then submit the suspicious bug traces to dynamic instrumentation or static encoding. However, previous works using those methods either fail to handle sanitization code well or cannot generalize across codebases. In this paper, we present IntTracer, which is enhanced with an interval domain to model the effect of sanitization code in IO2BO bug traces and can find recurring vulnerabilities across different codebases. IntTracer can prevent false positives under 8 cases while keeping an overhead of 6.3% compared to the previous work Tracer.
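A simplified illustration of the abstract's central idea, added here and not taken from the paper or from IntTracer's code: an interval domain tracks the range of a tainted 32-bit length, so a sanitizing bounds check suppresses the alarm only when it actually rules out wraparound at the allocation sink. All function names and the modeled trace are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsigned interval [lo, hi], held in 64 bits so the true (non-wrapping)
 * bounds of 32-bit arithmetic can be represented. Hypothetical type. */
typedef struct { uint64_t lo, hi; } interval;

/* Source: an attacker-controlled 32-bit length, e.g. read from a header. */
static interval taint_source_u32(void) {
    interval iv = { 0, UINT32_MAX };
    return iv;
}

/* Sanitizer: the fall-through branch of `if (n > bound) return -1;`
 * keeps only values with n <= bound. */
static interval assume_le(interval iv, uint64_t bound) {
    if (iv.hi > bound) iv.hi = bound;
    return iv;
}

/* Mathematical range of n * k for a constant element size k.
 * (2^32 - 1)^2 < 2^64, so the 64-bit product itself cannot wrap. */
static interval mul_const(interval iv, uint32_t k) {
    interval r = { iv.lo * k, iv.hi * k };
    return r;
}

/* The 32-bit size computed at the sink can wrap iff the true product
 * can exceed UINT32_MAX. */
static int may_wrap_u32(interval iv) { return iv.hi > UINT32_MAX; }

/* Models the trace:  n = read_u32();  [if (n > guard) return -1;]
 *                    buf = malloc(n * elem_size);   (32-bit multiply)
 * has_guard == 0 models a trace without sanitization.
 * Returns 1 when the trace should be reported as a potential IO2BO. */
int io2bo_alarm(int has_guard, uint32_t guard, uint32_t elem_size) {
    interval n = taint_source_u32();
    if (has_guard) n = assume_le(n, guard);
    return may_wrap_u32(mul_const(n, elem_size));
}

int main(void) {
    printf("no guard:        %d\n", io2bo_alarm(0, 0, 4));
    printf("n <= 1024:       %d\n", io2bo_alarm(1, 1024, 4));
    printf("n <= 0x40000000: %d\n", io2bo_alarm(1, 0x40000000u, 4));
    return 0;
}
```

A pure taint analysis would report all three traces; the interval model drops only the second, because the third guard is too weak to keep `n * 4` within 32 bits.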


    Published In

    ICSE-Companion '24: Proceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings
    April 2024
    531 pages
    ISBN:9798400705021
    DOI:10.1145/3639478
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    In-Cooperation

    • Faculty of Engineering of University of Porto

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. integer overflow
    2. taint analysis
    3. recurring vulnerability
    4. interval analysis

    Qualifiers

    • Short-paper

    Conference

    ICSE-Companion '24
    Acceptance Rates

    Overall Acceptance Rate 276 of 1,856 submissions, 15%
