    Abstract:

    This paper presents an automatic testing method, DAIDT (dynamic automatic integer-overflow detection and testing), for finding fatal integer overflow bugs in binary code. DAIDT can thoroughly test binary code and automatically find unknown integer overflow bugs without necessarily knowing its symbol tables. It is formally proved in this paper that DAIDT can theoretically detect all high-risk integer overflow bugs with no false positives and no false negatives. In addition, any bug found by DAIDT can be replayed. To demonstrate the effectiveness of this theory, IntHunter has been implemented. It has found 4 new high-risk integer overflow bugs in the latest releases of three highly trusted applications (two Microsoft WINS services in Windows 2000 and 2003 Server, and Baidu Hi Instant Messenger) by testing each for 24 hours. Three of these bugs allow arbitrary code execution and have received confirmed vulnerability numbers: CVE-2009-1923 and CVE-2009-1924 from the Microsoft Security Response Center, and CVE-2008-6444 from Baidu.
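The high-risk pattern the abstract targets is a 32-bit arithmetic result that silently wraps and then decides an allocation or copy length. The following is an added illustration, not code from the paper or from IntHunter: a small checker that records wrap-around at the operation that produced it (the kind of event a dynamic detector flags), beside a hardened length calculation that refuses to allocate when the check fires. The function names, the header layout and the limits are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* One 32-bit arithmetic result plus a flag saying whether it wrapped.
   This mirrors what a dynamic checker records at the instruction that
   produced the value: the truncated result and whether the true result fit. */
typedef struct {
    uint32_t value;
    bool overflowed;
} u32_result;

/* Evaluate a * b in 64 bits, then truncate: the truncation is exactly the
   wrap-around that 32-bit code performs silently. */
u32_result checked_mul_u32(uint32_t a, uint32_t b) {
    uint64_t wide = (uint64_t)a * (uint64_t)b;
    u32_result r = { (uint32_t)wide, wide > UINT32_MAX };
    return r;
}

u32_result checked_add_u32(uint32_t a, uint32_t b) {
    uint64_t wide = (uint64_t)a + (uint64_t)b;
    u32_result r = { (uint32_t)wide, wide > UINT32_MAX };
    return r;
}

/* Outcome of sizing a buffer from untrusted header fields (assumed layout:
   a fixed header followed by count elements of elem_size bytes). */
enum alloc_status { ALLOC_OK, ALLOC_OVERFLOW, ALLOC_TOO_LARGE };

/* Hardened form of "len = count * elem_size + header_len; buf = malloc(len)".
   Without the checks, count * elem_size can wrap to a small value, so the
   allocation is short and the later element copies overrun it. Here any
   wrap-around is reported as ALLOC_OVERFLOW and nothing is allocated. */
enum alloc_status size_from_header(uint32_t count, uint32_t elem_size,
                                   uint32_t header_len, uint32_t max_len,
                                   uint32_t *out_len) {
    u32_result body = checked_mul_u32(count, elem_size);
    if (body.overflowed) return ALLOC_OVERFLOW;
    u32_result total = checked_add_u32(body.value, header_len);
    if (total.overflowed) return ALLOC_OVERFLOW;
    if (total.value > max_len) return ALLOC_TOO_LARGE;   /* sane but oversized */
    *out_len = total.value;
    return ALLOC_OK;
}
```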

Citation:

Lu Xicheng, Li Gen, Lu Kai, Zhang Ying. Automated testing of integer overflow bugs for high-confidence software. Journal of Software, 2010, 21(2): 179-193.

History
  • Received: June 15, 2009
  • Revised: December 07, 2009