Presentation is loading. Please wait.

Presentation is loading. Please wait.

IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.

Published byZsigmond Fehér Modified over 5 years ago

Similar presentations

Presentation on theme: "IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue."— Presentation transcript:

1 IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue University and Peking University Annapurna Sagi Proceedings of NDSS'09: Network and Distributed System Security Symposium.

2 Contents Introduction Overview of Intscope Implementation
Evaluation and results Strengths Weakness

3 Introduction What is an integer overflow?
An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is too large to be represented within the available storage space. An integer overflow occurs when an operation results in a value greater than the maximum one of the integral data type

4 Integer Overflow Example
#include <stdio.h> Int main(void) { Printf (“ *4= %d\n”, *4); Return 0; } Output= 0

5 Integer Overflow growth Vulnerabilities
Year 2000 2001 2002 2003 2004 2005 2006 2007 Num 1 2 5 29 40 66 96 124

6 Features of Integer Overflow.
Untrusted Source Various types of sinks Memory allocation Memory access Branch statement Incomplete or improper sanitization checks

7 Unsigned int x=read_int()------> If(x>oxfffff)------> Abort(); Unsigned int n= x*sizeof(int);--> Char*p=malloc(n)--> Read_int_into_buf(p,x)----> An Untrusted source Incomplete check Integer Overflow Sensitive operator Heap Overflow

8 Idea of IntScope Symbolically executing the x86 Binary on an intermediate representation. Using Taint analysis Using Lazy Checking

9 Overview of IntScope

10 Pre-Process procedure
De compiler Translate it into Intermediate Representation (PANDA) Constructs the control flow graph (G) and call graph (C) Component Extractor Extract from C the candidate functions that are common ancestors connecting source to a sink Profile Constructor Computes a chop flow graph G’ based on G, that includes only source-sink paths in candidate sub-graphs.

11 Detection Procedure Symbolically execute each path in the components
Collect path constraints, and check the feasibility of the path (constraint solver) Track the propagation of untrusted (tainted) data Only check whether untrusted data causes integer overflows at sink points

12 Implementation

13 Chopping the CFG G in to G’

14 Symbolic Execution

15 L1 x=y=read_from_net()
L2 if(x==c) L3 p=malloc(y);

16 Evaluation and Results
Detected integer overflow bugs in Windows DLLs Detected bugs in several widely used applications Media player VLC

17

18 Strengths A systematic method of combining taint analysis and path-sensitive symbolic execution to detect integer overflow vulnerabilities in executable. A prototype called IntScope to analyze real-world binaries, which shows the approach is highly effective

19 Weakness Lack of information on global variables may lead to false positives Lack of information on intrinsic constraints between inputs leads to false positives. No accurately simulation of block memory functions

20 Thank you…!!

Download ppt "IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue."

Similar presentations

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi – 110 025

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi –
Test Yaodong Bi.

Test Yaodong Bi.
IT 325 OPERATING SYSTEM C programming language. Why use C instead of Java Intermediate-level language:  Low-level features like bit operations  High-level.

IT 325 OPERATING SYSTEM C programming language. Why use C instead of Java Intermediate-level language:  Low-level features like bit operations  High-level.
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.

Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
Detecting Logic Vulnerabilities in E- Commerce Applications FANGQI SUN, LIANG XU, ZHENDONG SU UNIVERSITY OF CALIFORNIA, DAVIS NDSS (FEBRUARY,2014) 1.

Detecting Logic Vulnerabilities in E- Commerce Applications FANGQI SUN, LIANG XU, ZHENDONG SU UNIVERSITY OF CALIFORNIA, DAVIS NDSS (FEBRUARY,2014) 1.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.

Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Introduction to C Programming

Introduction to C Programming
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.

Representing programs Goals. Representing programs Primary goals –analysis is easy and effective just a few cases to handle directly link related things.
Run-Time Storage Organization

Run-Time Storage Organization
1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.

1 Achieving Trusted Systems by Providing Security and Reliability (Research Project #22) Project Members: Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.
CIS Computer Programming Logic

CIS Computer Programming Logic
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
1 Code Generation Part II Chapter 9 COP5621 Compiler Construction Copyright Robert van Engelen, Florida State University, 2005.

1 Code Generation Part II Chapter 9 COP5621 Compiler Construction Copyright Robert van Engelen, Florida State University, 2005.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.

Similar presentations

Ads by Google