http://dx.doi.org/10.13089/JKIISC.2018.28.4.919

Automated Method for Detecting OOB Vulnerability of Heap Memory Using Dynamic Symbolic Execution  

Kang, Sangyong (Interdisciplinary Program of Information Security, Chonnam National University)
Park, Sunghyun (Interdisciplinary Program of Information Security, Chonnam National University)
Noh, Bongnam (Interdisciplinary Program of Information Security, Chonnam National University)
Abstract
Out-Of-Bounds (OOB) access is one of the most severe vulnerability classes in heap memory. An OOB vulnerability lets an attacker gain unauthorized access to confidential information by manipulating the length of an array and reading or writing that much memory beyond the object's bounds. In this paper, we propose a method that automatically detects OOB vulnerabilities in heap memory using dynamic symbolic execution and a shadow memory table. First, the shadow memory table is built by hooking the heap allocation and release functions. Then, whenever a memory access occurs, the shadow memory is consulted to judge whether an OOB access can occur, and if so a test case that triggers a crash is generated automatically. With the proposed method, once the search for a vulnerable block succeeds, a test case that induces the OOB can be generated. In addition, unlike conventional dynamic symbolic execution, vulnerabilities can be exploited without specifying an explicit target point in advance.
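The first two steps of the abstract, a shadow memory table filled in by allocation/release hooks and a bounds judgement on each access, as an added example that is not the paper's code. All names (tracked_malloc, tracked_free, check_access, min_oob_len, copy_into_heap) and the 16-byte target are assumptions for illustration. The symbolic execution and solver stages are not implemented; instead min_oob_len returns the smallest access length that crosses the block end, which is the constraint a dynamic symbolic execution engine would hand to the solver to derive the crashing test case.

```c
/* Added example (not the paper's code): a minimal shadow memory table that
 * records heap blocks at malloc/free time and judges every access against it.
 * All function and type names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 64

typedef struct {
    uintptr_t base;   /* start address returned by malloc */
    size_t    size;   /* requested size of the block */
    int       live;   /* 1 until the block is released */
} shadow_entry;

static shadow_entry shadow[MAX_BLOCKS];
static size_t shadow_count;

enum access_verdict { ACCESS_OK = 0, ACCESS_OOB = 1, ACCESS_FREED = 2, ACCESS_UNKNOWN = 3 };

/* Hook for the allocation function: allocate and record the block bounds. */
void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p && shadow_count < MAX_BLOCKS) {
        shadow[shadow_count].base = (uintptr_t)p;
        shadow[shadow_count].size = n;
        shadow[shadow_count].live = 1;
        shadow_count++;
    }
    return p;
}

/* Hook for the release function: keep the bounds but mark the block dead. */
void tracked_free(void *p)
{
    for (size_t i = 0; i < shadow_count; i++)
        if (shadow[i].base == (uintptr_t)p && shadow[i].live)
            shadow[i].live = 0;
    free(p);
}

/* Newest entry whose range contains address a (live or freed), or NULL.
 * Searching newest-first handles an address reused by a later allocation. */
static shadow_entry *lookup(uintptr_t a)
{
    for (size_t i = shadow_count; i-- > 0;)
        if (a >= shadow[i].base && a < shadow[i].base + shadow[i].size)
            return &shadow[i];
    return NULL;
}

/* Judge an access of len bytes starting at p against the shadow table. */
int check_access(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    shadow_entry *e = lookup(a);
    if (!e) return ACCESS_UNKNOWN;
    if (!e->live) return ACCESS_FREED;
    if (len > (e->base + e->size) - a) return ACCESS_OOB;  /* crosses block end */
    return ACCESS_OK;
}

/* Smallest access length from p that crosses the end of its block, i.e. the
 * boundary condition len > base + size - p that a solver would turn into a
 * crashing input. Returns 0 if p is not inside a recorded block. */
size_t min_oob_len(const void *p)
{
    shadow_entry *e = lookup((uintptr_t)p);
    if (!e) return 0;
    return (e->base + e->size) - (uintptr_t)p + 1;
}

/* Constructed target: copies attacker-controlled input into a 16-byte block
 * at offset 4. Returns the verdict the checked access produced; the copy is
 * only performed when the access stays in bounds. */
int copy_into_heap(const unsigned char *input, size_t inlen)
{
    unsigned char *buf = tracked_malloc(16);
    if (!buf) return ACCESS_UNKNOWN;
    int verdict = check_access(buf + 4, inlen);
    if (verdict == ACCESS_OK)
        memcpy(buf + 4, input, inlen);
    tracked_free(buf);
    return verdict;
}
```

With the 16-byte block above, min_oob_len(buf + 4) is 13, so an input of 12 bytes passes and 13 bytes is judged OOB; a real engine would treat inlen as symbolic and solve that same inequality to emit the 13-byte test case.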
Keywords
Dynamic Symbolic Execution; Software Vulnerability; Heap Memory Vulnerability; Out-of-bounds;