Abstract
The Integer-Overflow-to-Buffer-Overflow (IO2BO) vulnerability is an underestimated threat. Automatically identifying and fixing this kind of vulnerability is critical for software security. In this paper, we present the design and implementation of IntPatch, a compiler extension that automatically fixes IO2BO vulnerabilities in C/C++ programs at compile time. IntPatch uses classic type theory and a dataflow analysis framework to identify potential IO2BO vulnerabilities, and then instruments the program with runtime checks. IntPatch also provides an interface that helps programmers check integer overflows themselves. We evaluate IntPatch on a number of real-world applications. It caught all 46 previously known IO2BO vulnerabilities in our test suite and found 21 new bugs. Applications patched by IntPatch show a negligible runtime performance loss, averaging about 1%.
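The IO2BO pattern the abstract describes, as an added, constructed C illustration (not code from the paper or from IntPatch itself): an untrusted element count feeds a size multiplication that wraps, so a too-small buffer is allocated; beside it sits the kind of runtime check IntPatch inserts at the arithmetic that feeds the allocation. The function names and the sample count are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed IO2BO example, not code from the IntPatch paper.
 * An untrusted element count is multiplied by the element size; the
 * 32-bit product wraps, a too-small buffer is allocated, and a later
 * copy of `count` elements would overrun it. */

/* Unchecked size computation: returns the wrapped product. */
uint32_t unchecked_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;          /* wraps silently on overflow */
}

/* Overflow check done before the multiply, in the spirit of the runtime
 * check IntPatch instruments at the arithmetic feeding an allocation.
 * Uses only well-defined unsigned arithmetic, so the optimizer cannot
 * discard it. Returns 1 and stores the product, or 0 on overflow. */
int checked_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                      /* count * elem_size would wrap */
    *out = count * elem_size;
    return 1;
}

/* Allocation path with the check applied: NULL when the size is unsafe. */
void *checked_alloc(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (!checked_size(count, elem_size, &bytes))
        return NULL;                   /* refuse instead of under-allocating */
    return malloc(bytes);
}

int main(void) {
    /* 0x40000001 * 4 = 0x100000004, which truncates to 4 in 32 bits. */
    uint32_t count = 0x40000001u, elem = 4u, bytes;
    printf("unchecked: %" PRIu32 " bytes for %" PRIu32 " elements\n",
           unchecked_size(count, elem), count);
    printf("checked:   %s\n",
           checked_size(count, elem, &bytes) ? "ok" : "overflow rejected");
    void *p = checked_alloc(count, elem);
    printf("checked_alloc: %s\n", p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```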
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Zhang, C., Wang, T., Wei, T., Chen, Y., Zou, W. (2010). IntPatch: Automatically Fix Integer-Overflow-to-Buffer-Overflow Vulnerability at Compile-Time. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_5
DOI: https://doi.org/10.1007/978-3-642-15497-3_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3