Towards designing an extendable vulnerability detection method for executable codes

Context: Software vulnerabilities allow attackers to harm computer systems. Timely detection and removal of vulnerabilities helps to improve the security of computer systems and to avoid the losses that result from exploiting them.

Objective: Various methods have been proposed to detect vulnerabilities in the past decades. However, most of them are designed to detect one or a limited number of vulnerability classes and require fundamental changes before they can detect other vulnerabilities. In this paper, we present a first step towards designing an extendable vulnerability detection method that is independent of the characteristics of specific vulnerabilities.

Method: To do so, we first propose a general model for specifying software vulnerabilities. Based on this model, a general specification method and an extendable algorithm are then presented for detecting the specified vulnerabilities in executable codes. As a first step, single-instruction vulnerabilities (vulnerabilities that appear in one instruction) are specified and detected. We present a formal definition for single-instruction vulnerabilities. In our method, detection of the specified vulnerabilities is treated as solving a satisfaction problem. The suggested method is implemented as a plug-in for the Valgrind binary instrumentation framework, and the vulnerabilities are specified using Valgrind's intermediate language, Vex.

Results: Three classes of single-instruction vulnerabilities are specified in this paper, i.e. division by zero, integer bugs and NULL pointer dereference. The experiments demonstrate that the presented specifications for these vulnerabilities are accurate and that the implemented method can detect all the specified vulnerabilities.

Conclusion: As we employ a general model for specifying the vulnerabilities, and the structure of our vulnerability detection method does not depend on a specific vulnerability, our method can be extended to detect other specified vulnerabilities.
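The following is an added example, not the paper's Valgrind plug-in. It models the abstract's central idea in a few lines of Python: each single-instruction vulnerability class is written as a predicate over one executed instruction and its concrete operand values, and detection is the satisfaction check "does any specification's predicate hold for this instruction?". The opcode names follow Vex naming conventions (Iop_Add32, Iop_DivU32, Iex_Load, ...) but the instruction model, the specification format and the trace are simplifications assumed by this example; the three specifications mirror the three classes the paper reports (division by zero, integer bugs, NULL pointer dereference), and a fourth is registered at the end to show that extending the detector means adding a specification, not changing the detection loop.

```python
"""Toy specification-and-satisfaction detector for single-instruction
vulnerabilities (added example; not the paper's code).  Opcode names follow
Vex conventions, but the instruction model and the trace are assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Instr:
    op: str                  # Vex-style opcode name (simplified mapping)
    args: Tuple[int, ...]    # concrete operand values observed at execution time
    bits: int = 32           # width of the input operands


@dataclass(frozen=True)
class Spec:
    name: str
    ops: FrozenSet[str]                  # opcodes this specification applies to
    violated: Callable[[Instr], bool]    # True when the instruction is vulnerable


def signed(v: int, bits: int) -> int:
    """Reinterpret a bits-wide bit pattern as a two's-complement integer."""
    v &= (1 << bits) - 1
    return v - (1 << bits) if v >> (bits - 1) else v


def fits_signed(v: int, bits: int) -> bool:
    return -(1 << (bits - 1)) <= v <= (1 << (bits - 1)) - 1


def arith_result(i: Instr) -> int:
    """Mathematical (unbounded) result of a signed Add/Sub/Mul operation."""
    a, b = signed(i.args[0], i.bits), signed(i.args[1], i.bits)
    kind = i.op[4:7]        # "Add", "Sub" or "Mul" from e.g. "Iop_Add32"
    return {"Add": a + b, "Sub": a - b, "Mul": a * b}[kind]


def truncates(i: Instr) -> bool:
    """Narrowing conversion loses set bits above the target width."""
    target = int(i.op.split("to")[1])           # "Iop_64to32" -> 32
    v = i.args[0] & ((1 << i.bits) - 1)
    return (v >> target) != 0


# The three classes specified in the paper, expressed as predicates.
SPECS: List[Spec] = [
    Spec("division-by-zero",
         frozenset({"Iop_DivU32", "Iop_DivS32", "Iop_DivU64", "Iop_DivS64"}),
         lambda i: i.args[1] == 0),
    Spec("signed-overflow",
         frozenset({"Iop_Add32", "Iop_Sub32", "Iop_Mul32",
                    "Iop_Add64", "Iop_Sub64", "Iop_Mul64"}),
         lambda i: not fits_signed(arith_result(i), i.bits)),
    Spec("narrowing-truncation",
         frozenset({"Iop_64to32", "Iop_32to16", "Iop_32to8"}),
         truncates),
    Spec("null-pointer-dereference",
         frozenset({"Iex_Load", "Ist_Store"}),   # args[0] is the address
         lambda i: i.args[0] == 0),
]


def detect(trace: List[Instr], specs: List[Spec] = SPECS) -> List[Tuple[int, str]]:
    """Satisfaction check: report (trace index, spec name) for every
    instruction whose operand state satisfies some specification.
    The loop knows nothing about any particular vulnerability class."""
    findings = []
    for idx, ins in enumerate(trace):
        for spec in specs:
            if ins.op in spec.ops and spec.violated(ins):
                findings.append((idx, spec.name))
    return findings


# Constructed trace standing in for what an instrumented run would observe.
TRACE = [
    Instr("Iop_Add32", (0x7FFFFFFF, 1)),        # INT_MAX + 1
    Instr("Iop_DivU32", (10, 0)),               # divisor is zero
    Instr("Iex_Load", (0,), 64),                # load through a NULL pointer
    Instr("Iop_64to32", (0x1_0000_0001,), 64),  # high bits lost on narrowing
    Instr("Iop_Add32", (1, 2)),                 # benign
    Instr("Iop_Mul32", (0x10000, 0x10000)),     # 2**32 does not fit in 32 bits
]

# Extending the detector: a new class is one more predicate, nothing else.
SHIFT_SPEC = Spec("shift-out-of-range",
                  frozenset({"Iop_Shl32", "Iop_Shr32", "Iop_Sar32"}),
                  lambda i: i.args[1] >= i.bits)


def run_demo() -> List[Tuple[int, str]]:
    return detect(TRACE)


def run_extended_demo() -> List[Tuple[int, str]]:
    return detect([Instr("Iop_Shl32", (1, 40))], SPECS + [SHIFT_SPEC])


if __name__ == "__main__":
    for idx, name in run_demo():
        print(f"instruction {idx}: {name}")
    print(run_extended_demo())
```

Because the predicates are evaluated on concrete operand values at execution time, this mirrors a dynamic (Valgrind-style) check rather than a static one: an instruction is flagged only on a run that actually reaches it with violating operands, so coverage of the input space remains the job of whatever drives the execution.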
