An effective taint‐based software vulnerability miner

Purpose – The purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion errors. Real‐world attacks were evaluated for experimentation.

Design/methodology/approach – Current dynamic analysis detects attacks by enforcing a low‐level policy, which can only detect control‐flow hijacking attacks. The proposed approach detects IMCE with high‐level policy enforcement using dynamic taint analysis. Unlike a low‐level policy enforced at the instruction level, the authors' policy is imposed on memory operation routines. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.

Findings – Conversion errors are common and most of them are legitimate. Taint analysis with a high‐level policy can accurately block IMCE but has false positives. Proper design of the data structures that maintain taint tags can greatly reduce overhead.

Originality/value – This paper proposes an approach...
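As an added illustration of the approach the abstract describes (this is example code, not the paper's implementation), the following toy model in C keeps one taint tag per byte of a small memory, propagates the tag through a signed length-field read, and enforces the detection policy at the copy routine rather than at the instruction level: a copy is refused only when its length is tainted and the signed-to-unsigned conversion changed its value, so a tainted but well-formed length is treated as the legitimate conversion it is. The memory layout, packet format and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model (constructed for this example): a 64-byte "memory" with one
 * taint tag per byte, as a fine-grained tracker keeps in shadow memory. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];
static bool   shadow[MEM_SIZE];

typedef struct { int32_t value; bool tainted; } tval; /* value plus its tag */

/* Untrusted input lands in mem[off..off+len): bytes copied and marked tainted. */
static void receive_input(size_t off, const uint8_t *data, size_t len) {
    memcpy(&mem[off], data, len);
    for (size_t i = 0; i < len; i++) shadow[off + i] = true;
}

/* A parser reads a little-endian 16-bit length field as a *signed* value.
 * Taint propagates: the result is tainted if either source byte is. */
static tval read_i16(size_t off) {
    int16_t raw = (int16_t)(mem[off] | (mem[off + 1] << 8));
    return (tval){ raw, shadow[off] || shadow[off + 1] };
}

/* High-level policy enforced at the memory-operation routine: refuse (-1)
 * when the length is tainted AND the signed->size_t conversion changed it.
 * A tainted but non-negative length is legitimate and proceeds, with the
 * tags of the copied bytes propagated to the destination. */
static int policy_memcpy(size_t dst, size_t src, tval len) {
    size_t n = (size_t)len.value;            /* the conversion real code performs */
    bool conv_error = len.value < 0;         /* negative becomes a huge unsigned */
    if (len.tainted && conv_error) return -1;            /* IMCE candidate blocked */
    if (n > MEM_SIZE - dst || n > MEM_SIZE - src) return -2; /* model bound only */
    memmove(&mem[dst], &mem[src], n);
    for (size_t i = 0; i < n; i++) shadow[dst + i] = shadow[src + i];
    return 0;
}

/* Scenario: a 2-byte length header followed by a 4-byte payload at offset 0.
 * Returns the policy verdict for copying the payload to offset 32. */
int run_scenario(int16_t hdr_len) {
    memset(mem, 0, sizeof mem); memset(shadow, 0, sizeof shadow);
    uint8_t pkt[6] = { (uint8_t)hdr_len, (uint8_t)(hdr_len >> 8), 'a', 'b', 'c', 'd' };
    receive_input(0, pkt, sizeof pkt);
    return policy_memcpy(32, 2, read_i16(0));
}
```

With a header of 4 the copy proceeds and the destination bytes inherit the input's taint; with a header of -1 the conversion error is caught at the copy routine before any memory is corrupted.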
