Learning Fine-Grained Structured Input for Memory Corruption Detection

Inputs to many application and server programs contain rich and consistent structural information. The propagation of such input in program execution could serve as accurate and reliable signatures for detecting memory corruptions. In this paper, we propose a novel approach to detect memory corruptions at the binary level. The basic insight is that different parts of an input are usually processed in different ways, e.g., by different instructions. Identifying individual parts in an input and learning the pattern in which they are processed is an attractive approach to detect memory corruptions. We propose a fine-grained dynamic taint analysis system to detect different fields in an input and monitor the propagation of these fields, and show that deviations from the execution pattern learned signal a memory corruption. We implement a prototype of our system and demonstrate its success in detecting a number of memory corruption attacks in the wild. In addition, we evaluate the overhead of our system and discuss its advantages over existing approaches and limitations.

[1]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[2]  Navjot Singh,et al.  Libsafe: transparent system-wide protection against buffer overflow attacks , 2002, Proceedings International Conference on Dependable Systems and Networks.

[3]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[4]  Cheng Wang,et al.  LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks , 2006, 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO'06).

[5]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[6]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[7]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[8]  Zhenkai Liang,et al.  Polyglot: automatic extraction of protocol message format using dynamic binary analysis , 2007, CCS '07.

[9]  Ravishankar K. Iyer,et al.  Defeating memory corruption attacks via pointer taintedness detection , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[10]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[11]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[12]  Herbert Bos,et al.  Pointless tainting?: evaluating the practicality of pointer tainting , 2009, EuroSys '09.

[13]  Wouter Joosen,et al.  PAriCheck: an efficient pointer arithmetic checker for C programs , 2010, ASIACCS '10.

[14]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[15]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[16]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[17]  Alessandro Orso,et al.  Effective memory protection using dynamic tainting , 2007, ASE '07.

[18]  Xiangyu Zhang,et al.  Reverse Engineering Input Syntactic Structure from Program Execution and Its Applications , 2010, IEEE Transactions on Software Engineering.

[19]  Xuxian Jiang,et al.  Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution , 2008, NDSS.

[20]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[21]  Herbert Bos,et al.  Minemu: The World's Fastest Taint Tracker , 2011, RAID.

[22]  Benjamin Livshits,et al.  Tracking pointers with path and context sensitivity for bug detection in C programs , 2003, ESEC/FSE-11.

[23]  Alessandro Orso,et al.  Effective and Efficient Memory Protection Using Dynamic Tainting , 2012, IEEE Transactions on Computers.

[24]  Catherine A. Meadows Introduction to ACM TISSEC special issue on CCS 2005 , 2009, TSEC.

[25]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.