Statically detecting use after free on binary code

Feist, Josselin; Mounier, Laurent; Potet, Marie-Laure

doi:10.1007/s11416-014-0203-1

Cited by 58 publications

(42 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…References [9] and [10] add codes that detect dangling pointers in a compilation and detect UAF attacks in runtime. References [9] and [11] detect dangling pointers by a static analysis of a binary program. Reference [12] inserts dynamic runtime checks for protecting against UAF vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

Yamauchi

Ikegami

Ban

2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYRecently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. In particular, large-scale programs such as browsers often include many dangling pointers, and UAF vulnerabilities are frequently exploited by drive-by download attacks. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attackprevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. The first condition for reuse is that the total size of the freed memory area is beyond the designated size. The threshold for the conditions of reuse of the freed memory area can be randomized by HeapRevolver. Furthermore, we add a second condition for reuse in which the freed memory area is merged with an adjacent freed memory area before release. Furthermore, HeapRevolver can be applied without modifying the target programs. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small.

show abstract

Section: Related Workmentioning

confidence: 99%

Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

Yamauchi

Ikegami

Ban

2017

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Another problem is that the search for vulnerability at the source program level may have high false positive rate [9]. They establish the vulnerability knowledge database and find the similar functions to the test ones to determine the vulnerability types.…”

Section: Introductionmentioning

confidence: 99%

SemHunt: Identifying Vulnerability Type with Double Validation in Binary Code

Li¹,

Xu²,

Tang

et al. 2017

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

Abstract-when manufacturers release patches, they are usually released as binary executable programs. Vendors generally do not disclose the exact location of the vulnerabilities, even they may conceal some of the vulnerabilities, which is not conducive to study the in-depth situation of security for the need of consumers. In this paper we introduce a vulnerability discover method using machine learning based on patch information -SemHunt. Firstly, we use it to compare two versions of the same program to get the potential vulnerability-patched function pairs using binary comparison technology. Then, we combine it with vulnerability and patch knowledge database to classify these function pairs and identify the possible vulnerable functions and the vulnerability types. We completed a prototype of SemHunt, which can effectively identify vulnerable function types and the location of corresponding vulnerabilities, which are not revealed in the released patch files. Finally, we test some programs containing real-world CWE vulnerabilities, and one of the experimental results about CWE843 shows that the results returned from only searching source program are about twice as much as the results from SemHunt. We can see that using SemHunt can significantly reduce false positive rate of discovering vulnerabilities compared with analyzing source files alone.

show abstract

“…Intraprocedural analysis limit to the scope of the current function, however, interprocedural analysis has the ability to enter sub-functions [9]. Needless to say, in-process analysis is much simpler than the process.…”

Section: Introductionmentioning

confidence: 99%

SemDiff: Finding Semtic Differences in Binary Programs based on Angr

et al. 2017

View full text Add to dashboard Cite

Abstract:We introduce SemDiff, a novel technology for finding semantic differences between two binary files. Now, the vendor will release the information to patch the previous version which has vulnerability. Then, we can compare the differences and similarities between the two versions to get the unpublished details of the 1day vulnerabilities. Tools, such as BinDiff, BinHunt and iBinHunt ,have worked on this project before, however , there are some weaknesses on them. Just like BinDiff, a comparison method based on structure, can not be effective for judging the semantic differences. Though the other two tools(BindHunt and iBinHunt) can recognize the differences we focus on, they can not effectively verify the functional inlining and spend a pretty long time to finish the process because the use of graph-based isomorphism algorithm. In the paper, we first propose SemDiff, which uses the existing tool(angr) to generate the intermediate language(VEX). Then, because of the nature of program, the data read from and written to the memories, we record these information to implement the comparison. Last, an improved BinDiff algorithm is used to match the basic blocks. In this paper, we take some real vulnerabilities as examples, such as CVE-2010-3974-Microsoft Windows to test our tool, reaching a good goal, matching more blocks than BinDiff and taking less time than BinHunt and iBinHunt.

show abstract

Statically detecting use after free on binary code

Cited by 58 publications

References 9 publications

Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library

SemHunt: Identifying Vulnerability Type with Double Validation in Binary Code

SemDiff: Finding Semtic Differences in Binary Programs based on Angr

Contact Info

Product

Resources

About