Uncovering access control weaknesses and flaws with security-discordant software clones

Gauthier, François; Lavoie, Thierry; Merlo, Ettore

doi:10.1145/2523649.2523650

Cited by 21 publications

(20 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yamaguchi et al [28] are the first to describe the extrapolation of vulnerabilities by finding close neighbors. They, as well as Gauthier et al [9], further describe finding missing checks through anomaly detection. Modern approaches for binaries follow strategies to compare the semantics of code.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Cross-architecture bug search in binary executables

Pewny

Garmany

Gawlik

et al. 2017

It - Information Technology

177

View full text Add to dashboard Cite

Abstract:With the general availability of closed-source software for various CPU architectures, there is a need to identify security-critical vulnerabilities at the binary level. Unfortunately, existing bug finding methods fall short in that they i) require source code, ii) only work on a single architecture (typically x86), or iii) rely on dynamic analysis, which is difficult for embedded devices. In this paper, we propose a system to derive bug signatures for known bugs. First, we compute semantic hashes for the basic blocks of the binary. When can then use these semantics to find code parts in the binary that behave similarly to the bug signature, effectively revealing code parts that contain the bug. As a result, we can find vulnerabilities, e.g., the famous Heartbleed vulnerabilities, in buggy binary code for any of the supported architectures (currently, ARM, MIPS and x86).

show abstract

Section: Related Workmentioning

confidence: 99%

“…The problem of finding bugs at the source code level has been addressed by a lot of researchers [9,11,12,16,28]. Professional code verification tools ensure source code quality and a number of automated bug finding proposals analyze source code to find security-critical bugs.…”

Section: Introductionmentioning

confidence: 99%

Cross-architecture bug search in binary executables

Pewny

Garmany

Gawlik

et al. 2017

It - Information Technology

177

View full text Add to dashboard Cite

show abstract

“…In future work we will look into methods how to further improve the performance. For example, an M-Tree, a data structure for fast k-nearest neighbor search in metric spaces [8], could speed up the candidate search.…”

Section: Discussion and Future Workmentioning

confidence: 99%

Leveraging semantic signatures for bug search in binary programs

Pewny

Schuster

Bernhard

et al. 2014

Proceedings of the 30th Annual Computer Security Applications Conference

113

View full text Add to dashboard Cite

Software vulnerabilities still constitute a high security risk and there is an ongoing race to patch known bugs. However, especially in closed-source software, there is no straightforward way (in contrast to source code analysis) to find buggy code parts, even if the bug was publicly disclosed.To tackle this problem, we propose a method called Tree Edit Distance based Equational Matching (TEDEM) to automatically identify binary code regions that are "similar" to code regions containing a reference bug. We aim to find bugs both in the same binary as the reference bug and in completely unrelated binaries (even compiled for different operating systems). Our method even works on proprietary software systems, which lack source code and symbols.The analysis task is split into two phases. In a preprocessing phase, we condense the semantics of a given binary executable by symbolic simplification to make our approach robust against syntactic changes across different binaries. Second, we use tree edit distances as a basic blockcentric metric for code similarity. This allows us to find instances of the same bug in different binaries and even spotting its variants (a concept called vulnerability extrapolation). To demonstrate the practical feasibility of the proposed method, we implemented a prototype of TEDEM that can find real-world security bugs across binaries and even across OS boundaries, such as in MS Word and the popular messengers Pidgin (Linux) and Adium (Mac OS).

show abstract

“…In contrast to both Merlin and Chucky, sources, sanitizers, and sinks are expressed as regular expressions as part of traversals, making it easy for the analyst to adapt them to further improve the specification. Finally, several authors employ similarity measures to determine vulnerabilities similar to a known vulnerability [17,24,42,61].…”

Section: Related Workmentioning

confidence: 99%

Automatic Inference of Search Patterns for Taint-Style Vulnerabilities

Yamaguchi

Maier

Gascón

et al. 2015

2015 IEEE Symposium on Security and Privacy

149

View full text Add to dashboard Cite

Taint-style vulnerabilities are a persistent problem in software development, as the recently discovered "Heartbleed" vulnerability strikingly illustrates. In this class of vulnerabilities, attacker-controlled data is passed unsanitized from an input source to a sensitive sink. While simple instances of this vulnerability class can be detected automatically, more subtle defects involving data flow across several functions or projectspecific APIs are mainly discovered by manual auditing. Different techniques have been proposed to accelerate this process by searching for typical patterns of vulnerable code. However, all of these approaches require a security expert to manually model and specify appropriate patterns in practice.In this paper, we propose a method for automatically inferring search patterns for taint-style vulnerabilities in C code. Given a security-sensitive sink, such as a memory function, our method automatically identifies corresponding source-sink systems and constructs patterns that model the data flow and sanitization in these systems. The inferred patterns are expressed as traversals in a code property graph and enable efficiently searching for unsanitized data flows-across several functions as well as with project-specific APIs. We demonstrate the efficacy of this approach in different experiments with 5 open-source projects. The inferred search patterns reduce the amount of code to inspect for finding known vulnerabilities by 94.9% and also enable us to uncover 8 previously unknown vulnerabilities.

show abstract

Uncovering access control weaknesses and flaws with security-discordant software clones

Cited by 21 publications

References 26 publications

Cross-architecture bug search in binary executables

Cross-architecture bug search in binary executables

Leveraging semantic signatures for bug search in binary programs

Automatic Inference of Search Patterns for Taint-Style Vulnerabilities

Contact Info

Product

Resources

About