HAN Xinhui¹, WEI Shuang¹, YE Jiayi¹, ZHANG Chao², YE Zhiyuan¹
1. Institute of Computer Science and Technology, Peking University, Beijing 100080, China;
2. Institute for Network Science and Cyberspace, Tsinghua University, Beijing 100084, China
Abstract: Use-after-free (UaF) vulnerabilities are among the most common and most dangerous memory corruption vulnerabilities, yet they are difficult to detect. A UaF vulnerability is triggered if and only if three operations occur on the same memory region in the order allocate, free, and then use the freed memory. These three operations may be located anywhere in the program, so an analysis must track a long execution sequence and search it for potentially vulnerable event sequences to detect UaF vulnerabilities. This study analyzes the root causes of UaF vulnerabilities, the ways they are exploited, the severity of the threat, and the challenges in detecting them. A solution based on static analysis and dynamic symbolic execution is then presented for detecting UaF vulnerabilities in binaries. Tests show that this solution detects known vulnerabilities in a benchmark, so the detection system can be used to identify and fix bugs and improve application security.
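To make the triggering condition concrete, the following is an added example (not code from the paper or its detection system): a small shadow-state checker that replays a constructed trace of allocate/free/use events and reports a use-after-free only when an access hits a region that is currently freed. The event kinds, addresses and "program counter" values are all constructed for illustration; the second trace shows the reuse case the paper's ordering condition implies, where the allocator hands the same address to a new object and a later access is legitimate rather than a UaF.

```c
#include <stddef.h>
#include <stdio.h>

/* Event kinds in a constructed program trace: the three operations whose
 * ordering (alloc -> free -> use on the same region) defines a UaF. */
typedef enum { EV_ALLOC, EV_FREE, EV_USE } ev_kind;

typedef struct {
    ev_kind kind;
    unsigned long addr;   /* region start (alloc/free) or accessed address (use) */
    size_t size;          /* region size for EV_ALLOC, 0 otherwise */
    int pc;               /* constructed location of the operation in the program */
} event;

#define MAX_REGIONS 64

typedef struct {
    unsigned long start;
    size_t size;
    int freed;            /* 1 once the region has been freed */
    int free_pc;          /* where it was freed, for reporting */
} region;

typedef struct {
    region regions[MAX_REGIONS];
    int count;
} shadow;

typedef struct {
    int uaf_count;
    int double_free_count;
    int first_uaf_pc;     /* pc of the first use-after-free, or -1 */
} report;

/* Most recently allocated region containing addr wins: an address can be
 * handed out again after a free, and the newest allocation is the live one. */
static region *find_region(shadow *s, unsigned long addr) {
    for (int i = s->count - 1; i >= 0; i--) {
        region *r = &s->regions[i];
        if (addr >= r->start && addr < r->start + r->size) return r;
    }
    return NULL;
}

/* Replay the trace against shadow state and count UaF / double-free events. */
report check_trace(const event *evs, int n) {
    shadow s = { .count = 0 };
    report rep = { 0, 0, -1 };
    for (int i = 0; i < n; i++) {
        const event *e = &evs[i];
        region *r;
        switch (e->kind) {
        case EV_ALLOC:
            if (s.count < MAX_REGIONS)
                s.regions[s.count++] = (region){ e->addr, e->size, 0, -1 };
            break;
        case EV_FREE:
            r = find_region(&s, e->addr);
            if (r && r->freed) {
                rep.double_free_count++;          /* freeing an already-freed region */
            } else if (r) {
                r->freed = 1;
                r->free_pc = e->pc;
            }
            break;
        case EV_USE:
            r = find_region(&s, e->addr);
            if (r && r->freed) {                  /* access to a freed region: UaF */
                rep.uaf_count++;
                if (rep.first_uaf_pc < 0) rep.first_uaf_pc = e->pc;
            }
            break;
        }
    }
    return rep;
}

/* Constructed trace: the three operations are far apart in the program. */
static const event trace_uaf[] = {
    { EV_ALLOC, 0x1000, 32, 10 },   /* p = malloc(32)            */
    { EV_USE,   0x1008,  0, 11 },   /* p->field written: region live, fine */
    { EV_FREE,  0x1000,  0, 20 },   /* free(p) elsewhere in the program    */
    { EV_USE,   0x1008,  0, 30 },   /* p->field read again: dangling pointer */
};

/* Constructed trace: same address reused by a new allocation, then double-freed. */
static const event trace_reuse[] = {
    { EV_ALLOC, 0x1000, 32, 10 },
    { EV_FREE,  0x1000,  0, 20 },
    { EV_ALLOC, 0x1000, 32, 25 },   /* allocator returns the same address  */
    { EV_USE,   0x1008,  0, 30 },   /* access through the new pointer: legitimate */
    { EV_FREE,  0x1000,  0, 40 },
    { EV_FREE,  0x1000,  0, 41 },   /* second free of the same live region */
};

report demo_uaf(void)   { return check_trace(trace_uaf,   sizeof trace_uaf   / sizeof trace_uaf[0]); }
report demo_reuse(void) { return check_trace(trace_reuse, sizeof trace_reuse / sizeof trace_reuse[0]); }

int main(void) {
    report a = demo_uaf(), b = demo_reuse();
    printf("trace_uaf:   uaf=%d double_free=%d first_uaf_pc=%d\n", a.uaf_count, a.double_free_count, a.first_uaf_pc);
    printf("trace_reuse: uaf=%d double_free=%d\n", b.uaf_count, b.double_free_count);
    return 0;
}
```

The point of the second trace is the caveat a detector has to handle: matching "free of X, later access to X" textually would flag the reuse trace as a UaF, whereas tracking the liveness of each region (as sanitizers and the paper's execution-sequence tracking do) reports it correctly as a double free with no UaF.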