Journal of Tsinghua University (Science and Technology), 2017, Vol. 57, Issue 10: 1022-1029. DOI: 10.16511/j.cnki.qhdxxb.2017.25.040
COMPUTER SCIENCE AND TECHNOLOGY
Detect use-after-free vulnerabilities in binaries
HAN Xinhui1, WEI Shuang1, YE Jiayi1, ZHANG Chao2, YE Zhiyuan1
1. Institute of Computer Science and Technology, Peking University, Beijing 100080, China;
2. Institute for Network Science and Cyberspace, Tsinghua University, Beijing 100084, China
Abstract: Use-after-free (UaF) vulnerabilities are among the most common and dangerous memory corruption vulnerabilities, yet they are difficult to detect. A UaF vulnerability is triggered if and only if three operations occur on the same memory region, in this order: the memory is allocated, it is freed, and the freed memory is then used. These three operations may be scattered anywhere in the program, so an analysis must track a long execution sequence and search it for potentially vulnerable event sequences in order to detect UaF vulnerabilities. This study analyzes the root causes of UaF vulnerabilities, the ways they are exploited, the severity of the threat, and the challenges in detecting them. A solution based on static analysis and dynamic symbolic execution is then given to detect UaF vulnerabilities in binaries. Tests show that this solution detects the known vulnerabilities in a benchmark, so the detection system can be used to identify and fix bugs and improve application security.
Keywords: use-after-free; static analysis; dynamic symbolic execution
CLC number: TP393.08
Issue Date: 15 October 2017
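The abstract's triggering condition (allocate, free, then use, all on the same region) is what any UaF detector ultimately has to check over an execution sequence. The following is an added example, not code from the paper or its authors: a minimal trace analyser that applies that rule to a constructed event sequence. The `Event` fields, the addresses and the program counters are all assumed for illustration, and it also handles the case where the allocator recycles a freed chunk, which turns later accesses back into legitimate ones.

```python
# Added example (not from the paper): apply the abstract's rule, a UaF needs
# alloc -> free -> use on the SAME region in that order, to a constructed trace.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    kind: str        # "alloc", "free" or "use"
    addr: int        # region base for alloc/free, accessed address for use
    size: int = 0    # bytes, alloc only
    pc: int = 0      # assumed address of the instruction doing the operation


def _overlaps(base: int, size: int, other: int, other_size: int) -> bool:
    return base < other + other_size and other < base + size


def detect_uaf(events: List[Event]) -> List[Tuple[str, int, int, int]]:
    """Return (finding, use_pc, region_base, free_pc) for each use of freed memory."""
    live: Dict[int, int] = {}               # base -> size, currently allocated
    freed: Dict[int, Tuple[int, int]] = {}  # base -> (size, pc of the free)
    findings = []
    for ev in events:
        if ev.kind == "alloc":
            # The allocator reused the memory: accesses through the new pointer
            # are legitimate, so forget earlier frees overlapping the new region.
            freed = {b: v for b, v in freed.items()
                     if not _overlaps(b, v[0], ev.addr, ev.size)}
            live[ev.addr] = ev.size
        elif ev.kind == "free" and ev.addr in live:
            freed[ev.addr] = (live.pop(ev.addr), ev.pc)
        elif ev.kind == "use":
            for base, (size, free_pc) in freed.items():
                if base <= ev.addr < base + size:
                    findings.append(("use-after-free", ev.pc, base, free_pc))
    return findings


# Constructed trace (not real program data): one dangling access in the middle.
SAMPLE_TRACE = [
    Event("alloc", 0x1000, 32, pc=0x401000),
    Event("use", 0x1008, pc=0x401010),        # in bounds, region still live
    Event("free", 0x1000, pc=0x401020),
    Event("use", 0x1010, pc=0x401030),        # dangling: inside the freed chunk
    Event("alloc", 0x1000, 32, pc=0x401040),  # chunk recycled by the allocator
    Event("use", 0x1004, pc=0x401050),        # legitimate again
    Event("use", 0x2000, pc=0x401060),        # never tracked, ignored here
]

if __name__ == "__main__":
    for f in detect_uaf(SAMPLE_TRACE):
        print("%s: use at pc=%#x touches region %#x freed at pc=%#x" % f)
```

Real binaries need the event stream recovered first (the paper's static analysis plus symbolic execution do that work); this block only shows the sequence check that runs on top of it.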
Cite this article: HAN Xinhui, WEI Shuang, YE Jiayi, et al. Detect use-after-free vulnerabilities in binaries[J]. Journal of Tsinghua University (Science and Technology), 2017, 57(10): 1022-1029.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2017.25.040 or http://jst.tsinghuajournals.com/EN/Y2017/V57/I10/1022