Article

Memsherlock: an automated debugger for unknown memory corruption vulnerabilities

Authors:

Chongkyung Kil,

Jun XuAuthors Info & Claims

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

Pages 562 - 572

https://doi.org/10.1145/1315245.1315314

Published: 28 October 2007 Publication History

Abstract

Software vulnerabilities have been the main contributing factor to the Internet security problems such as fast spreading worms. Among these software vulnerabilities, memory corruption vulnerabilities such as buffer overflow and format string bugs have been the most common ones exploited by network-based attacks. Many security countermeasures (e.g., patching, automatic signature generation for intrusion detection systems) require vulnerability information to function correctly. However, despite many years of research, automatically identifying unknown software vulnerabilities still remains an open problem.

In this paper, we present the development of a security debugging tool named MemSherlock, which can automatically identify unknown memory corruption vulnerabilities upon the detection of malicious payloads that exploit such vulnerabilities. MemSherlock provides critical information for unknown memory corruption vulnerabilities, including (1) the corruption point in the source code (i.e., the statement that allows the exploitation of memory corruption vulnerability), (2) the slice of source code that helps the malicious input to reach the corruption point, and (3) the description of how the malicious input exploits the unknown vulnerability. We evaluate MemSherlock with a set of 11 real-world applications that have buffer overflow, heap overflow, and format string vulnerabilities. The evaluation results indicate that MemSherlock is a useful tool to facilitate the automatic vulnerability analysis process.

References

[1]

D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the IEEE Symposium on Security and Privacy, May 2006.

Digital Library

[2]

H. Chen, D. Dean, and D. Wagner. Model checking one million lines of c code. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS), February 2004.

[3]

H. Chen and D. Wagner. MOPS: an infrastructure for examining security properties of software. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS'02), November 2002.

Digital Library

[4]

S. Chen, J. Xu, and E. C. Sezer. Non-control-data attacks are realistic threats. In Proceedings of 14th USENIX Security Symposium, 2005.

Digital Library

[5]

CodeSurfer. http://www.grammatech.com/products/codesurfer/.

[6]

J. R. Crandall and F. T. Chong. Minos: Control data attack prevention orthogonal to memory model. In Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture, pages 221--232, December 2004.

Digital Library

[7]

J. R. Crandall, Z. Su, S. F. Wu, and F. T. Chong. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 235--248, 2005.

Digital Library

[8]

H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee, and B. Miller. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings of the 2004 IEEE Symposium on Security and Privacy, May 2004.

[9]

D. S. James Newsome, David Brumley. Vulnerability-specific execution filtering for exploit prevention on commodity software. In Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS '06), Feb 2006.

[10]

C. Kil, J. Jun, C. Bookholt, J. Xu, and P. Ning. Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software. In Proceedings of the 22st Annual Computer Security Applications Conference (ACSAC '06), pages 339--348, December 2006.

Digital Library

[11]

H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th USENIX Security Symposium, August 2004.

Digital Library

[12]

C. Kreibich and J. Crowcroft. Honeycomb - creating intrusion detection signatures using honeypots. In Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.

[13]

W. Landi. Undecidability of static analysis. ACM Letters on Programming Languages and Systems, 1(4):323--337, December 1992.

Digital Library

[14]

D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In Proceedings of the 10th USENIX Security Symposium, August 2001.

Digital Library

[15]

Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 213--222, 2005.

Digital Library

[16]

Z. Liang and R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proceedings of 12th ACM Conference on Computer and Communication Security (CCS '05), pages 213--222, 2005.

Digital Library

[17]

G. Necula, J. Condit, M. Harren, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy software. ACM Transaction on Programming Languages and Systems, 27(3):477--526, May 2005.

Digital Library

[18]

G. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy software. In Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, pages 128--139, 2002.

Digital Library

[19]

N. Nethercote. Dynamic binary analysis and instrumentation, 2004. valgrind.org/docs/phd2004.pdf.

[20]

J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of The 12th Annual Network and Distributed System Security Symposium (NDSS '05), February 2005.

[21]

PaX Team. http://pax.grsecurity.net/docs/aslr.txt.

[22]

G. Ramalingam. The undecidability of aliasing. ACM Transactions on Programming Languages and Systems, 16(5):1467--1471, September 1994.

Digital Library

[23]

S. Sidiroglou, M. Locasto, S. Boyd, and A. Keromytis. Building a reactive immune system for software services. In Proceedings of USENIX Annual Technical Conference, pages 149--161, April 2005.

Digital Library

[24]

S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), December 2004.

Digital Library

[25]

A. Smirnov and T. Chiueh. DIRA: Automatic detection, identification, and repair of control-hijacking attacks. In Proceedings of The 12th Annual Network and Distributed System Security Symposium (NDSS '05), February 2005.

[26]

G. Vigna, W. Robertson, and D. Balzarotti. Testing network-based intrusion detection signatures using mutant exploits. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 21--30, New York, NY, USA, 2004. ACM Press.

Digital Library

[27]

H. Wang, C. Guo, D. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In Proceedings of ACM SIGCOMM, August 2004.

Digital Library

[28]

J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. In Proceedings of 22nd Symposium on Reliable Distributed Systems - SRDS 2003, pages 260--269, 2003. IEEE Computer Society, Oct.

[29]

J. Xu, P. Ning, C. Kil, Y Zhai, and C. Bookhold. Automatic diagnosis and response to memory corruption vulnerabilities. In Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 223--234, 2005.

Digital Library

[30]

P. Zhou, W. Liu, L. Fei, S. Lu, F. Qin, Y. Zhou, S. Midkiff, and J. Torrellas. Accmon: Automatically detecting memory-related bugs via program counter-based invariants. In MICRO 37: Proceedings of the 37th annual International Symposium on Microarchitecture, pages 269--280, Washington, DC, USA, 2004. IEEE Computer Society.

Digital Library

[31]

P. Zhou, F. Qin, W. Liu, Y. Zhou, and J. Torrellas. iWatcher: Efficient architectural support for software debugging. In Proceedings of the 31st International Symposium on Computer Architecture (ISCA), 2004.

Digital Library

Cited By

Zhao LJiang KZhu YWang LMing J(2023)Capturing Invalid Input Manipulations for Memory Corruption DiagnosisIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314502220:2(917-930)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3145022
Xu ZGupta AMalik S(2017)Trace-based Analysis of Memory Corruption Malware AttacksHardware and Software: Verification and Testing10.1007/978-3-319-70389-3_5(67-82)Online publication date: 12-Nov-2017
https://doi.org/10.1007/978-3-319-70389-3_5
Evtyushkin DPonomarev DAbu-Ghazaleh NHsu WYang CLipasti MLee H(2016)Jump over ASLRThe 49th Annual IEEE/ACM International Symposium on Microarchitecture10.5555/3195638.3195686(1-13)Online publication date: 15-Oct-2016
https://dl.acm.org/doi/10.5555/3195638.3195686
Show More Cited By

Index Terms

Memsherlock: an automated debugger for unknown memory corruption vulnerabilities
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. While a core dump carries a large amount of information, which has long been used for software debugging, it ...
deExploit

We propose to detect memory corruption by identifying misuses of input data.We propose a binary level approach for memory corruption detection and diagnosis.Our approach is generic to typical memory corruption attacks.Our approach is effective in ...
Measuring and ranking attacks based on vulnerability analysis

As the number of software vulnerabilities increases, the research on software vulnerabilities becomes a focusing point in information security. A vulnerability could be exploited to attack the information asset with the weakness related to the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '07: Proceedings of the 14th ACM conference on Computer and communications security

October 2007

628 pages

ISBN:9781595937032

DOI:10.1145/1315245

General Chair:
Peng Ning
NC State University, USA
,
Program Chairs:
Sabrina De Capitani di Vimercati
University of Milan, Italy
,
Paul Syverson
Naval Research Laboratory, USA

Copyright © 2007 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 October 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS07

Sponsor:

CCS07: 14th ACM Conference on Computer and Communications Security 2007

November 2 - October 31, 2007

Virginia, Alexandria, USA

Acceptance Rates

CCS '07 Paper Acceptance Rate 55 of 302 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
762
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)3

Reflects downloads up to 28 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zhao LJiang KZhu YWang LMing J(2023)Capturing Invalid Input Manipulations for Memory Corruption DiagnosisIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.314502220:2(917-930)Online publication date: 1-Mar-2023
https://doi.org/10.1109/TDSC.2022.3145022
Xu ZGupta AMalik S(2017)Trace-based Analysis of Memory Corruption Malware AttacksHardware and Software: Verification and Testing10.1007/978-3-319-70389-3_5(67-82)Online publication date: 12-Nov-2017
https://doi.org/10.1007/978-3-319-70389-3_5
Evtyushkin DPonomarev DAbu-Ghazaleh NHsu WYang CLipasti MLee H(2016)Jump over ASLRThe 49th Annual IEEE/ACM International Symposium on Microarchitecture10.5555/3195638.3195686(1-13)Online publication date: 15-Oct-2016
https://dl.acm.org/doi/10.5555/3195638.3195686
Evtyushkin DPonomarev DAbu-Ghazaleh N(2016)Jump over ASLR: Attacking branch predictors to bypass ASLR2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO)10.1109/MICRO.2016.7783743(1-13)Online publication date: Oct-2016
https://doi.org/10.1109/MICRO.2016.7783743
Araujo FHamlen K(2015)Compiler-instrumented, dynamic secret-redaction of legacy processes for attacker deceptionProceedings of the 24th USENIX Conference on Security Symposium10.5555/2831143.2831153(145-159)Online publication date: 12-Aug-2015
https://dl.acm.org/doi/10.5555/2831143.2831153
Nanavati JWu FHarman MJia YKrinke J(2015)Mutation testing of memory-related operators2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW)10.1109/ICSTW.2015.7107449(1-10)Online publication date: May-2015
https://doi.org/10.1109/ICSTW.2015.7107449
Li HKim TBat-Erdene MLee H(2013)Software Vulnerability Detection Using Backward Trace Analysis and Symbolic ExecutionProceedings of the 2013 International Conference on Availability, Reliability and Security10.1109/ARES.2013.59(446-454)Online publication date: 2-Sep-2013
https://dl.acm.org/doi/10.1109/ARES.2013.59
KITAGAWA THANAOKA MKONO K(2011)A State-Aware Protocol Fuzzer Based on Application-Layer ProtocolsIEICE Transactions on Information and Systems10.1587/transinf.E94.D.1008E94-D:5(1008-1017)Online publication date: 2011
https://doi.org/10.1587/transinf.E94.D.1008
Wang WLei YLiu DKung DCsallner CZhang DKacker RKuhn R(2011)A combinatorial approach to detecting buffer overflow vulnerabilitiesProceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems&Networks10.1109/DSN.2011.5958225(269-278)Online publication date: 27-Jun-2011
https://dl.acm.org/doi/10.1109/DSN.2011.5958225
Chen KLian YZhang Y(2011)AutoDuntProceedings of the 14th international conference on Information Security and Cryptology10.1007/978-3-642-31912-9_10(140-154)Online publication date: 30-Nov-2011
https://dl.acm.org/doi/10.1007/978-3-642-31912-9_10
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents