Abstract
Incomplete or improper input validation is one of the major sources of security bugs in programs. While traditional approaches often focus on detecting string-related buffer overflow vulnerabilities, we present an approach to automatically detect potential integer misuse, such as integer overflows, in C programs. Our tool is based on CQual, a static analysis tool using type theory. Our techniques have been implemented and tested on several widely used open source applications. Using the tool, we found known and unknown integer-related vulnerabilities in these applications.
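As an added illustration of the bug class the abstract describes (this is example code, not the paper's tool or any of the analyzed applications), the following C shows an untrusted integer flowing into a size computation, once unchecked and once with the validation a type-qualifier checker would demand; the header layout, ELEM_SIZE and MAX_LEN are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Added illustration (not the paper's code) of the bug class the abstract
 * describes: an integer parsed from untrusted input reaches a size
 * computation without validation. The 4-byte little-endian header format,
 * ELEM_SIZE and MAX_LEN are constructed for this example. */
#define ELEM_SIZE 16u
#define MAX_LEN   4096

/* Vulnerable: count * ELEM_SIZE is evaluated in 32-bit unsigned arithmetic
 * and wraps for large counts, so an allocator would receive a tiny size
 * while the later copy loop still trusts the original count. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * ELEM_SIZE;   /* wraps when count > UINT32_MAX / 16 */
}

/* Hardened: refuse any count whose product is unrepresentable, which is
 * the validation a qualifier-based checker would require before an
 * untrusted value may flow into a trusted size. Returns the size, or -1. */
int64_t alloc_size_checked(uint32_t count)
{
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    return (int64_t)(count * ELEM_SIZE);
}

/* Vulnerable: a signed length compared only against an upper bound; a
 * negative value passes the test and becomes a huge size_t when used. */
int len_check_unchecked(int32_t len)
{
    return len <= MAX_LEN;      /* -1 passes, then (size_t)-1 is enormous */
}

/* Hardened: bound both sides before the value is ever used as a size. */
int len_check_fixed(int32_t len)
{
    return len >= 0 && len <= MAX_LEN;
}

/* Decode the constructed little-endian 32-bit count from a record header. */
uint32_t parse_count(const unsigned char hdr[4])
{
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8)
         | ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}
```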
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Ceesay, E.N., Zhou, J., Gertz, M., Levitt, K., Bishop, M. (2006). Using Type Qualifiers to Analyze Untrusted Integers and Detecting Security Flaws in C Programs. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_1
DOI: https://doi.org/10.1007/11790754_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36014-8
Online ISBN: 978-3-540-36017-9