DOI: 10.1145/3015135.3015137 (research article, SSPREW conference proceedings)

Finding the needle in the heap: combining static analysis and dynamic symbolic execution to trigger use-after-free

Published: 05 December 2016

Abstract

    This paper presents a fully automated technique to find and trigger Use-After-Free vulnerabilities (UAF) on binary code. The approach combines a static analyzer and a dynamic symbolic execution engine. We also introduce several original heuristics for the dynamic symbolic execution part, speeding up the exploration and making this combination effective in practice. The tool we developed is open-source, and it has successfully been applied on real-world vulnerabilities. As an example, we detail a proof-of-concept exploit triggering a previously unknown vulnerability in JasPer, CVE-2015-5221.
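    The abstract describes the pipeline only at a high level. As an added example (not code from the paper or from its open-source tool), the C program below shows the shape of the bug such a pipeline looks for: an (alloc, free, use) triple that a static pass can report, of which only one input-dependent path actually executes all three sites, plus a small shadow-heap check that confirms a candidate trigger at run time without dereferencing freed memory. All names (t_alloc, t_free, t_use, decode, run_input) and the inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example: a tiny input-dependent use-after-free and a shadow
 * heap that confirms it at run time without touching freed memory.
 * Helper names (t_alloc, t_free, t_use, run_input) are hypothetical.
 */

#define MAX_CHUNKS 16

/* Shadow table: one entry per chunk handed out by t_alloc. A chunk is
 * never returned to malloc while a run is active (quarantine), so an
 * address is never reused and a stale pointer stays identifiable. */
static struct { void *ptr; int live; } shadow[MAX_CHUNKS];
static int nchunks;
static int uaf_hits;

static void *t_alloc(size_t n)
{
    void *p = malloc(n);
    if (!p || nchunks == MAX_CHUNKS)
        abort();
    shadow[nchunks].ptr = p;
    shadow[nchunks].live = 1;
    nchunks++;
    return p;
}

static void t_free(void *p)
{
    for (int i = 0; i < nchunks; i++)
        if (shadow[i].ptr == p)
            shadow[i].live = 0;   /* mark dead, keep the memory quarantined */
}

/* Gate every dereference: 1 = pointer targets a freed chunk (UAF), 0 = safe. */
static int t_use(void *p)
{
    for (int i = 0; i < nchunks; i++)
        if (shadow[i].ptr == p) {
            if (!shadow[i].live) { uaf_hits++; return 1; }
            return 0;
        }
    return 0;   /* not heap-tracked (e.g. stack) */
}

static void t_reset(void)
{
    for (int i = 0; i < nchunks; i++)
        free(shadow[i].ptr);     /* release the quarantine between runs */
    nchunks = 0;
    uaf_hits = 0;
}

/* Target under test (constructed): a decoder whose error path frees the
 * pixel buffer early (the "free" site), while a later, independently
 * guarded branch still writes through the same pointer (the "use" site).
 * A static pass can flag the (alloc, free, use) triple; only an input with
 * input[0]=='F' AND input[1]=='U' drives execution through all three,
 * which is the path condition a symbolic engine would have to solve. */
struct image { char *data; size_t len; };

static int decode(const char *input)
{
    struct image img;
    int rc = 0;

    img.data = t_alloc(8);                     /* alloc site */
    img.len = 8;
    memset(img.data, 0, img.len);

    if (input[0] == 'F') {                     /* "format error" path */
        t_free(img.data);                      /* free site: img.data now dangles */
        rc = -1;
    }
    if (input[1] == 'U') {                     /* "update header" path */
        if (t_use(img.data))                   /* use site, reachable after the free */
            return 1;                          /* UAF confirmed; do not touch memory */
        img.data[0] = input[2];
    }
    if (rc == 0)
        t_free(img.data);                      /* normal cleanup */
    return 0;
}

/* Run the decoder on one input; returns 1 if a use-after-free was hit,
 * 0 if the run was clean, -1 if the input is too short to decode. */
static int run_input(const char *input)
{
    if (strlen(input) < 3)
        return -1;                             /* decoder reads three bytes */
    t_reset();
    int hit = decode(input);
    t_reset();
    return hit;
}

int main(void)
{
    const char *inputs[] = { "AUx", "FAx", "FUx" };   /* constructed test inputs */
    for (size_t i = 0; i < 3; i++)
        printf("input %s -> %s\n", inputs[i],
               run_input(inputs[i]) ? "use-after-free" : "clean");
    return 0;
}
```

    The quarantine in t_free is what makes the check reliable: if the chunk went straight back to malloc, a later allocation could reuse the address and the stale pointer would look live again, which is also why sanitizers delay reuse of freed chunks.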


    Cited By

    • (2023) Targeted Symbolic Execution for UAF Vulnerabilities. 2023 7th International Conference on System Reliability and Safety (ICSRS), pp. 282-289. DOI: 10.1109/ICSRS59833.2023.10381130. Published 22 Nov 2023.
    • (2022) Combining static analysis error traces with dynamic symbolic execution (experience paper). Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 568-579. DOI: 10.1145/3533767.3534384. Published 18 Jul 2022.
    • (2022) Program Vulnerability Mining System based on Symbolic Execution. Proceedings of the 2022 7th International Conference on Intelligent Information Technology, pp. 83-89. DOI: 10.1145/3524889.3524903. Published 25 Feb 2022.
    • (2022) SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds. 2022 IEEE Symposium on Security and Privacy (SP), pp. 161-178. DOI: 10.1109/SP46214.2022.9833721. Published May 2022.
    • (2022) A Survey of Detection Methods for Software Use-After-Free Vulnerability. Data Science, pp. 272-297. DOI: 10.1007/978-981-19-5209-8_19. Published 10 Aug 2022.
    • (2021) Automatic Vulnerability Detection in Embedded Devices and Firmware. ACM Computing Surveys 54(2), pp. 1-42. DOI: 10.1145/3432893. Published 5 Mar 2021.
    • (2021) Interface Compliance of Inline Assembly. Proceedings of the 43rd International Conference on Software Engineering, pp. 1236-1247. DOI: 10.1109/ICSE43902.2021.00113. Published 22 May 2021.
    • (2021) Review on Trustworthy Analysis in binary code. 2021 7th International Conference on Advanced Computing and Communication Systems (ICACCS), pp. 1386-1389. DOI: 10.1109/ICACCS51430.2021.9442052. Published 19 Mar 2021.
    • (2020) Sys. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 199-216. DOI: 10.5555/3489212.3489224. Published 12 Aug 2020.
    • (2020) Karonte: Detecting Insecure Multi-binary Interactions in Embedded Firmware. 2020 IEEE Symposium on Security and Privacy (SP), pp. 1544-1561. DOI: 10.1109/SP40000.2020.00036. Published May 2020.

    Published In

    SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering
    December 2016
    85 pages
    ISBN:9781450348416
    DOI:10.1145/3015135
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. automated exploit generation
    2. binary code analysis
    3. dynamic symbolic execution
    4. use-after-free
    5. vulnerability detection

    Qualifiers

    • Research-article

    Conference

    SSPREW '16

    Acceptance Rates

    Overall Acceptance Rate 6 of 13 submissions, 46%

    Article Metrics


    • Downloads (Last 12 months)41
    • Downloads (Last 6 weeks)5
    Reflects downloads up to 11 Aug 2024

