
Pinpointing Vulnerabilities

Published: 02 April 2017

Abstract

Memory-based vulnerabilities are a major source of attack vectors. They allow attackers to gain unauthorized access to computers and their data. Previous research has made significant progress in detecting attacks. However, developers still need to locate and fix these vulnerabilities, a mostly manual and time-consuming process. They face a number of challenges. Particularly, the manifestation of an attack does not always coincide with the exploited vulnerabilities, and many attacks are hard to reproduce in the lab environment, leaving developers with limited information to locate them. In this paper, we propose Ravel, an architectural approach to pinpoint vulnerabilities from attacks. Ravel consists of an online attack detector and an offline vulnerability locator linked by a record & replay mechanism. Specifically, Ravel records the execution of a production system and simultaneously monitors it for attacks. If an attack is detected, the execution is replayed to reveal the targeted vulnerabilities by analyzing the program's memory access patterns under attack. We have built a prototype of Ravel based on the open-source FreeBSD operating system. The evaluation results in security and performance demonstrate that Ravel can effectively pinpoint various types of memory vulnerabilities and has low performance overhead.
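As an added illustration of the offline locating step the abstract describes (this is constructed example code, not the paper's Ravel implementation), a toy locator walks a replayed trace of heap events and flags the first access that breaks an object's bounds or lifetime. On the constructed trace, that lands on the overflowing write itself rather than on the later, in-bounds read where an attack detector would fire; all addresses, sizes and `pc` labels are made up.

```python
from dataclasses import dataclass


@dataclass
class Event:
    kind: str       # "alloc" | "free" | "read" | "write"
    addr: int
    size: int = 0
    pc: str = ""    # constructed label standing in for an instruction address


def _owner(objs, addr, size):
    """Return the base of the object in objs that fully covers [addr, addr+size)."""
    for base, length in objs.items():
        if base <= addr and addr + size <= base + length:
            return base
    return None


def locate(trace):
    """Walk a replayed trace of heap events; return (pc, finding) pairs in order.

    Every read/write in the trace is assumed to target heap memory (the
    constructed trace below is built that way), so an access that lands in
    no live object is either a bounds or a lifetime violation."""
    live, freed, findings = {}, {}, []
    for ev in trace:
        if ev.kind == "alloc":
            live[ev.addr] = ev.size
            freed.pop(ev.addr, None)            # address reused by a new object
        elif ev.kind == "free":
            if ev.addr in live:
                freed[ev.addr] = live.pop(ev.addr)
            elif ev.addr in freed:
                findings.append((ev.pc, "double free"))
            else:
                findings.append((ev.pc, "free of non-heap address"))
        else:                                   # read or write
            if _owner(live, ev.addr, ev.size) is not None:
                continue                        # well-formed access
            if _owner(freed, ev.addr, ev.size) is not None:
                findings.append((ev.pc, f"use-after-free {ev.kind}"))
            else:
                findings.append((ev.pc, f"out-of-bounds {ev.kind}"))
    return findings


def root_cause(trace):
    """The earliest violating access is the vulnerability; later ones are fallout."""
    found = locate(trace)
    return found[0] if found else None


# Constructed trace: a 16-byte header buffer is overrun by a 24-byte copy, the
# stray bytes land in the neighbouring object, and a detector would only fire
# when that neighbour's corrupted pointer is read (an in-bounds read, not flagged).
TRACE = [
    Event("alloc", 0x1000, 16, "parse_init"),
    Event("alloc", 0x1010, 8, "parse_init"),              # neighbour holding a pointer
    Event("write", 0x1000, 24, "memcpy@parse_header"),    # the actual bug
    Event("read",  0x1010, 8, "dispatch@handle_request"), # attack manifests here
    Event("free",  0x1010, 0, "cleanup"),
    Event("read",  0x1010, 8, "dispatch@handle_request"), # stale pointer reused
    Event("free",  0x1010, 0, "cleanup"),                 # freed a second time
]
```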


Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN:9781450349444
DOI:10.1145/3052973
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attack detection
  2. buffer overflow
  3. data flow
  4. double free
  5. exploit
  6. race condition
  7. record & replay
  8. return-oriented programming
  9. use-after-free
  10. vulnerability locating

Qualifiers

  • Research-article

Funding Sources

  • US National Science Foundation

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%
