
Statically detecting use after free on binary code

Correspondence

Journal of Computer Virology and Hacking Techniques

Abstract

We present GUEB, a static analysis tool that detects Use-after-Free vulnerabilities in disassembled code. The tool was evaluated on a real vulnerability in the ProFTPD application (CVE-2011-4130).



Notes

  1. In C for a better understanding, but our analysis operates at the assembly level.

  2. This is the case, for instance, with libc.

  3. http://www.mathworks.fr/products/polyspace.

  4. This makes our analysis context-sensitive, but not applicable to recursive calls.

  5. A better approximation could be provided if it is required for the exploitability analysis.

  6. https://www.hex-rays.com/products/ida/index.shtml.

  7. http://www.zynamics.com/binnavi.html.


Author information

Correspondence to Laurent Mounier.

Additional information

This work was partially funded by the Binsec project (ANR-12-INSE-0002-01).


Cite this article

Feist, J., Mounier, L. & Potet, ML. Statically detecting use after free on binary code. J Comput Virol Hack Tech 10, 211–217 (2014). https://doi.org/10.1007/s11416-014-0203-1
