Dialnet


An effective taint‐based software vulnerability miner

  • Zhi Liu [1]; Xiaosong Zhang [1]; Yue Wu [1]; Ting Chen [1]
    1. [1] University of Electronic Science and Technology of China, China

  • Location: Compel: International journal for computation and mathematics in electrical and electronic engineering, ISSN 0332-1649, Vol. 32, No. 2 (Special Issue: CAC 2010), 2013, pp. 467-484
  • Language: English
  • Abstract
    • Purpose – The purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploits (IMCE) at runtime on binary code; such exploits are often caused by integer conversion errors. Real‐world attacks were evaluated for experimentation.

      Design/methodology/approach – Current dynamic analysis detects attacks by enforcing a low‐level policy, which can only detect control‐flow hijacking attacks. The proposed approach detects IMCE with high‐level policy enforcement using dynamic taint analysis. Unlike a low‐level policy enforced at the instruction level, the authors' policy is imposed on memory operation routines. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.

      Findings – Conversion errors are common and most of them are legitimate. Taint analysis with a high‐level policy can accurately block IMCE but has false positives. Proper design of the data structures that maintain taint tags can greatly reduce overhead.

      Originality/value – This paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though it still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.
