Different is Good: Detecting the Use of Uninitialized Variables through Differential Replay

Authors: Mengchen Cao, Xiantong Hou, Tao Wang, Hunter Qu, Yajin Zhou

DOI: 10.1145/3319535.3345654

Keywords:

Abstract: The use of uninitialized variables is a common issue. It could cause kernel information leaks, which defeat the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue still lags largely behind. In this paper, we propose a new technique, differential replay, that could effectively detect the use of uninitialized variables. Specifically, it records and replays a program's execution in multiple instances. One instance runs with the vanilla memory, while the other one changes (or poisons) the values of variables allocated from the stack and the heap. It then compares the program states to find references to uninitialized variables. The idea is that if a variable is properly initialized, it will overwrite the poisoned value, and the program states in the two running instances should be the same. After detecting differences, our system leverages symbolic taint analysis to further identify the location where the variable was allocated. This helps us identify the root cause and facilitates the development of real exploits. We have implemented a prototype called TimePlayer. After applying it to both Windows 7 and Windows 10 kernels (x86/x64), it successfully identified 34 new issues and another 85 ones that had already been patched (some of them were publicly unknown). Among the new issues, 17 have been confirmed as zero-day vulnerabilities by Microsoft.
