Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Memory violation detection method in binary code

https://doi.org/10.15514/ISPRAS-2015-27(2)-7

Abstract

In this paper, a memory violation detection method is considered. The method is applied to program binaries and does not require debug information. It allows finding such memory violations as out-of-bounds reads from or writes to a buffer. The technique is based on dynamic analysis and symbolic execution. We present a tool that implements the method. We used this tool to find 11 bugs in both Linux and Windows programs, 7 of which were undocumented at the time this paper was written.

About the Authors

V. V. Kaushan
ISP RAS
Russian Federation


A. Yu. Mamontov
ISP RAS
Russian Federation


V. A. Padaryan
ISP RAS
Russian Federation


A. N. Fedotov
ISP RAS
Russian Federation


For citations:


Kaushan V.V., Mamontov A.Y., Padaryan V.A., Fedotov A.N. Memory violation detection method in binary code. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2015;27(2):105-126. (In Russ.) https://doi.org/10.15514/ISPRAS-2015-27(2)-7



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)