Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Search method for format string vulnerabilities

https://doi.org/10.15514/ISPRAS-2015-27(4)-2

Abstract

In this paper, a search method for format string vulnerabilities is presented. The method is based on dynamic analysis and symbolic execution. It is applied to program binaries and does not require debug information. We present a tool implementing this method and have used it to detect known vulnerabilities in Linux programs.

About the Authors

I. A. Vakhrushev
ISP RAS
Russian Federation


V. V. Kaushan
ISP RAS
Russian Federation


V. A. Padaryan
ISP RAS; Lomonosov Moscow State University, 2nd Education Building, Faculty CMC, GSP-1
Russian Federation


A. N. Fedotov
ISP RAS
Russian Federation


For citation:


Vakhrushev I.A., Kaushan V.V., Padaryan V.A., Fedotov A.N. Search method for format string vulnerabilities. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2015;27(4):23-38. (In Russ.) https://doi.org/10.15514/ISPRAS-2015-27(4)-2



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)