
Research On Key Issues In Integer-based Vulnerability Security

Posted on: 2017-05-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Sun
Full Text: PDF
GTID: 1108330485461072
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology, diverse software applications have come into wide use in modern society. Because of the growth in software size, complicated execution environments and varied software functionality, how to guarantee software security has increasingly become a focus of the industry. Software vulnerabilities are a central concern in software security: once exploited by attackers, they can cause severe damage, especially in security-critical fields such as national defense, the economy, energy resources and transportation systems. Hence, how to detect and eliminate software vulnerabilities has become a key research area.

As an elementary data type in the C/C++ programming languages, the integer type is widely used for representing integer values, arithmetic operations, array indexing, etc. To meet various computational needs, integer types are designed with different signedness and widths. However, the limited ranges that integer types can represent, and casts between different signedness or widths, can produce incorrect computation results or misinterpreted values, leading to integer-based vulnerabilities, including integer overflow, integer underflow, signedness errors and truncation errors. Attackers usually exploit them indirectly to commit damaging acts such as arbitrary code execution and denial of service (DoS). A 2007 study of Common Vulnerabilities and Exposures (CVE) reports found that integer handling errors ranked second among the causes of OS vendor advisories, behind only buffer overflows. As a result, how to detect potential integer-based vulnerabilities effectively and efficiently is being studied intensively.

This dissertation focuses on key issues in integer-based vulnerability security. It develops a deep understanding of the security model and characteristics of integer-based vulnerabilities, and proposes an approach to detecting them based on information-flow analysis. Techniques to detect benign integer overflows, integer-overflow-to-buffer-overflow (IO2BO) vulnerabilities and signedness errors are studied in particular. The contributions of this dissertation can be summarized as follows:

1. A survey on integer-based vulnerabilities is presented. A novel security model is proposed in view of the behaviors that result from the occurrence of the weakness, and sufficient conditions for determining integer-based vulnerabilities are also presented. A thorough comparison of detection methods is further conducted with respect to how well they cover these sufficient conditions. Through an empirical study of real-world integer bug cases, their characteristics and distributions are discussed.

2. An approach to detecting integer-based vulnerabilities based on information-flow analysis is proposed. Information flow includes data flow and control flow, and reflects the program semantics; information-flow analysis has been widely used in static and dynamic techniques for vulnerability detection and security protection. Considering the characteristics of integer-based vulnerabilities, this dissertation employs information-flow analysis, taint analysis and code instrumentation to statically detect and run-time check integer-based vulnerabilities. In this approach, only the unsafe integer operations on tainted information-flow paths, that is, operations that can be controlled by users and that reach security-related program points, need to be instrumented with run-time check code, so that both the density of static instrumentation and the performance overhead are reduced. A prototype system called DRIVER is implemented as an extension to the GCC compiler.

3. An approach to recognizing benign integer overflows via equivalence checking across multiple precisions is proposed. In real-world applications, programmers sometimes use integer overflow intentionally, for special functionality or code conciseness, but existing techniques can hardly recognize these benign integer overflows. Hence, this dissertation presents a novel technique to recognize them. Given an integer overflow bug report, the data-flow path from the overflowed integer arithmetic operation to a security-related program point is extracted, and a second version of the path is created using wider integer types with enough bits to represent the intermediate values, so that the integer overflow cannot occur. Using theorem proving, the equivalence of the two versions is checked, that is, whether they yield the same values at the security-related program point under all possible inputs. If so, the integer overflow is benign. The experimental results show that this approach can effectively recognize benign integer overflows.

4. An efficient dynamic tracking technique for detecting IO2BO vulnerabilities is presented. IO2BO vulnerabilities are the dominant kind of integer overflow in practice. They are usually easy to exploit and can cause severe damage to computer systems, since the overflowed values are ultimately used in memory-related operations. Experienced programmers often anticipate the possibility of integer overflow and insert sanitization routines after potential overflow sites to prevent overflowed values from affecting further program execution. However, existing techniques still report such sanitized IO2BO cases as vulnerabilities. This dissertation presents an efficient dynamic tracking technique, which replaces the overflowed value with a very large and rarely used integer value (a dirty value) and treats that value as an overflow tag. Tag propagation is performed by the program's existing operations without any instrumentation, since operations on dirty values usually produce dirty values. Propagation is automatically cut off by sanitization routines, because they prevent dirty values from affecting further program execution. An IO2BO vulnerability is reported if any dirty value is used at a security-related program point.

5. An approach to detecting integer signedness errors based on data-flow patterns is presented. Based on where the source operands originate and whether the conversion results can propagate to security-related program points, four data-flow patterns of unharmful integer sign conversion are defined. Using data-flow analysis, unharmful sign conversions are statically identified as safe operations and freed from further instrumentation. Hence, the accuracy of signedness error detection is greatly improved.
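The multi-precision equivalence idea of contribution 3, as an added example that is not code from the dissertation or from DRIVER. Two paths are written twice, once with the original 32-bit arithmetic and once re-typed to 64 bits: a multiplicative hash whose wrapped product is masked to a bucket index, and an allocation size computed from an attacker-controlled count. The dissertation checks equivalence with a theorem prover; this example substitutes a differential check over edge cases and pseudo-random samples, which can only refute equivalence, never prove it. The path functions, the hash constant, the sample count and the xorshift seed are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Path A (constructed): bucket index from a multiplicative hash. The 32-bit
 * multiply wraps, but the sink keeps only the low 8 bits, and the low 8 bits
 * of a product are the same modulo 2^32 and modulo 2^64: the overflow is
 * benign by the dissertation's criterion. */
static uint32_t bucket_narrow(uint32_t h) { return (h * 2654435761u) & 0xffu; }
static uint64_t bucket_wide(uint32_t h)   { return ((uint64_t)h * 2654435761ull) & 0xffu; }

/* Path B (constructed): allocation size from an element count. When count * 8
 * wraps, the 32-bit sink value differs from the 64-bit one: harmful. */
static uint32_t alloc_narrow(uint32_t count) { return count * 8u; }
static uint64_t alloc_wide(uint32_t count)   { return (uint64_t)count * 8ull; }

typedef struct {
    uint32_t (*narrow)(uint32_t);   /* original path, 32-bit arithmetic */
    uint64_t (*wide)(uint32_t);     /* same path re-typed to 64-bit arithmetic */
} precision_pair;

const precision_pair hash_path  = { bucket_narrow, bucket_wide };
const precision_pair alloc_path = { alloc_narrow, alloc_wide };

/* Differential equivalence check at the sink. Returns true if no sampled input
 * makes the two versions disagree; on disagreement stores the first
 * counterexample in *cex (if non-NULL) and returns false. Unlike theorem
 * proving, a "true" here is only evidence, not a proof of benignity. */
bool equivalent_on_samples(const precision_pair *p, uint32_t *cex)
{
    static const uint32_t edges[] = {
        0u, 1u, 0xffu, 0x1fffffffu, 0x20000000u, 0x7fffffffu, 0x80000000u, 0xffffffffu
    };
    for (size_t i = 0; i < sizeof edges / sizeof edges[0]; i++) {
        if ((uint64_t)p->narrow(edges[i]) != p->wide(edges[i])) {
            if (cex) *cex = edges[i];
            return false;
        }
    }
    /* xorshift64 pseudo-random sampling; the seed is an arbitrary constant. */
    uint64_t x = 0x9e3779b97f4a7c15ull;
    for (int i = 0; i < 200000; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        uint32_t v = (uint32_t)x;
        if ((uint64_t)p->narrow(v) != p->wide(v)) {
            if (cex) *cex = v;
            return false;
        }
    }
    return true;
}

int main(void)
{
    uint32_t cex = 0;
    printf("hash path equivalent across precisions: %s\n",
           equivalent_on_samples(&hash_path, &cex) ? "yes" : "no");
    printf("alloc path equivalent across precisions: %s (counterexample count=0x%x)\n",
           equivalent_on_samples(&alloc_path, &cex) ? "yes" : "no", cex);
    return 0;
}
```

The alloc path fails at count = 0x20000000, where the 32-bit product wraps to 0 while the 64-bit product is 2^32; the hash path passes every sample because masking with 0xff makes the sink value independent of which modulus the multiplication wrapped at.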
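The dirty-value tracking of contribution 4, as an added example that is not code from the dissertation. Only the multiplication is instrumented: on overflow it yields a sentinel instead of the wrapped product, the program's own addition carries the sentinel to the allocation sink, and the sink reports IO2BO if the tag arrives. A second path with a programmer-inserted range check shows the tag being cut off before the sink. The sentinel value, the dirty threshold, the entry size and the sanitizer limit are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Sentinel used as the overflow tag (assumed for this example): very large, so
 * legitimate computation rarely produces it, and it stays in the dirty range
 * under the small header additions the paths below perform (hdr < 0x100). */
#define DIRTY_VALUE   0xffffff00u
#define DIRTY_FLOOR   0xfffff000u      /* values at or above are treated as tagged */
#define MAX_MSG_SIZE  (1u << 20)       /* sanitizer limit assumed for the example */
#define ENTRY_SIZE    16u

typedef enum { ALLOC_OK, REJECTED_BY_SANITIZER, IO2BO_DETECTED } parse_result;

static bool is_dirty(uint32_t v) { return v >= DIRTY_FLOOR; }

/* The only instrumented operation: on unsigned overflow, substitute the dirty
 * value for the wrapped result. */
uint32_t mul_tracked(uint32_t a, uint32_t b)
{
    uint64_t wide = (uint64_t)a * b;
    return wide > UINT32_MAX ? DIRTY_VALUE : (uint32_t)wide;
}

/* Security-related program point: the allocation size is checked for the tag. */
static parse_result alloc_sink(uint32_t size, void **out)
{
    if (is_dirty(size)) { *out = NULL; return IO2BO_DETECTED; }
    *out = malloc(size);
    return ALLOC_OK;
}

/* Unsanitized path: count * ENTRY_SIZE + hdr flows straight to malloc. The
 * uninstrumented addition propagates the tag (dirty + small hdr is still dirty). */
parse_result parse_unsanitized(uint32_t count, uint32_t hdr)
{
    void *buf;
    uint32_t size = mul_tracked(count, ENTRY_SIZE) + hdr;
    parse_result r = alloc_sink(size, &buf);
    free(buf);
    return r;
}

/* Sanitized path: the programmer's range check cuts off propagation, since a
 * dirty size can never pass it, so no IO2BO is reported. */
parse_result parse_sanitized(uint32_t count, uint32_t hdr)
{
    void *buf;
    uint32_t size = mul_tracked(count, ENTRY_SIZE) + hdr;
    if (size > MAX_MSG_SIZE) return REJECTED_BY_SANITIZER;
    parse_result r = alloc_sink(size, &buf);
    free(buf);
    return r;
}

/* For contrast: the size the original, uninstrumented code would hand to
 * malloc. With count = 0x10000000 the product wraps to 0, so malloc gets only
 * hdr bytes while the caller goes on to write count entries: the IO2BO. */
uint32_t untracked_size(uint32_t count, uint32_t hdr) { return count * ENTRY_SIZE + hdr; }
```

The scheme's known weak spot is visible in the sentinel choice: an operation that subtracts two dirty values, or adds more than the slack below 2^32, produces a clean-looking value and drops the tag, which is why the dissertation describes propagation as working "often" rather than always.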
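The signedness error of contribution 5, as an added example that is not code from the dissertation. A signed length taken from input passes an upper-bound-only check, is converted to size_t at the memcpy sink and becomes a huge count; the hardened version rejects negative values before the conversion. A third function shows a sign conversion whose result flows only into a comparison and never into a memory operation, the kind of flow a pattern-based analysis could leave uninstrumented. The record limit, the buffer sizes and the bounds check standing in for the detector's run-time check at the sink are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECORD 256   /* protocol limit assumed for the example */

typedef enum { COPY_OK, COPY_REJECTED, COPY_OUT_OF_BOUNDS } copy_result;

/* Vulnerable: len is a signed int from the wire and only its upper bound is
 * checked. A negative len passes, is converted to size_t at the memcpy sink and
 * becomes a huge unsigned count. The dst_cap test stands in for the run-time
 * check a detector would place at this program point; without it the memcpy
 * would overrun dst. */
copy_result copy_record_vulnerable(uint8_t *dst, size_t dst_cap,
                                   const uint8_t *src, int len, size_t *copied)
{
    if (len > MAX_RECORD) return COPY_REJECTED;
    size_t n = (size_t)len;             /* sign conversion: -1 becomes SIZE_MAX */
    if (n > dst_cap) return COPY_OUT_OF_BOUNDS;
    memcpy(dst, src, n);
    *copied = n;
    return COPY_OK;
}

/* Hardened: negative lengths are rejected before the conversion, so no negative
 * value can reach the security-related program point. */
copy_result copy_record_hardened(uint8_t *dst, size_t dst_cap,
                                 const uint8_t *src, int len, size_t *copied)
{
    if (len < 0 || len > MAX_RECORD) return COPY_REJECTED;
    size_t n = (size_t)len;             /* now within [0, MAX_RECORD] */
    if (n > dst_cap) return COPY_OUT_OF_BOUNDS;
    memcpy(dst, src, n);
    *copied = n;
    return COPY_OK;
}

/* Sign conversion whose result reaches only a comparison: a negative len
 * converts to a huge value and the comparison correctly fails, and nothing
 * memory-related consumes the converted value. */
int is_within_budget(int len, size_t budget)
{
    return (size_t)len <= budget;
}
```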
Keywords: Information security, integer-based vulnerability, integer overflow, information flow, intentional use, sanitization routine