11-05-2012, 12:59 PM
Identifying Buffer Overflow Vulnerabilities based on Binary Code
Identifying Buffer Overflow Vulnerabilities based on Binary Code.pdf (Size: 76.46 KB / Downloads: 25)
INTRODUCTION
At present network security has become a serious problem. The buffer
overflow vulnerability is one of the most dangerous and widely distributed
software vulnerabilities. Therefore, it is important to find buffer
overflows, especially those that are not yet discovered, not reported, or
reported but have not received much attention. Many techniques have been
developed to prevent attacks due to buffer overflows [1-3].
Traditionally there are two ways to find buffer overflow vulnerabilities.
One is to analyze the source code of the program, which is called static
analysis, as in literature [4]. The other is to test a program while it is
running, which is called dynamic testing, as in literature [5]. However, in
practice, except for some open source programs, most source code is hard to
obtain. Dynamic testing does not require source code, but it is inefficient
because it has no knowledge of the program's internal structure.
Determining the overflow functions
The main work of this phase is to identify and test the potential overflow
functions in order to exclude those that cannot overflow. Since in the
preceding stage we only roughly found some possible overflow functions, it
still needs to be determined which of these functions will or will not
overflow when attacked. But it is very difficult for a program to judge the
correctness of another program, so special tests are necessary to exclude
the functions that cannot overflow.
The test procedure is similar to software robustness testing. We run the
target program with elaborately structured data to discover vulnerabilities
within the program. But we only test the functions marked as possible
overflow in the previous step, not all functions. This saves a lot of time.
Moreover, the test data are based on information previously found in the
program, instead of on the parameter scope. This also improves the
efficiency of the test.
STATIC ANALYSIS
Static Analysis Tool
The paper chooses IDA Pro as the disassembly tool. IDA Pro is a Windows- or
Linux-hosted multi-processor disassembler and debugger [6]. IDA Pro is a
professional disassembly tool and has the strongest disassembly capability.
Because common buffer overflow vulnerabilities are caused by a lack of
verification on memory copy operations and the like, they have some
regularity. We disassemble the target code using IDA Pro and search the
disassembly results for potential system overflow risks, then analyze and
discriminate among them to achieve effective mining of system-level
security vulnerabilities.
Script Controller
In addition to its extremely powerful disassembly functions and interactive
UI, IDA Pro also provides IDC automatic scripting capabilities. Users can
process the disassembly database by writing automated scripts for specific
purposes. IDC is an embedded language. Its emergence greatly enhances the
extensibility of IDA, so that many complex tasks may be completed with IDC.
Generating function call diagram
The function dependencies in the executable binary file are first extracted
by a written IDC script. Then the analysis focuses on the calls that may
cause buffer overflows and on format-string library functions to determine
whether security vulnerabilities exist in the program. This reduces
vulnerability false alarms and improves the quality of the vulnerability
report. The IDC script traverses functions depth-first, beginning from the
program entrance, the main function, of the target binary file. It simulates
the FILO (first in, last out) character of the stack and extracts all
functions in the program; the library functions called by the program are
not traversed, which removes a lot of interference information and improves
the efficiency of the analysis.
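The traversal described above, written out as an added plain-Python illustration rather than the paper's IDC script: it walks a constructed call graph depth-first from main with an explicit FILO stack, never descends into library functions, and marks user functions that call risky copy or format-string routines as "possible overflow" candidates for the later test phase. The graph, function names and library lists are assumptions made for this example.

```python
# Library routines whose unchecked use is classically tied to buffer
# overflows or format-string bugs (the classes the paper searches for).
RISKY_COPY = {"strcpy", "strcat", "sprintf", "gets", "memcpy"}
RISKY_FORMAT = {"printf", "fprintf", "syslog"}

# Constructed call graph (callee lists per function), standing in for what
# an IDC script would extract from the IDA database. Library functions are
# leaves that the walk must not expand. All names here are made up.
LIBRARY = RISKY_COPY | RISKY_FORMAT | {"strlen", "malloc", "free"}
CALL_GRAPH = {
    "main": ["parse_args", "handle_request", "cleanup"],
    "parse_args": ["strlen", "copy_name"],
    "copy_name": ["strcpy"],      # unchecked copy into a local buffer
    "handle_request": ["log_msg", "parse_args", "malloc"],
    "log_msg": ["printf"],        # possible format-string misuse
    "cleanup": ["free", "main"],  # cycle back to main must not loop forever
}


def walk_call_graph(graph, entry="main", library=LIBRARY):
    """Return (visit order, {function: set of risky library callees}).

    Depth-first walk from `entry` using an explicit FILO stack. Only user
    functions are pushed; a library callee is recorded as a risk when it is
    in the risky sets but is never expanded, keeping library internals out
    of the report as the paper describes.
    """
    order, candidates, visited = [], {}, set()
    stack = [entry]  # explicit FILO stack
    while stack:
        fn = stack.pop()
        if fn in visited or fn in library:
            continue
        visited.add(fn)
        order.append(fn)
        # Push in reverse so callees are popped in source order.
        for callee in reversed(graph.get(fn, [])):
            if callee in library:
                if callee in RISKY_COPY or callee in RISKY_FORMAT:
                    candidates.setdefault(fn, set()).add(callee)
            elif callee not in visited:
                stack.append(callee)
    return order, candidates


def possible_overflow_functions(graph, entry="main"):
    """Functions the robustness test in the next phase should target."""
    return sorted(walk_call_graph(graph, entry)[1])
```

Only the two functions that directly call a risky routine are reported, so the test phase can concentrate its structured input on them instead of on every function in the binary.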