Static Vulnerability Pattern Detection in Low Level Programming Language
Mansour Al-Qattan
Software Technology Research Laboratory, De Montfort University, Leicester - UK
Feng Chen
Software Technology Research Laboratory, De Montfort University, Leicester - UK
Pages: 29-40
Vol: 6, Issue: 4, 2016
Receiving Date: 2016-07-14
Acceptance Date: 2016-09-30
Publication Date: 2016-10-11
Abstract
Vulnerability checking tools in the software industry mostly target high-level programming languages; vulnerability detection in low-level languages, which is what legacy systems typically require, has been largely sidelined. This research proposes a method for finding vulnerabilities in assembly code by translating it into the wide-spectrum language (WSL) and applying static taint analysis together with the slicing transformation of the FermaT transformation engine. Our method decompiles the binary executable to assembly, translates the assembly to WSL, and then detects vulnerabilities by combining FermaT slicing with taint analysis. The results show that WSL and FermaT can detect vulnerabilities in a binary executable with little effort, since FermaT provides multiple transformations that developers can combine to meet their requirements.
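The abstract combines two analyses: a backward slice (keep only the instructions the sink actually depends on) and taint propagation over that slice (does untrusted input reach a dangerous argument?). The following is an added illustration of that combination, written for this page and not code from the paper, from FermaT or from WSL. It runs on a constructed three-address register IR standing in for translated assembly; the instruction set, the `SINKS` table, the `sanitize` operation (which models a bounds-checked copy as a taint-clearing definition) and the sample program are all assumptions made for the example.

```python
"""Toy backward slicing plus taint analysis over a constructed assembly-like IR.

Straight-line code only: the reaching definition of a register is the last
instruction before the use that defines it. This is the simplest setting in
which slicing and taint propagation can be shown working together.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Instr:
    op: str                 # "input", "const", "mov", "add", "sanitize", "call"
    dst: Optional[str]      # register defined; for "call" the callee name
    srcs: Tuple[str, ...]   # registers read (for "call": the arguments in order)


# Assumed sink table: callee -> argument positions that must not carry taint.
SINKS = {"strcpy": (1,), "system": (0,), "printf": (0,)}


def reaching_def(prog: List[Instr], idx: int, reg: str) -> Optional[int]:
    """Index of the last definition of `reg` before instruction `idx`, or None."""
    for j in range(idx - 1, -1, -1):
        ins = prog[j]
        if ins.op != "call" and ins.dst == reg:   # calls define no register here
            return j
    return None


def backward_slice(prog: List[Instr], idx: int) -> List[int]:
    """Indices of every instruction `idx` transitively depends on (data deps)."""
    worklist, seen = [idx], set()
    while worklist:
        i = worklist.pop()
        if i in seen:
            continue
        seen.add(i)
        for reg in prog[i].srcs:
            d = reaching_def(prog, i, reg)
            if d is not None and d not in seen:
                worklist.append(d)
    return sorted(seen)              # ascending = original execution order


def taint_sink(prog: List[Instr], sink_idx: int) -> Tuple[int, ...]:
    """Propagate taint forward over the slice; return the tainted argument positions."""
    sink = prog[sink_idx]
    assert sink.op == "call" and sink.dst in SINKS
    tainted = set()
    for i in backward_slice(prog, sink_idx):
        ins = prog[i]
        if ins.op == "input":                      # untrusted source
            tainted.add(ins.dst)
        elif ins.op in ("mov", "add") and any(s in tainted for s in ins.srcs):
            tainted.add(ins.dst)                   # taint flows through data moves
        elif ins.op != "call":                     # const, sanitize, or clean mov/add: strong update
            tainted.discard(ins.dst)
    return tuple(k for k in SINKS[sink.dst] if sink.srcs[k] in tainted)


def find_findings(prog: List[Instr]) -> List[Tuple[int, str, Tuple[int, ...]]]:
    """(instruction index, callee, tainted argument positions) for every flagged sink."""
    out = []
    for i, ins in enumerate(prog):
        if ins.op == "call" and ins.dst in SINKS:
            bad = taint_sink(prog, i)
            if bad:
                out.append((i, ins.dst, bad))
    return out


# Constructed sample program (not taken from any real binary).
PROGRAM = [
    Instr("input", "r0", ()),               # 0: r0 <- bytes read from an untrusted request
    Instr("mov", "r1", ("r0",)),            # 1: r1 <- r0
    Instr("mov", "r2", ("r0",)),            # 2: r2 <- r0
    Instr("sanitize", "r3", ("r2",)),       # 3: r3 <- length-checked copy of r2 (modelled sanitiser)
    Instr("const", "r4", ()),               # 4: r4 <- address of a fixed format string
    Instr("const", "r5", ()),               # 5: r5 <- address of a stack buffer
    Instr("call", "strcpy", ("r5", "r1")),  # 6: strcpy(r5, r1)  unchecked copy of tainted data
    Instr("call", "strcpy", ("r5", "r3")),  # 7: strcpy(r5, r3)  copy of checked data
    Instr("call", "printf", ("r4",)),       # 8: printf(r4)      constant format string
]

if __name__ == "__main__":
    for idx, callee, args in find_findings(PROGRAM):
        print(f"instr {idx}: {callee} receives tainted argument(s) {args}; "
              f"slice = {backward_slice(PROGRAM, idx)}")
```

Only instruction 6 is reported: its slice is `[0, 1, 5, 6]` and the taint from the `input` at 0 reaches argument 1 unbroken, while the copy at 7 passes through the sanitising definition at 3 and the `printf` at 8 depends only on a constant. Slicing first is what keeps the taint pass cheap and the report explainable: the slice is exactly the evidence a reviewer needs to confirm or dismiss the finding.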
Keywords:
vulnerabilities; vulnerability detection; static analysis; program transformation; FermaT; wide-spectrum language.
References
- M. Akbari, S. Berenji and R. Azmi, 'Vulnerability detector using parse tree annotation,' In Education technology and computer (ICETC), 2010 2nd international conference on, 2010, pp. V4-257-V4-261.
- A. Atkins, N. Reznikov, L. Ofer, A. Masic, S. Weiner and R. Shahar, 'The three-dimensional structure of anosteocytic lamellated bone of fish,' Acta biomaterialia, vol 13, pp. 311–323, 2015.
- B. Chess and G. McGraw, 'Static analysis for security,' IEEE security & privacy, no 6, pp. 76–79, 2004.
- M. Cova, V. Felmetsger, G. Banks and G. Vigna, 'Static detection of vulnerabilities in x86 executables,' In 2006, pp. 269–278.
- C. Dahn and S. Mancoridis, 'Using program transformation to secure C programs against buffer overflows,' In 2003, pp. 323.
- J. Dehlinger, Q. Feng and L. Hu, 'Ssvchecker: Unifying static security vulnerability detection tools in an eclipse plug-in,' In Proceedings of the 2006 OOPSLA workshop on eclipse technology eXchange, 2006, pp. 30–34.
- N. Dor, M. Rodeh and M. Sagiv, 'CSSV: Towards a realistic tool for statically detecting all buffer overflows in C,' In ACM sigplan notices, 2003, pp. 155–167.
- D. Evans, 'Splint home page,' [Online] [Accessed 6/9/2016].
- D. Evans and D. Larochelle, 'Improving security using extensible lightweight static analysis,' Software, IEEE, vol 19, no 1, pp. 42–51, 2002.
- B. Hackett, M. Das, D. Wang and Z. Yang, 'Modular checking for buffer overflows in the large,' In Proceedings of the 28th international conference on software engineering, 2006, pp. 232–241.
- S. Horwitz, T. Reps and D. Binkley, 'Interprocedural slicing using dependence graphs,' ACM transactions on programming languages and systems (TOPLAS), vol 12, no 1, pp. 26–60, 1990.
- R.W. Jones and P.H. Kelly, 'Backwards-compatible bounds checking for arrays and pointers in C programs,' In Aadebug, 1997, pp. 13–26.
- S. Neuhaus, T. Zimmermann, C. Holler and A. Zeller, 'Predicting vulnerable software components,' In Proceedings of the 14th ACM conference on computer and communications security, 2007, pp. 529–540.
- A. One, 'Smashing the stack for fun and profit,' Phrack magazine, vol 7, no 49, pp. 14–16, 1996.
- G. Paul, '7. memory: Stack vs heap,' [Online] [Accessed 6/9/2016].
- D. Pozza, R. Sisto, L. Durante and A. Valenzano, 'Comparing lexical analysis tools for buffer overflow detection in network software,' In Communication system software and middleware, 2006. comsware 2006. first international conference on, 2006, pp. 1–7.
- L. V. Satyanarayana and M. C. Sekhar, 'Static analysis tool for detecting web application vulnerabilities.'
- H. Shahriar and M. Zulkernine, 'Classification of static analysis-based buffer overflow detectors,' In 2010 fourth international conference on secure software integration and reliability improvement companion, 2010, pp. 94–101.
- A. Smirnov and T. Chiueh, 'Automatic patch generation for buffer overflow attacks,' In Information assurance and security, 2007. IAS 2007. third international symposium on, 2007, pp. 165–170.
- J. Viega, J. Bloch, T. Kohno and G. McGraw, 'Token-based scanning of source code for security problems,' ACM transactions on information and system security (TISSEC), vol 5, no 3, pp. 238–261, 2002.
- Common vulnerabilities and exposures (CVE), 2005.
- D.B. Wagner, 'Buffer overrun detection,' [Online] [Accessed 6/9/2016].
- D.A. Wheeler, 'Flawfinder home page,' [Online] [Accessed 6/9/2016].
- J. Wilander, 'Contributions to specification, implementation, and execution of secure software,' 2013.
- Y. Xie, A. Chou and D. Engler, 'Archer: Using symbolic, path-sensitive analysis to detect memory access errors,' ACM SIGSOFT software engineering notes, vol 28, no 5, pp. 327–336, 2003.
- R. Xu, P. Godefroid and R. Majumdar, 'Testing for buffer overflows with length abstraction,' In Proceedings of the 2008 international symposium on software testing and analysis, 2008, pp. 27–38.
- F. Yamaguchi, N. Golde, D. Arp and K. Rieck, 'Modeling and discovering vulnerabilities with code property graphs,' In Security and privacy (SP), 2014 IEEE symposium on, 2014, pp. 590–604.
- M. Zhang, Y. Duan, H. Yin and Z. Zhao, 'Semantics-aware android malware classification using weighted contextual API dependency graphs,' In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security, 2014, pp. 1105–1116.
- M. Zhang and H. Yin, 'AppSealer: Automatic generation of vulnerability-specific patches for preventing component hijacking attacks in android applications,' In NDSS, 2014.
- Y. Zhang, W. Fu, X. Qian and W. Chen, 'Program slicing based buffer overflow detection,' Journal of software engineering and applications, vol 3, no 10, p. 965, 2010.
- M. Zitser, R. Lippmann and T. Leek, 'Testing static analysis tools using exploitable buffer overflows from open source code,' In ACM SIGSOFT software engineering notes, 2004, pp. 97–106.
- D. Wagner, J.S. Foster, E.A. Brewer and A. Aiken, 'A first step towards automated detection of buffer overrun vulnerabilities,' In NDSS, 2000, pp. 2000–2002.
- U. Shankar, K. Talwar, J.S. Foster and D. Wagner, 'Detecting format string vulnerabilities with type qualifiers,' In USENIX security symposium, 2001, pp. 201–220.
- J.J. Tevis and J.A. Hamilton Jr, 'Static analysis of anomalies and security vulnerabilities in executable files,' In Proceedings of the 44th annual southeast regional conference, 2006, pp. 560–565.