Saluki: Finding Taint-style Vulnerabilities with Static Property Checking

Gotovchits, Ivan; Tonder, Rijnard van; Brumley, David

doi:10.14722/bar.2018.23019

Cited by 22 publications

(15 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As mentioned in [11], the main limitation of an emulatorbased approach is that it is difficult to emulate all values in real-word binaries for the kernel and library files. There are no initialization inputs for the kernel and library function analysis; therefore, the emulator usually generates a random input for emulation.…”

Section: A Vulnerability Detection In Binarymentioning

confidence: 99%

“…To the best of our knowledge, cwe_checker [8] and baptoolkit [9] are the state-of-the-art binary vulnerability detection tools. Similarly, Dtaint [10] (only supports ARM32 architecture) and Saluki [11] proposed a generic approach for taint-style vulnerability detection. Unfortunately, both Dtaint [10] and Saluki [10] are not specific to NPD detection and cannot be used to detect an NPD vulnerability directly.…”

Section: Introductionmentioning

confidence: 99%

“…In contrast, benefited by the microexecution [12]-based analysis engine, Saluki [11] and bap-toolkit [9] not only can emulate the runtime behavior to obtain a concrete value of a register or memory space, but can also cover multiple execution paths depending on the CFG. However, the emulator-style approach also has limitations for unknown values (parameter, global variable) and unknown functions, such as the library function, which the emulator cannot emulate.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

et al. 2021

View full text Add to dashboard Cite

Null pointer dereference (NPD) is a widespread vulnerability that occurs whenever an executing program attempts to dereference a null pointer. NPD vulnerability can be exploited by hackers to maliciously crash a process to cause a denial of service or execute an arbitrary code under specific conditions. This typical taintstyle vulnerability requires an accurate data dependency analysis to trace whether a source is propagated to a sensitive sink without proper sanitization. The primary challenge in data dependency analysis is pointer aliasing, which may significantly affect the vulnerability detection accuracy. Although there have been many studies and open-source tools, they still have limitations when detecting a real-world binary. In this paper, we propose a static binary analysis approach to detect an NPD vulnerability. To improve detection accuracy and practicality, we first identify two challenges that affect the accuracy of binary NPD detection: (i) pointer aliasing, and (ii) untrusted source identification. Then we implement a prototype of the proposed approach, NPDHunter, and evaluate it against 318 test cases provided by Juliet Test Suite v1.3. For the Juliet dataset, NPDHunter is accurate in detecting NPDs and generates 0% false negatives; as compared to bap-toolkit and cwe_checker, which have false-negative rates of 70.89% and 89.81%, respectively. We also evaluate NPDHunter for real-world binaries which recently reported NPD vulnerability. We have analyzed XNU kernel (large-scale), Redis, Bitlbee, libredwg, and libvncserver binaries and NPDHunter can detect all NPD cases, which justifies its usefulness for real-world binaries; compiled for x86_64 architecture.

show abstract

Section: A Vulnerability Detection In Binarymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

et al. 2021

View full text Add to dashboard Cite

show abstract

“…In contrast, other researchers study the security of source code, and many static [6], [8], [10], [11] and dynamic [9] techniques have been proposed to detect vulnerabilities automatically. Gotovchits et al [6] detect the vulnerability in binary-level. They develop a domain-specific language to express security properties and first use µflux technique to generate data dependence facts.…”

Section: A Detecting Taint-style Vulnerabilitymentioning

confidence: 99%

“…Researchers have proposed a variety of static(e.g., [6], [8], [10], [11]), and dynamic [9] techniques to detect taint-style vulnerabilities. For example, Gotovchits et al [6] apply the novel technique named µflux to check the taint-style security properties in binary code, and finds 0-day vulnerabilities in COTS x86, x86-64, and ARM software. More recently, pattern-based methods ( [2], [3], [7]) have been provided to…”

Section: Introductionmentioning

confidence: 99%

Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Song

Feng

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Taint-style vulnerabilities can damage the service provided by mobile seriously. The patternbased method is a practical way to detect taint-style vulnerabilities. Most of the methods extract the vulnerability patterns from the code base, however, sometimes missing the vulnerability patterns and resulting in some vulnerabilities undiscovered. The security patches contain valuable information about the vulnerabilities. To compensate for the inherent incompleteness of pattern matching, in this paper, we propose an approach to infer patterns with the security information carried on the security patches. The taint-style vulnerability is described as a 3-tuples (S src , S san , S sink ) here, which consist of sources(S src ), sanitization (S san ), and sinks(S sink ). For each pair of vulnerable and patched programs, we extract the sanitizations from the changes between the vulnerable code and corresponding patches, infer the sinks with the impact analysis, and determine the sources through the backward traversal on the control flow graph. Finally, the completelinkage clustering method is applied to the extracted triples to summary the patterns. We evaluate our method with open source projects. The results show our method is effective: 1) our method infers vulnerability patterns for taint-style vulnerabilities; 2) compared with the method inferring patterns from the code base, new patterns are discovered; and 3) the inferred patterns are applied to search the similar vulnerabilities successfully.INDEX TERMS Code change, static analysis, vulnerability detection.

show abstract

Cross-Architecture Lifter Synthesis

Tonder

Goues

2018

Software Engineering and Formal Methods

View full text Add to dashboard Cite

Saluki: Finding Taint-style Vulnerabilities with Static Property Checking

Cited by 22 publications

References 30 publications

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

NPDHunter: Efficient Null Pointer Dereference Vulnerability Detection in Binary

Inferring Patterns for Taint-Style Vulnerabilities With Security Patches

Cross-Architecture Lifter Synthesis

Contact Info

Product

Resources

About