Issue No.02 - March-April (2012 vol.38)
pp: 293-313
Taeho Kwon , University of California, Davis, Davis
Zhendong Su , University of California, Davis, Davis
ABSTRACT
Dynamic loading of software components (e.g., libraries or modules) is a widely used mechanism for improving system modularity and flexibility. Correct component resolution is critical for reliable and secure software execution. However, programming mistakes may lead to unintended or even malicious components being resolved and loaded. In particular, dynamic loading can be hijacked by placing an arbitrary file with the specified name in a directory that is searched before the directory containing the intended component. Although this issue has been known for quite some time, it was not considered serious because exploiting it requires write access to the local file system of the vulnerable host. Recently, such vulnerabilities have started to receive considerable attention as their remote exploitation became realistic. It is now important to detect and fix these vulnerabilities. In this paper, we present the first automated technique to detect vulnerable and unsafe dynamic component loadings. Our analysis has two phases: 1) apply dynamic binary instrumentation to collect runtime information on component loading (online phase), and 2) analyze the collected information to detect vulnerable component loadings (offline phase). For evaluation, we implemented our technique to detect vulnerable and unsafe component loadings in popular software on Microsoft Windows and Linux. Our evaluation results show that unsafe component loading is prevalent in software on both OS platforms, and it is more severe on Microsoft Windows. In particular, our tool detected more than 4,000 unsafe component loadings in our evaluation, and some can lead to remote code execution on Microsoft Windows.
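The following is an added example, not the authors' tool, that illustrates the offline phase described above: given a trace of which full paths the loader probed for each requested component and which path it finally mapped (the kind of data a dynamic-binary-instrumentation online phase would record), it flags loads where an attacker-controllable directory is searched before the real component is found, or before the search gives up entirely. The trace, the directory names and the `UNTRUSTED_DIRS` set are all constructed for the example; a real tool would derive writable directories from file-system ACLs rather than from a hard-coded list.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Constructed example of the offline phase: classify recorded component
# loads as safe, hijackable via an unsafe resolution, or hijackable via a
# resolution failure. This is illustrative code, not the paper's tool.


@dataclass
class LoadEvent:
    requested: str            # component name as passed by the program
    probed: List[str]         # full paths the loader tried, in search order
    resolved: Optional[str]   # path actually loaded, or None if nothing was found


@dataclass
class Finding:
    requested: str
    kind: str                 # "safe" | "unsafe-resolution" | "resolution-failure"
    hijack_dirs: List[str]    # untrusted directories probed before the real file


# Directories assumed (for this example) to be writable by a low-privilege
# user or controllable by a remote attacker: a network share the victim opens
# a document from, and a browser download folder. Stored lower-case because
# Windows paths are case-insensitive.
UNTRUSTED_DIRS = {
    r"\\fileserver\share\docs",
    r"c:\users\alice\downloads",
}


def _untrusted(path: str) -> bool:
    # ntpath handles both drive-letter and UNC paths regardless of host OS.
    return ntpath.dirname(path).lower() in UNTRUSTED_DIRS


def classify(event: LoadEvent) -> Finding:
    """A load is hijackable if an untrusted directory is probed before the
    directory the component was actually found in, or, when resolution
    failed, anywhere along the search order."""
    if event.resolved is None:
        candidates = event.probed          # every probe is a chance to plant a file
        kind = "resolution-failure"
    else:
        cut = (event.probed.index(event.resolved)
               if event.resolved in event.probed else len(event.probed))
        candidates = event.probed[:cut]    # only probes that lost to the real file matter
        kind = "unsafe-resolution"
    hijack_dirs: List[str] = []
    for p in candidates:
        d = ntpath.dirname(p)
        if _untrusted(p) and d not in hijack_dirs:
            hijack_dirs.append(d)
    if event.resolved is not None and not hijack_dirs:
        kind = "safe"
    return Finding(event.requested, kind, hijack_dirs)


def analyze(events: List[LoadEvent]) -> List[Finding]:
    return [classify(e) for e in events]


# Constructed trace of a Windows application started by double-clicking a
# document on a network share, so its current directory is the share.
# Default search order shown: application directory, system directory,
# Windows directory, current directory, then PATH.
APP = r"C:\Program Files\Viewer"
SYS = r"C:\Windows\System32"
WIN = r"C:\Windows"
CWD = r"\\fileserver\share\docs"

TRACE = [
    # Found in System32 before the share is reached: safe.
    LoadEvent("version.dll",
              [APP + r"\version.dll", SYS + r"\version.dll"],
              SYS + r"\version.dll"),
    # Optional component absent on this machine: the loader walks the whole
    # order and its last probe lands in the attacker-controlled share.
    LoadEvent("dwmapi.dll",
              [APP + r"\dwmapi.dll", SYS + r"\dwmapi.dll",
               WIN + r"\dwmapi.dll", CWD + r"\dwmapi.dll"],
              None),
    # Component loaded with the legacy order (current directory searched
    # second): the share is probed before the genuine copy in System32.
    LoadEvent("comctl32.dll",
              [APP + r"\comctl32.dll", CWD + r"\comctl32.dll",
               SYS + r"\comctl32.dll"],
              SYS + r"\comctl32.dll"),
]

if __name__ == "__main__":
    for f in analyze(TRACE):
        print(f"{f.requested:14} {f.kind:20} {', '.join(f.hijack_dirs) or '-'}")
```

The two unsafe categories correspond to the two ways the hijack in the abstract can succeed: a file planted in the share would be loaded for `dwmapi.dll` because nothing else satisfies the request, and for `comctl32.dll` because the share is consulted before the legitimate copy. Which of these is remotely exploitable depends on whether the probed directory is one an attacker can actually populate, which is why the trusted/untrusted split is an input to the classifier rather than something it can infer from the trace alone.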
INDEX TERMS
Unsafe component loading, dynamic analysis.
CITATION
Taeho Kwon, Zhendong Su, "Automatic Detection of Unsafe Dynamic Component Loadings", IEEE Transactions on Software Engineering, vol.38, no. 2, pp. 293-313, March-April 2012, doi:10.1109/TSE.2011.108