Static Detection of Uninitialized Stack Variables in Binary Code


Conference / Medium

Research Hub

Research Hub B: Embedded Security
Research Hub C: Secure Systems

Research Challenges

RC 8: Security with Untrusted Components


More than two decades after the first stack smashing attacks, memory corruption vulnerabilities utilizing stack anomalies are still prevalent and play an important role in practice. Among such vulnerabilities, uninitialized variables play an exceptional role due to their unpleasant property of unpredictability: as compilers are tailored to operate fast, costly interprocedural analysis procedures are not used in practice to detect such vulnerabilities. As a result, complex relationships that expose uninitialized memory reads remain undiscovered in binary code. Recent vulnerability reports show the versatility of how uninitialized memory reads are utilized in practice, especially for memory disclosure and code execution. Research in recent years has proposed detection and prevention techniques tailored to source code. To date, however, these types of software bugs have received little attention within binary executables.

In this paper, we present a static analysis framework to find uninitialized variables in binary executables. We developed methods to lift the binaries into a knowledge representation which builds the base for specifically crafted algorithms to detect uninitialized reads. Our prototype implementation is capable of detecting uninitialized memory errors in complex binaries such as web browsers and OS kernels, and we detected 7 novel bugs.
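The core of a detector like the one described is a must-initialization dataflow analysis over the lifted representation: a stack slot is safe to read only if it is written on every path reaching the read, which is exactly what intersection at control-flow joins computes. The following Python block is an added example written for this page, not code from the paper's framework. The three-operation IR (def/use/call), the callee summary for the hypothetical `get_len`, and the three sample functions are constructed for illustration. The call summary stands in for the interprocedural information the abstract refers to: without it, a slot that a callee initializes through an out-pointer is reported as uninitialized, which is the kind of false positive an intraprocedural analysis produces.

```python
"""Must-initialization analysis over a toy "lifted" stack-slot IR.

Added example for this page; it is not the paper's framework. The IR, the
callee summaries and the sample functions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# One IR op: ("def", slot) writes a stack slot, ("use", slot) reads it,
# ("call", callee) invokes a function whose effect on the caller's frame is
# taken from a summary (e.g. an out-parameter the callee always writes).
Op = Tuple[str, str]
# Callee summary: slots of the *caller's* frame the callee definitely writes.
Summaries = Dict[str, FrozenSet[str]]


@dataclass
class Block:
    ops: List[Op]
    succs: List[str]


@dataclass
class Function:
    entry: str
    blocks: Dict[str, Block]
    # slots holding spilled arguments: the only ones initialized on entry
    args: FrozenSet[str] = frozenset()


def step(state: FrozenSet[str], op: Op, summaries: Summaries) -> FrozenSet[str]:
    """Effect of a single op on the set of definitely-initialized slots."""
    kind, target = op
    if kind == "def":
        return state | {target}
    if kind == "call":
        return state | summaries.get(target, frozenset())
    return state  # a "use" initializes nothing


def transfer(state: FrozenSet[str], ops: List[Op], summaries: Summaries) -> FrozenSet[str]:
    for op in ops:
        state = step(state, op, summaries)
    return state


def analyze(fn: Function, summaries: Summaries) -> Dict[str, FrozenSet[str]]:
    """Forward must-analysis: IN[b] = slots initialized on *every* path into b.
    The meet at joins is intersection, so a slot written on only one branch,
    or only inside a loop body that may run zero times, does not survive."""
    slots = fn.args | frozenset(s for v in summaries.values() for s in v)
    slots |= frozenset(t for b in fn.blocks.values() for k, t in b.ops if k != "call")
    preds: Dict[str, List[str]] = {name: [] for name in fn.blocks}
    for name, b in fn.blocks.items():
        for s in b.succs:
            preds[s].append(name)
    # start every block at "all slots" (top); intersection drives it down to a fixpoint
    in_state = {name: slots for name in fn.blocks}
    changed = True
    while changed:
        changed = False
        for name in fn.blocks:
            outs = [transfer(in_state[p], fn.blocks[p].ops, summaries) for p in preds[name]]
            if name == fn.entry:
                outs.append(fn.args)  # boundary: only arguments are initialized on entry
            new = frozenset.intersection(*outs) if outs else slots
            if new != in_state[name]:
                in_state[name], changed = new, True
    return in_state


def find_uninitialized_reads(fn: Function, summaries: Summaries) -> List[Tuple[str, int, str]]:
    """Return (block, op index, slot) for each read of a slot that is not
    definitely initialized at that point."""
    in_state = analyze(fn, summaries)
    findings = []
    for name, b in fn.blocks.items():
        state = in_state[name]
        for i, op in enumerate(b.ops):
            if op[0] == "use" and op[1] not in state:
                findings.append((name, i, op[1]))
            state = step(state, op, summaries)
    return findings


# Hypothetical summary: get_len(&len) always writes the caller's slot "len".
SUMMARIES: Summaries = {"get_len": frozenset({"len"})}

# int f(int flag) { int x; if (flag) x = 1; return x; }  -> x uninitialized on the else path
BRANCH = Function("entry", {
    "entry": Block([("use", "flag")], ["then", "join"]),
    "then": Block([("def", "x")], ["join"]),
    "join": Block([("use", "x")], []),
}, frozenset({"flag"}))

# int g(void) { int len; get_len(&len); return len; }  -> clean only with the callee summary
OUTPARAM = Function("entry", {
    "entry": Block([("call", "get_len"), ("use", "len")], []),
})

# int h(int n) { int i = 0, last; for (; i < n; i++) last = i; return last; }  -> zero-trip loop
LOOP = Function("entry", {
    "entry": Block([("def", "i")], ["head"]),
    "head": Block([("use", "i"), ("use", "n")], ["body", "exit"]),
    "body": Block([("def", "last"), ("def", "i")], ["head"]),
    "exit": Block([("use", "last")], []),
}, frozenset({"n"}))

if __name__ == "__main__":
    for label, fn in (("branch", BRANCH), ("outparam", OUTPARAM), ("loop", LOOP)):
        print(label, find_uninitialized_reads(fn, SUMMARIES))
    print("outparam without summaries", find_uninitialized_reads(OUTPARAM, {}))
```

Running the block reports the read of `x` in `join` and of `last` in `exit`, while `len` in the out-parameter case is clean only when the summary for `get_len` is supplied; dropping the summaries (`find_uninitialized_reads(OUTPARAM, {})`) turns that read into a finding. A real lifter has to derive such summaries from the callee's code and resolve which caller slot a pointer argument refers to, which is where the cost of the interprocedural analysis the abstract mentions comes from.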



Software Reverse Engineering
Software Security
Program Analysis