Christian Wressnegger, Fabian Yamaguchi, Alwin Maier, Konrad Rieck
{"title":"Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-Bit Platforms","authors":"Christian Wressnegger, Fabian Yamaguchi, Alwin Maier, Konrad Rieck","doi":"10.1145/2976749.2978403","DOIUrl":null,"url":null,"abstract":"Subtle flaws in integer computations are a prime source for exploitable vulnerabilities in system code. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, making the migration of code a notable security challenge. In this paper, we provide the first study on how code that works as expected on 32-bit platforms can become vulnerable on 64-bit platforms. To this end, we systematically review the effects of data model changes between platforms. We find that the larger width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in program code. We empirically evaluate the prevalence of these flaws on the source code of Debian stable (\"Jessie\") and 200 popular open-source projects hosted on GitHub. Moreover, we discuss 64-bit migration vulnerabilities that have been discovered as part of our study, including vulnerabilities in Chromium, the Boost C++ Libraries, libarchive, the Linux Kernel, and zlib.","PeriodicalId":432261,"journal":{"name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","volume":"48 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2976749.2978403","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12
Abstract
Subtle flaws in integer computations are a prime source for exploitable vulnerabilities in system code. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, making the migration of code a notable security challenge. In this paper, we provide the first study on how code that works as expected on 32-bit platforms can become vulnerable on 64-bit platforms. To this end, we systematically review the effects of data model changes between platforms. We find that the larger width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in program code. We empirically evaluate the prevalence of these flaws on the source code of Debian stable ("Jessie") and 200 popular open-source projects hosted on GitHub. Moreover, we discuss 64-bit migration vulnerabilities that have been discovered as part of our study, including vulnerabilities in Chromium, the Boost C++ Libraries, libarchive, the Linux Kernel, and zlib.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
