Static Detection of Uninitialized Stack Variables in Binary Code

TL;DR

This paper introduces a static analysis framework that detects uninitialized stack variables directly in binary code, uncovering previously unknown bugs in complex software like browsers and kernels.

Contribution

It presents a novel static analysis method for binary code to identify uninitialized variables, filling a gap in binary vulnerability detection.

Findings

Detected 7 new uninitialized memory bugs in real-world binaries

Successfully applied to complex binaries like web browsers and OS kernels

Developed a binary lifting and knowledge representation approach

Abstract

More than two decades after the first stack smashing attacks, memory corruption vulnerabilities utilizing stack anomalies are still prevalent and play an important role in practice. Among such vulnerabilities, uninitialized variables play an exceptional role due to their unpleasant property of unpredictability: as compilers are tailored to operate fast, costly interprocedural analysis procedures are not used in practice to detect such vulnerabilities. As a result, complex relationships that expose uninitialized memory reads remain undiscovered in binary code. Recent vulnerability reports show the versatility on how uninitialized memory reads are utilized in practice, especially for memory disclosure and code execution. Research in recent years proposed detection and prevention techniques tailored to source code. To date, however, there has not been much attention for these types of software bugs within binary executables. In this paper, we present a static analysis framework to find uninitialized variables in binary executables. We developed methods to lift the binaries into a knowledge representation which builds the base for specifically crafted algorithms to detect uninitialized reads. Our prototype implementation is capable of detecting uninitialized memory errors in complex binaries such as web browsers and OS kernels, and we detected 7 novel bugs.