BASICS: Binary Analysis and Stack Integrity Checker System for Buffer Overflow Mitigation

TL;DR

BASICS is a system that automatically detects and repairs buffer overflow vulnerabilities in binary C programs using model checking, concolic execution, and trampoline-based patching, achieving high accuracy and outperforming existing tools.

Contribution

This work introduces a novel binary analysis approach combining model checking, concolic execution, and automated patching to improve buffer overflow mitigation in C programs.

Findings

Achieved over 87% accuracy and precision in vulnerability detection and correction.

Outperformed CWE Checker in evaluations.

Successfully repaired vulnerabilities in real applications and datasets.

Abstract

Cyber-Physical Systems have played an essential role in our daily lives, providing critical services such as power and water, whose operability, availability, and reliability must be ensured. The C programming language, prevalent in CPS development, is crucial for system control where reliability is critical. However, it is also commonly susceptible to vulnerabilities, particularly buffer overflows. Traditional vulnerability discovery techniques often struggle with scalability and precision when applied directly to the binary code of C programs, which can thereby keep programs vulnerable. This work introduces a novel approach designed to overcome these limitations by leveraging model checking and concolic execution techniques to automatically verify security properties of a program's stack memory in binary code, trampoline techniques to perform automated repair of the issues, and crash-inducing inputs to verify if they were successfully removed. The approach constructs a Memory State Space -- MemStaCe -- from the binary program's control flow graph and simulations, provided by concolic execution, of C function calls and loop constructs. The security properties, defined in LTL, model the correct behaviour of functions associated with vulnerabilities and allow the approach to identify vulnerabilities in MemStaCe by analysing counterexample traces that are generated when a security property is violated. These vulnerabilities are then addressed with a trampoline-based binary patching method, and the effectiveness of the patches is checked with crash-inducing inputs extracted during concolic execution. We implemented the approach in the BASICS tool for BO mitigation and evaluated using the Juliet C/C++ and SARD datasets and real applications, achieving an accuracy and precision above 87%, both in detection and correction. Also, we compared it with CWE Checker, outperforming it.