  1. Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school’s Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection.

As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes.

Integer overflows result when computers can’t store numbers – usually because they haven’t been sanity checked – in the memory that’s been allocated for them. Sanity checks are simple queries to test functionality.

The seven researchers behind DIODE – Stelios Sidiroglou-Douskos, Eric Lahtinen, Nathan Rittenhouse, Paolo Piselli, Fan Long, Deokhwan Kim, and Martin Rinard – presented the system last week at the 20th ASPLOS (Architectural Support for Programming Languages and Operating Systems) conference in Istanbul.

The tool works by automatically generating inputs that trigger overflow errors at critical sites. DIODE, which is compatible with off-the-shelf x86 binaries, gets right to work and extracts target expressions and branch conditions for each memory allocation site. As Stelios Sidiroglou-Douskos, a research scientist at CSAIL and the lead author of the paper, writes, whenever DIODE stumbles upon an integer that may be used in a dangerous operation, the system records the current state of the symbolic expression.

The system doesn’t trigger an overflow right off the bat, but characterizes the values around it to better inform the programmer. If DIODE finds a trigger value, it marks it down to help in any future debugging. DIODE’s inputs should identify, then satisfy the requisite sanity checks and “generate an overflow in the target expression, and impose no other constraints on the specific path that the input takes to trigger the overflow,” according to Sidiroglou-Douskos.

DIODE, which was supported by a DARPA grant, isn’t the first debugging tool developed to dig up integer overflows. Researchers with CSAIL previously developed static analysis tools like SIFT (.PDF), which points out inputs that can lead to overflow errors, and KINT (.PDF), a PHP tool. As the team’s academic paper points out, however, unlike SIFT, which requires direct access to source code, DIODE works directly with stripped x86 code. The tool also bests KINT, which often generates a large number of false positives, by omitting false positives.

M.I.T. hopes to release DIODE to the public as open source after the program it’s being developed under, DARPA’s Mission-oriented Resilient Clouds (MRC) program, concludes in October 2015.