Static Detection of File Access Control Vulnerabilities on Windows System. (22nd September 2020)
- Record Type:
- Journal Article
- Title:
- Static Detection of File Access Control Vulnerabilities on Windows System. (22nd September 2020)
- Main Title:
- Static Detection of File Access Control Vulnerabilities on Windows System
- Authors:
- Lu, Jiadong
Gu, Fangming
Wang, Yiqi
Chen, Jiahui
Peng, Zhiniang
Wen, Sheng
- Abstract:
- Summary: Traditional applications have been developed for decades. Most of the security research around them has focused on the detection of memory corruption vulnerabilities, such as buffer overflows, double fetches, and integer overflows. By contrast, logic bugs, a kind of flaw caused by unreasonable application logic, attract much less attention. Files are the most common medium for programs to persist their data in the system. As the file owners, programs are responsible for protecting their files from tampering by malicious users by leveraging access control mechanisms. However, if a program configures its access control mechanisms incorrectly and so lets malicious users bypass security checks to access files, there exists a file access control vulnerability. As a branch of logic flaws, file access control vulnerabilities have received less attention from researchers. Thus, to mitigate the harm of file access control vulnerabilities on Windows systems, our team conducted first-step research on them. We first classified file access control bugs into two types and codified some bug patterns. Then we formalized file access control vulnerabilities to propose a scalable detection method and implemented a lightweight analysis system, StaticFAC. After evaluating StaticFAC on real-world Windows software, we discovered 15 zero-day bugs.
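The bug class the abstract describes, in concrete form. This is an added PowerShell example written for this page; it is not StaticFAC and not code from the authors. Where the paper detects the pattern statically in the program, this script checks an installed file's DACL at run time, so it is a complementary audit, not the paper's method. The scratch directory under $env:TEMP, the file name service.config and its content, the list of low-privileged SIDs and the rights mask are all assumptions made for the demonstration.

```powershell
# Added example (not from the paper or StaticFAC). Builds a file with the weak DACL the
# abstract describes (a group every local user belongs to may modify a file a privileged
# component later trusts), flags it, then applies a hardened DACL and re-checks.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Well-known SIDs any local user can satisfy (assumed list). An Allow ACE for one of these
# carrying write-class rights is the file access control bug pattern audited here.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-7',       # ANONYMOUS LOGON
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a caller change content, delete/replace the file, or rewrite its DACL.
$TamperRights = [FileSystemRights]::Write -bor [FileSystemRights]::Delete -bor
                [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership

function Get-WeakFileAces {
    # Returns one object per Allow ACE granting a low-privileged principal tamper rights.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        try {
            # Compare SIDs, not names, so localized or renamed groups still match.
            $sid = $ace.IdentityReference.Translate([SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable SID: cannot be one of the well-known groups above
        }
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$TamperRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Set-HardenedFileAcl {
    # Replaces the DACL: no inheritance, SYSTEM and Administrators full control,
    # Users read/execute only. Add the service account that must write, if any.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($entry in @(
        @{ Sid = 'S-1-5-18';     Rights = [FileSystemRights]::FullControl },    # SYSTEM
        @{ Sid = 'S-1-5-32-544'; Rights = [FileSystemRights]::FullControl },    # Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = [FileSystemRights]::ReadAndExecute }  # Users
    )) {
        $rule = [FileSystemAccessRule]::new([SecurityIdentifier]::new($entry.Sid), $entry.Rights,
                    [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# --- Constructed demonstration in a scratch directory; no real product files are touched ---
$scratch = Join-Path $env:TEMP ('fac-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$config = Join-Path $scratch 'service.config'                       # assumed file name
Set-Content -LiteralPath $config -Value 'plugin_dir=C:\Example\plugins'   # constructed content

# The bug: an installer grants BUILTIN\Users Modify on a file a privileged service trusts.
$weak = Get-Acl -LiteralPath $config
$weak.AddAccessRule([FileSystemAccessRule]::new(
    [SecurityIdentifier]::new('S-1-5-32-545'), [FileSystemRights]::Modify,
    [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -LiteralPath $config -AclObject $weak

'Before hardening:'
Get-WeakFileAces -Path $config | Format-Table -AutoSize              # flags BUILTIN\Users

Set-HardenedFileAcl -Path $config
'After hardening (no rows expected):'
Get-WeakFileAces -Path $config | Format-Table -AutoSize

Remove-Item -LiteralPath $scratch -Recurse -Force
```

To audit an installed product rather than the scratch file, feed a tree into the checker, e.g. `Get-ChildItem -LiteralPath $env:ProgramFiles -Recurse -File | ForEach-Object { Get-WeakFileAces -Path $_.FullName }`. Two caveats: an ACE on the parent directory that lets low-privileged users create or delete entries is as dangerous as a writable file, since the file can be replaced wholesale, so directories need the same review; and a run-time scan only sees the configuration on one machine, whereas the paper's point is to find the faulty ACL-setting logic in the program itself before it is deployed.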
- Is Part Of:
- Concurrency and computation. Volume 34:Number 16(2022)
- Journal:
- Concurrency and computation
- Issue:
- Volume 34:Number 16(2022)
- Issue Display:
- Volume 34, Issue 16 (2022)
- Year:
- 2022
- Volume:
- 34
- Issue:
- 16
- Issue Sort Value:
- 2022-0034-0016-0000
- Page Start:
- n/a
- Page End:
- n/a
- Publication Date:
- 2020-09-22
- Subjects:
- logical vulnerability -- static analysis -- vulnerability detection
Parallel processing (Electronic computers) -- Periodicals
Parallel computers -- Periodicals
004.35
- Journal URLs:
- http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/cpe.6004
- Languages:
- English
- ISSNs:
- 1532-0626
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3405.622000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 22137.xml