Automatic Detection of Vulnerable Dynamic Component Loadings

Dynamic loading of software components (e.g., libraries or modules) is a widely used mechanism for improved system modularity and flexibility. In general, an operating system or a runtime environment resolves the loading of a specifically named component by searching for its first occurrence in a sequence of directories determined at runtime. Correct component resolution is critical for reliable and secure software execution, however, programming mistakes may lead to unintended or even malicious components to be resolved and loaded. In particular, dynamic loading can be hijacked by placing an arbitrary file with the specified name in a directory searched before resolving the target component. Although this issue has been known for quite some time, it was not considered serious because exploiting it requires access to the local file system on the vulnerable host. Recently such vulnerabilities started to receive considerable attention as their remote exploitation became realistic; it is now important to detect and fix these vulnerabilities. In this paper, we present the first automated technique to detect vulnerable and unsafe dynamic component loadings. We classify two types of unsafe dynamic loadings—resolution failure and resolution hijacking—and develop an effective dynamic program analysis to detect both types. A resolution failure happens when the target component cannot be located in any of the searched directories, while a resolution hijacking happens when there exist other directories searched before the directory containing the target component. Our analysis has two phases: 1) apply dynamic binary instrumentation to collect runtime information on component loading (online phase); and 2) analyze the collected information to detect vulnerable component loadings (offline phase). For evaluation, we implemented our technique to detect vulnerable and unsafe DLL loadings in popular Microsoft Windows software. Our results show that unsafe DLL loading is prevalent and can lead to serious security threats. Our tool detected more than 1,700 unsafe DLL loadings in 28 widely used software and discovered serious attack vectors for remote code execution. Microsoft has opened a Microsoft Security Response Center (MSRC) case on our reported issues and is working with us to develop necessary patches.