Skip to content
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg February 13, 2017

64-Bit Migration Vulnerabilities

  • Christian Wressnegger

    Christian Wressnegger is a research associate and PhD candidate at the Institute of System Security at the Technische Universität Braunschweig. Prior to taking this position, he has been working for several institutions both in academia and industry in various fields of computer security and machine learning. He graduated with a Masters degree in Computer Science from Technische Universität Graz in 2008. His research interests revolve around the detection and prevention of malware, vulnerability discovery, and applied machine learning.

    TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

    EMAIL logo
    , Fabian Yamaguchi

    Fabian Yamaguchi is a post-doctoral researcher at the Institute of System Security of the Technische Universität Braunschweig. He received his Diploma in Computer Engineering from Technische Universität Berlin in 2011 and his Doctorate in Computer Science from the University of Göttingen in 2015. He was awarded the CAST/GI Dissertation prize for his thesis entitled Pattern-based Vulnerability Discovery and received the German Prize for IT-Security in 2016. In his research, he focuses on program analysis, vulnerability discovery, machine learning, and de-anonymization.

    TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

    , Alwin Maier

    Alwin Maier is a research associate and PhD candidate at the Institute of System Security of the Technische Universität Braunschweig. Prior to that position, he worked at the University of Göttingen where he also graduate with a Masters Degree in Applied Computer Science in 2015. His research interests include various aspects of computer security and machine learning with a focus on program analysis and its applications in computer security.

    TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

    and Konrad Rieck

    Konrad Rieck is a Professor at Technische Universität Braunschweig, where he leads the Institute of System Security. Prior to this, he has been working at the University of Göttingen, Technische Universität Berlin and Fraunhofer Institute FIRST. He graduated in 2004 and received a Doctorate from Technische Universität Berlin in 2009. Konrad Rieck is a recipient of the CAST/GI Dissertation Award, the Google Faculty Research Award and the German Prize for IT-Security. His interests revolve around computer security and machine learning, including the detection of computer attacks, the analysis of malicious code, and the discovery of vulnerabilities.

    TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Abstract

The subtleties of correctly processing integers confronts developers with a multitude of pitfalls that frequently result in severe software vulnerabilities. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, such that also the migration of code itself is a notable security challenge.

In this paper, we provide a high-level overview of integer-based vulnerabilities that originate in code which works as expected on 32-bit platforms but not on 64-bit platforms. The changed width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in existing software. To emphasize the lasting acuteness of this issue, we empirically evaluate the prevalence of these flaws in the scope of Debian stable (“Jessie”) and 200 popular open-source projects hosted on GitHub.

About the authors

Christian Wressnegger

Christian Wressnegger is a research associate and PhD candidate at the Institute of System Security at the Technische Universität Braunschweig. Prior to taking this position, he has been working for several institutions both in academia and industry in various fields of computer security and machine learning. He graduated with a Masters degree in Computer Science from Technische Universität Graz in 2008. His research interests revolve around the detection and prevention of malware, vulnerability discovery, and applied machine learning.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Fabian Yamaguchi

Fabian Yamaguchi is a post-doctoral researcher at the Institute of System Security of the Technische Universität Braunschweig. He received his Diploma in Computer Engineering from Technische Universität Berlin in 2011 and his Doctorate in Computer Science from the University of Göttingen in 2015. He was awarded the CAST/GI Dissertation prize for his thesis entitled Pattern-based Vulnerability Discovery and received the German Prize for IT-Security in 2016. In his research, he focuses on program analysis, vulnerability discovery, machine learning, and de-anonymization.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Alwin Maier

Alwin Maier is a research associate and PhD candidate at the Institute of System Security of the Technische Universität Braunschweig. Prior to that position, he worked at the University of Göttingen where he also graduate with a Masters Degree in Applied Computer Science in 2015. His research interests include various aspects of computer security and machine learning with a focus on program analysis and its applications in computer security.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Konrad Rieck

Konrad Rieck is a Professor at Technische Universität Braunschweig, where he leads the Institute of System Security. Prior to this, he has been working at the University of Göttingen, Technische Universität Berlin and Fraunhofer Institute FIRST. He graduated in 2004 and received a Doctorate from Technische Universität Berlin in 2009. Konrad Rieck is a recipient of the CAST/GI Dissertation Award, the Google Faculty Research Award and the German Prize for IT-Security. His interests revolve around computer security and machine learning, including the detection of computer attacks, the analysis of malicious code, and the discovery of vulnerabilities.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Acknowledgement

The authors gratefully acknowledge funding from the German Federal Ministry of Education and Research (BMBF) under the projects APT-Sweeper (FKZ 16KIS0307) and INDI (FKZ 16KIS0154K).

Received: 2016-8-19
Accepted: 2017-1-17
Published Online: 2017-2-13
Published in Print: 2017-4-20

©2017 Walter de Gruyter Berlin/Boston

Downloaded on 29.3.2024 from https://www.degruyter.com/document/doi/10.1515/itit-2016-0041/html
Scroll to top button