
it - Information Technology

Methods and Applications of Informatics and Information Technology

Editor-in-Chief: Molitor, Paul

6 Issues per year

Online ISSN 2196-7032
Volume 59, Issue 2 (Apr 2017)


64-Bit Migration Vulnerabilities

Christian Wressnegger / Fabian Yamaguchi / Alwin Maier / Konrad Rieck
Published Online: 2017-02-13 | DOI: https://doi.org/10.1515/itit-2016-0041

Abstract

The subtleties of correctly processing integers confront developers with a multitude of pitfalls that frequently result in severe software vulnerabilities. Unfortunately, even code shown to be secure on one platform can be vulnerable on another, so that the migration of code is itself a notable security challenge.

In this paper, we provide a high-level overview of integer-based vulnerabilities that originate in code which works as expected on 32-bit platforms but not on 64-bit platforms. The changed width of integer types and the increased amount of addressable memory introduce previously non-existent vulnerabilities that often lie dormant in existing software. To emphasize the lasting acuteness of this issue, we empirically evaluate the prevalence of these flaws in the scope of Debian stable (“Jessie”) and 200 popular open-source projects hosted on GitHub.

Keywords: Software security; Data models; Integer-based vulnerabilities

ACM CCS: Security and Privacy→Software and application security

About the article

Christian Wressnegger

Christian Wressnegger is a research associate and PhD candidate at the Institute of System Security at the Technische Universität Braunschweig. Prior to taking this position, he worked for several institutions both in academia and industry in various fields of computer security and machine learning. He graduated with a Master's degree in Computer Science from Technische Universität Graz in 2008. His research interests revolve around the detection and prevention of malware, vulnerability discovery, and applied machine learning.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Fabian Yamaguchi

Fabian Yamaguchi is a post-doctoral researcher at the Institute of System Security of the Technische Universität Braunschweig. He received his Diploma in Computer Engineering from Technische Universität Berlin in 2011 and his Doctorate in Computer Science from the University of Göttingen in 2015. He was awarded the CAST/GI Dissertation prize for his thesis entitled Pattern-based Vulnerability Discovery and received the German Prize for IT-Security in 2016. In his research, he focuses on program analysis, vulnerability discovery, machine learning, and de-anonymization.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Alwin Maier

Alwin Maier is a research associate and PhD candidate at the Institute of System Security of the Technische Universität Braunschweig. Prior to that position, he worked at the University of Göttingen, where he also graduated with a Master's degree in Applied Computer Science in 2015. His research interests include various aspects of computer security and machine learning with a focus on program analysis and its applications in computer security.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany

Konrad Rieck

Konrad Rieck is a Professor at Technische Universität Braunschweig, where he leads the Institute of System Security. Prior to this, he worked at the University of Göttingen, Technische Universität Berlin and Fraunhofer Institute FIRST. He graduated in 2004 and received a Doctorate from Technische Universität Berlin in 2009. Konrad Rieck is a recipient of the CAST/GI Dissertation Award, the Google Faculty Research Award and the German Prize for IT-Security. His interests revolve around computer security and machine learning, including the detection of computer attacks, the analysis of malicious code, and the discovery of vulnerabilities.

TU Braunschweig, Institute of System Security, D-38106 Braunschweig, Germany


Accepted: 2017-01-17

Received: 2016-08-19

Published Online: 2017-02-13

Published in Print: 2017-04-20


Citation Information: it - Information Technology, ISSN (Online) 2196-7032, ISSN (Print) 1611-2776, DOI: https://doi.org/10.1515/itit-2016-0041.

©2017 Walter de Gruyter Berlin/Boston.
