It is well established that out-of-bounds buffer reads and writes pose a major threat to an application's security. Less appreciated is that even in-bounds reads can violate a security property of the application, especially its confidentiality requirements. For example, an uninitialized or stale portion of a buffer might still hold sensitive data from an earlier use, and such bytes generally should not be read, let alone returned to a client.
This paper introduces a heuristic-driven dynamic analysis that aims to detect reads that may be accessing stale sensitive data. We apply this analysis to two real-world programs where in-bounds stale reads led to leakage of sensitive data: the Jetty web server (with the JetLeak vulnerability) and OpenSSL (with the Heartbleed vulnerability). Our approach was able to detect JetLeak, and with some modifications was also able to detect Heartbleed. We furthermore applied our analysis to the GNU Coreutils, and report results from that experiment. We suggest a number of directions for future work to refine and extend our approach.
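The following C program is an added example, not code from the paper or from Jetty or OpenSSL. It shows the in-bounds stale-read pattern the abstract describes: a reused buffer is "reset" without clearing, a later request writes only a short payload, and a reply length that is within the buffer's capacity still returns bytes left over from the previous request. The shadow "fresh bytes" map (stale_buf, buf_reset, buf_write, buf_read_checked are all hypothetical names) is a deliberately simple stand-in for a dynamic check, not the paper's heuristic: it records which bytes were written since the last reset and counts how many bytes of a read were never written.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a reused I/O buffer plus a shadow "fresh bytes" map.
   All names here are hypothetical; the detection logic is a simplified
   stand-in for a stale-read check, not the paper's heuristic. */

#define BUF_CAP 64

typedef struct {
    uint8_t data[BUF_CAP];   /* the real buffer, reused across requests */
    uint8_t fresh[BUF_CAP];  /* shadow map: 1 = written since last reset */
} stale_buf;

/* Mark the whole buffer stale without touching its contents. This mimics
   a reset that does not clear, the pattern behind stale-data leaks. */
static void buf_reset(stale_buf *b) {
    memset(b->fresh, 0, sizeof b->fresh);
}

/* Copy len bytes of src to offset 0 and mark them fresh. Returns false
   if the copy would be out of bounds (the classic overflow case, which
   is not the in-bounds problem this example is about). */
static bool buf_write(stale_buf *b, const uint8_t *src, size_t len) {
    if (len > BUF_CAP) return false;
    memcpy(b->data, src, len);
    memset(b->fresh, 1, len);
    return true;
}

/* In-bounds read of len bytes into out. Returns how many of those bytes
   were never written since the last reset; a nonzero result means the
   read returns stale data and should be flagged. Returns (size_t)-1 for
   an out-of-bounds request, which is a caller error, not a stale read. */
static size_t buf_read_checked(const stale_buf *b, size_t len, uint8_t *out) {
    size_t stale = 0;
    if (len > BUF_CAP) return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        out[i] = b->data[i];
        if (!b->fresh[i]) stale++;
    }
    return stale;
}

/* Scenario: request 1 writes a secret, the buffer is reset (not cleared),
   request 2 writes a short payload but asks for a 16-byte reply. Both
   payloads are constructed sample data. */
static size_t demo_stale_read(uint8_t *leaked, size_t *leaked_len) {
    static stale_buf b;
    const uint8_t secret[] = "session=deadbeefcafe";
    const uint8_t req2[]   = "hi";
    size_t ask = 16;   /* in bounds, but longer than what request 2 wrote */

    buf_reset(&b);
    buf_write(&b, secret, sizeof secret - 1);
    buf_reset(&b);                       /* next request; contents survive */
    buf_write(&b, req2, sizeof req2 - 1);
    *leaked_len = ask;
    return buf_read_checked(&b, ask, leaked);
}

int main(void) {
    uint8_t out[BUF_CAP];
    size_t n;
    size_t stale = demo_stale_read(out, &n);
    printf("read %zu bytes, %zu of them stale: %.*s\n", n, stale, (int)n, out);
    return 0;
}
```

Running it reads 16 bytes of which 14 are stale, and the reply contains most of the earlier secret even though every access stayed inside the buffer; a bounds checker sees nothing wrong, which is exactly why a separate notion of "bytes written since last use" is needed to catch this class of leak.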