Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan


Results

The results of running the analysis tool against the test binary produced the expected behavior. To illustrate this, it is helpful to consider a sampling of the functions that were analyzed. The following functions have a form that is similar to the ANI vulnerability. These functions also match the criteria described in the previous subsection. Specifically, these functions do not make use of GS and pass a pointer to a stack-allocated local variable (var) to a child function:

/* Declarations inferred from usage; the original listing omits them. */
struct _foo { int *ptr; int val; };
int tc_df_pass_local_ptr_to_callee_func(int *p);

/* Address of a stack local passed directly to the callee. */
int tc_df_pass_local_ptr_to_callee() {
  int var;
  tc_df_pass_local_ptr_to_callee_func(&var);
  return 0;
}
/* Same address, but passed through a local pointer alias. */
int tc_df_pass_local_ptr_to_callee_alias() {
  int var;
  int *p = &var;
  tc_df_pass_local_ptr_to_callee_func(p);
  return 0;
}
/* Same address, stored in a struct field before being passed. */
int tc_df_pass_local_ptr_to_callee_alias_struct(
    struct _foo *foo) {
  int var;
  foo->ptr = &var;
  return tc_df_pass_local_ptr_to_callee_func(
    foo->ptr);
}

Additionally, a handful of other test functions were included in the target binary to confirm that scenarios which do not meet the criteria are not falsely reported as matches. Some examples of these functions include:

/* Value-taking callee, declared here because the original listing omits it;
   struct _foo and tc_df_pass_local_ptr_to_callee_func are as in the listing above. */
int tc_df_pass_local_to_callee_func(int v);

/* p holds a copy of var's value, not its address: nothing escapes. */
int tc_df_pass_local_to_callee_alias() {
  int var = 2;
  int p = var;
  tc_df_pass_local_to_callee_func(p);
  return 0;
}
/* p points at var, but the callee receives the dereferenced value only. */
int tc_df_pass_local_to_callee_deref() {
  int var = 2;
  int *p = &var;
  tc_df_pass_local_to_callee_func(*p);
  return 0;
}
/* The pointer passed is into caller-supplied (non-stack) memory, not a local. */
int tc_df_pass_heap_ptr_to_callee(struct _foo *foo) {
  tc_df_pass_local_ptr_to_callee_func(&foo->val);
  return 0;
}

When running the analysis tool against the target binary, the following output is shown:

>PhaseRunner.exe detectani.xml dfa.exe
Running phase: ANI Detection ... 1 target(s)

Displaying 3 normalizables at the
  ProgramElement.Method granularity...

00001: dfa!tc_df_pass_local_ptr_to_callee_alias
00002: dfa!tc_df_pass_local_ptr_to_callee
00003: dfa!tc_df_pass_local_ptr_to_callee_alias_struct
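To make the narrowing step concrete, the following added example (not the paper's PhaseRunner tool, and not code from the original article) re-implements the two criteria over a constructed intermediate representation of the six test functions above. Instead of lifting x86 from dfa.exe, each function is hand-encoded as straight-line statements (address-of, copy, load, call), and a single forward may-point-to pass tracks which locals or struct fields hold the address of a stack local so that the alias and alias_struct cases are caught while the value-copy, dereference and caller-supplied-pointer cases are not. The `gs_enabled` flag stands in for the compiler's /GS cookie check; the seventh function, a GS-enabled copy of the first, is constructed here to exercise that filter and does not appear on the page. Branches and loops are deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Operand forms used in the constructed IR:
#   ("addr", "x")   the C expression &x   (x may be a field path such as foo->val)
#   ("var", "x")    the value currently held in x (x may be a field path such as foo->ptr)
#   ("deref", "x")  the C expression *x   (a value loaded through x, never an address)
Operand = Tuple[str, str]

# Statement forms:
#   ("addr", dst, src)      dst = &src
#   ("copy", dst, src)      dst = src
#   ("deref", dst, src)     dst = *src
#   ("call", callee, args)  callee(args...)


@dataclass
class Func:
    name: str
    gs_enabled: bool                                  # True if the frame carries a /GS cookie
    locals: Set[str]                                  # stack-allocated locals of this function
    params: Set[str] = field(default_factory=set)     # pointers handed in by the caller
    stmts: List[tuple] = field(default_factory=list)


def base_name(path: str) -> str:
    """Variable at the root of an access path: 'foo->ptr' -> 'foo', 'var' -> 'var'."""
    return path.replace("->", ".").split(".")[0]


def stack_local_pointer_args(func: Func) -> List[Tuple[str, Operand]]:
    """Single forward pass over straight-line statements tracking which storage
    locations may hold the address of one of func's own stack locals. Returns
    (callee, operand) for every call argument that carries such an address."""
    points_to: Dict[str, Set[str]] = {}
    flagged: List[Tuple[str, Operand]] = []
    for stmt in func.stmts:
        op = stmt[0]
        if op == "addr":
            _, dst, src = stmt
            root = base_name(src)
            # &var and &local_struct.field are stack addresses; &param->field is not
            points_to[dst] = {root} if root in func.locals else set()
        elif op == "copy":
            _, dst, src = stmt
            points_to[dst] = set(points_to.get(src, set()))   # aliasing propagates
        elif op == "deref":
            _, dst, src = stmt
            points_to[dst] = set()                            # a loaded value, not an address
        elif op == "call":
            _, callee, args = stmt
            for kind, name in args:
                if kind == "addr" and base_name(name) in func.locals:
                    flagged.append((callee, (kind, name)))
                elif kind == "var" and points_to.get(name):
                    flagged.append((callee, (kind, name)))
                # "deref" operands pass a value through the pointer, never the address
        else:
            raise ValueError(f"unknown statement {stmt!r}")
    return flagged


def matches_ani_criteria(func: Func) -> bool:
    """The narrowing used above: no GS cookie AND a stack-local address reaches a callee."""
    return not func.gs_enabled and bool(stack_local_pointer_args(func))


def find_candidates(funcs: List[Func]) -> List[str]:
    return sorted(f.name for f in funcs if matches_ani_criteria(f))


PTR_CALLEE = "tc_df_pass_local_ptr_to_callee_func"
VAL_CALLEE = "tc_df_pass_local_to_callee_func"

# Constructed IR for the six test functions listed above, plus one GS-enabled
# variant (not on the page) that exists only to exercise the GS filter.
TEST_BINARY = [
    Func("tc_df_pass_local_ptr_to_callee", False, {"var"}, stmts=[
        ("call", PTR_CALLEE, [("addr", "var")])]),
    Func("tc_df_pass_local_ptr_to_callee_alias", False, {"var", "p"}, stmts=[
        ("addr", "p", "var"),
        ("call", PTR_CALLEE, [("var", "p")])]),
    Func("tc_df_pass_local_ptr_to_callee_alias_struct", False, {"var"}, {"foo"}, stmts=[
        ("addr", "foo->ptr", "var"),
        ("call", PTR_CALLEE, [("var", "foo->ptr")])]),
    Func("tc_df_pass_local_to_callee_alias", False, {"var", "p"}, stmts=[
        ("copy", "p", "var"),
        ("call", VAL_CALLEE, [("var", "p")])]),
    Func("tc_df_pass_local_to_callee_deref", False, {"var", "p"}, stmts=[
        ("addr", "p", "var"),
        ("call", VAL_CALLEE, [("deref", "p")])]),
    Func("tc_df_pass_heap_ptr_to_callee", False, set(), {"foo"}, stmts=[
        ("call", PTR_CALLEE, [("addr", "foo->val")])]),
    Func("tc_df_pass_local_ptr_to_callee_gs", True, {"var"}, stmts=[   # constructed extra
        ("call", PTR_CALLEE, [("addr", "var")])]),
]

if __name__ == "__main__":
    for name in find_candidates(TEST_BINARY):
        print(f"dfa!{name}")
```

Run stand-alone it reports the same three functions as the PhaseRunner output above (in sorted rather than discovery order). The split between `("addr", ...)` and `("var", ...)` operands is what distinguishes the alias cases: a direct `&var` is recognised syntactically, whereas `p` or `foo->ptr` is only flagged because the earlier address-of statement populated its points-to set.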

While this unfortunately does not prove that these techniques could be used to identify the function containing the ANI vulnerability, it does hint at the potential for detecting that function using its suggested exploitation and vulnerability properties. As an aside, another interesting way in which this type of detection can be accomplished is through Language Integrated Query (LINQ) expressions, which are now supported in Visual Studio 2008[11]. For instance, a simple LINQ expression for the above narrowing operation can be expressed as:

var matches =
    from Method method in engine.GetScopeMethods()
    where !method.IsGuardStackEnabled() &&
          method.IsPassingStackLocalPtrToChild()
    select method;

foreach (var method in matches)
    Console.WriteLine("{0} matches", method);