ABSTRACT
Automated program testing tools typically try to explore and cover as much of the tested program as possible while attempting to trigger and detect bugs. An alternative and complementary approach is to first select a specific part of a program that may be subject to a specific class of bug, and then narrowly focus exploration on program paths that could trigger such a bug.
In this work, we introduce the BORG (Buffer Over-Read Guard), a testing tool that uses static and dynamic program analysis, taint propagation and symbolic execution to detect buffer overread bugs in real-world programs. BORG works by first selecting buffer accesses that could lead to an overread and then guiding symbolic execution towards those accesses along program paths that could actually lead to an overread. BORG operates on binaries and does not require source code. To demonstrate BORG's effectiveness, we use it to detect overreads in six complex server applications and libraries, including lighttpd, FFmpeg and ClamAV.
The BORG: Nanoprobing Binaries for Buffer Overreads