ISSN 0253-2778

CN 34-1054/N

Open Access JUSTC Original Paper

A research on control-flow taint information directed symbolic execution

Cite this:
https://doi.org/10.3969/j.issn.0253-2778.2016.01.004
  • Received Date: 29 March 2015
  • Accepted Date: 22 April 2015
  • Rev Recd Date: 22 April 2015
  • Publish Date: 30 January 2016
  • Aiming at generating test cases that cover potentially vulnerable program points, this paper combines generation-based fuzzing, static control-flow analysis and static taint analysis into a directed dynamic symbolic execution method. Fuzzing first generates test cases that reach the function containing the vulnerable program point; these drive the symbolic execution quickly towards the vulnerable function along a single designated path. Static control-flow analysis and static taint analysis of the vulnerable function then compute the control-flow taint-reachable slices, which direct the multi-path dynamic symbolic execution towards the desired vulnerable program points. Experiments show that the method mitigates the path explosion problem common in symbolic execution and generates test cases that trigger the target vulnerability.
  • [1]
    Goldfroid P, Klarund N. Sen K. DART: Directed automated random testing[C]// SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM Press, 2005: 213-223.
    [2]
    Godefroid P, Levin M Y, Molnar D. Automated whitebox fuzz testing[C]// Proceedings of Network Distributed Security Symposium. San Diego, USA: The Internet Society, 2008: 151-166.
    [3]
    Brumley D, Hartwig C, Kang M G, et al. BitScope: Automatically dissecting malicious binaries[R] Technical report CMU-CS-07-133, Carnegie Mellon University, 2007.
    [4]
    Pǎsǎreanu C S, Mehlitz P C, Bushnell D H, et al. Combining unit-level symbolic execution and system-level concrete execution for testing NASA software[C]// Proceedings of the 2008 International Symposium on Software Testing and Analysis. Seattle, USA: ACM Press, 2008: 15-26.
    [5]
    Hu C J, Li Z J , Ma J X, et al. File parsing vulnerability detection with symbolic execution[C]// Sixth International Symposium on Theoretical Aspects of Software Engineering. Beijing, China: IEEE Press, 2012: 135-142.
    [6]
    Wang X, Chen H G, Jia Z H, et al. Improving integer security for systems with KINT[C]// Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation. Berkeley, USA: USENIX-Association, 2012: 163-177.
    [7]
    Chipounov V, GeorgescuV, Zamfir C, et al. Selective symbolic execution[C]// Proceedings of the 5th Workshop on Hot Topics in System Dependability. Lisbon, Portugal: ACM Press, 2009: 1-6.
    [8]
    Siddiqui J H, Khurshid S. ParSym: Parallel symbolic execution[C]// 2nd International Conference on Software Technology and Engineering. San Juan, Puerto Rico: IEEE Press, 2010: 405-409.
    [9]
    autodafe-fuzzer framework [EB/OL]. http://sourceforge.net/projects/autodafe/?source=directory[2015-1-31].
    [10]
    BinNavi[EB/OL]. www.zynamics.com/binnavi.html, 2013.
    [11]
    王金锭, 王嘉捷, 程绍银, 等. 基于统一中间表示的软件漏洞挖掘系统[C]// 第三届信息安全漏洞分析与风险评估大会. 合肥, 2010: 42-52.
    [12]
    Alfred V A, Monica S L, Ravi S. 编译原理[M]. 第2版, 赵建华, 郑滔, 戴新宇译, 北京: 机械工业出版社, 2009.
    [13]
    崔宝江, 梁晓兵, 王禹, 等. 基于回溯与引导的关键代码区域覆盖的二进制程序测试技术研究[J]. 电子与信息学报, 2012, 34(1): 108-114.
    Cui B J, Liang X B, Wang Y, et al. The study of binary program test techniques based on backtracking and leading for covering key code area[J]. Journal of Electronics &Information Technology, 2012, 34(1): 108-114.
    [14]
    PEACH FUZZE[EB/OL]. http://peachfuzzer.com/, 2012.
    [15]
    Chipounov V, Kuznetsov V, Candea G. S2E: A platform for in-vivo multi-path analysis of software systems[J]. ACM SIGARCH Computer Architecture News, 2011, 39(1): 265-278.)
  • 加载中
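The pipeline the abstract describes (reach the vulnerable function, compute the control-flow taint-reachable slice, then direct the multi-path symbolic execution) can be shown on a toy control-flow graph. The Python below is an added example written for this page; it is not the paper's implementation or its benchmark. The CFG, the def-use facts, the taint sources and the target block are all constructed, and the block names (`chk_len`, `parse_hdr`, `copy`, and so on) are hypothetical. It separates the two pruning decisions the method makes: which branches can still reach the target at all, and which of those depend on attacker-controlled input and therefore need a solver rather than concrete execution.

```python
from collections import deque

# Constructed toy control-flow graph of one "vulnerable function" (block -> successors).
# Blocks with two successors end in a conditional branch. Not the paper's benchmark.
CFG = {
    "entry":     ["chk_len"],
    "chk_len":   ["parse_hdr", "err"],   # if (n < 4) goto err
    "parse_hdr": ["chk_type", "err"],    # if (!valid(hdr)) goto err
    "chk_type":  ["type_a", "type_b"],   # if (ty == 1) ...
    "type_a":    ["chk_mode"],
    "chk_mode":  ["copy", "exit"],       # if (mode) copy(...)   (mode is a config flag)
    "type_b":    ["log"],
    "log":       ["exit"],
    "copy":      ["exit"],               # potential vulnerable program point
    "err":       ["exit"],
    "exit":      [],
}
# Static def-use facts (constructed): block -> {variable defined: variables it is computed from}.
ASSIGN = {
    "entry":     {"buf": set(), "n": set(), "mode": set()},
    "parse_hdr": {"hdr": {"buf"}, "ty": {"hdr"}},
    "type_a":    {"dst": set()},
}
# Variables read by each conditional block's branch condition (constructed).
COND = {"chk_len": {"n"}, "parse_hdr": {"hdr"}, "chk_type": {"ty"}, "chk_mode": {"mode"}}
SOURCES = {"buf", "n"}   # attacker-controlled input: assumed taint sources
TARGET = "copy"


def reach_target(cfg, target):
    """Blocks from which `target` is reachable: backward BFS over reversed edges."""
    rev = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            rev[s].append(b)
    seen, work = {target}, deque([target])
    while work:
        for p in rev[work.popleft()]:
            if p not in seen:
                seen.add(p)
                work.append(p)
    return seen


def tainted_vars(assign, sources):
    """Flow-insensitive static taint propagation to a fixpoint (over-approximates)."""
    tainted = set(sources)
    changed = True
    while changed:
        changed = False
        for defs in assign.values():
            for var, operands in defs.items():
                if var not in tainted and operands & tainted:
                    tainted.add(var)
                    changed = True
    return tainted


def taint_slice(cfg, reach, cond, tainted):
    """Control-flow taint-reachable slice: branches on some path to the target
    whose condition reads a tainted variable. Only these need symbolic forking."""
    return {b for b in reach if len(cfg[b]) > 1 and cond.get(b, set()) & tainted}


def explore(cfg, start, target, reach=None):
    """Depth-first path enumeration. With `reach` given, successors that cannot
    reach the target are pruned, which is the directing step of the method."""
    paths, stack = [], [[start]]
    while stack:
        path = stack.pop()
        block = path[-1]
        succs = cfg[block] if reach is None else [s for s in cfg[block] if s in reach]
        if block == target or not succs:
            paths.append(path)
            continue
        stack.extend(path + [s] for s in succs if s not in path)  # toy CFG is acyclic
    return paths


def constraints_to_solve(path, slice_):
    """(branch block, successor taken) pairs the solver must satisfy along `path`;
    branches outside the slice are left to concrete execution."""
    return [(b, nxt) for b, nxt in zip(path, path[1:]) if b in slice_]


if __name__ == "__main__":
    reach = reach_target(CFG, TARGET)
    slc = taint_slice(CFG, reach, COND, tainted_vars(ASSIGN, SOURCES))
    print("undirected paths:", len(explore(CFG, "entry", TARGET)))
    for path in explore(CFG, "entry", TARGET, reach):
        print("directed path:", " -> ".join(path))
        print("branches to solve:", constraints_to_solve(path, slc))
```

On this toy graph undirected enumeration produces five paths while the reach-pruned search produces the single path through `copy`, and of its four branches only three read input-derived data; the `mode` check is left concrete. The taint fixpoint is flow-insensitive, so it can only over-approximate the tainted set: a branch it marks untainted genuinely does not depend on input under the given def-use facts, which is the safe direction for deciding not to fork. In a real implementation the CFG and def-use facts come from the analysis platform's intermediate representation and the taint sources from the fuzzer's input model.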
