Symbolic Execution for Bug Detection and Automated Exploit Generation
|
|
- Camron Doyle
- 5 years ago
- Views:
Transcription
1 Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
2 Why symbolic execution? Real-world applications of this methodology: (Testing) bug detection e.g., inputs that crash an application (Security) exploit and backdoor identification e.g., inputs to bypass authentication code (Security) malware analysis e.g., generate vulnerability-based signatures (Security) reverse engineering of crypto code e.g., obtain an input that have generated an output 2 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
3 What is symbolic execution? Introduced by James C. King in a 76 paper as a static analysis technique for executing a program symbolically. Main idea: program variables are associated with symbols a symbol represents a set of possible input values execution adds constraints on symbols, restricting the input space conditional branches cause execution to fork into multiple execution paths 3 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
4 [Example] Find inputs that cause an unsafe division 1. int foobar ( int a, int b, int c) { 2. int x = 0, y = 0, z = 0; 3. if (a!= 0) 4. x = -2; 5. if (b < 5) { 6. z = 2; 7. if ( a == 0 && c!= 0) 8. y = 1; 9. } 10. return a / ( x + y + z - 3); // critical stmt 11. } Symbolic execution can find all inputs that lead to a division by zero at line 10 4 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
5 [Example] Step-by-step symbolic execution A minimal execution state can be represented with a pair (s, pc), where pc is the set of constraints on the symbols that have been added so far to reach the statement s to evaluate next. After evaluating: 1. int foobar ( int a, int b, int c) { The execution state is thus: A mapping between symbols and variables is maintained as well. 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
6 [Example] Step-by-step symbolic execution After evaluating: 2. int x = 0, y = 0, z = 0; Execution tree: 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
7 [Example] Step-by-step symbolic execution After evaluating: 3. if (a!= 0) 4. x = -2; Execution tree: 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
8 [Example] Step-by-step symbolic execution After evaluating: 5. if (b < 5) { 6. z = 2; 7. if ( a == 0 && c!= 0) 8. y = 1; 9. } 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
9 [Example] Step-by-step symbolic execution Check for divisor equal to zero at line: 10. return a / ( x + y + z - 3); Unsafe inputs follow from path constraints of state N: α a = 0 α b < 5 α c 0 5 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
10 [Example] Discussion Given a program, can we prove that no crash is possible? 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
11 [Example] Discussion Given a program, can we prove that no crash is possible? In theory, yes! Symbolic execution is sound and complete. However: 1 constraints can be hard to solve 2 execution states to analyze can be many 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
12 [Example] Discussion Given a program, can we prove that no crash is possible? In theory, yes! Symbolic execution is sound and complete. However: 1 constraints can be hard to solve 2 execution states to analyze can be many Does symbolic execution scale to complex programs? 6 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
13 Scalability issues? From a paper on symbolic execution: For example, KLEE is a state-of-the-art forward symbolic execution engine, but in practice is limited to small programs such as /bin/ls. 7 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
14 Scalability issues? From a paper on symbolic execution: For example, KLEE is a state-of-the-art forward symbolic execution engine, but in practice is limited to small programs such as /bin/ls. Pure static symbolic execution hardly scales 7 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
15 SAGE [NDSS 08] Impact of imperfect symbolic execution: 8 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
16 SAGE [NDSS 08] (cont d) 9 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
17 Many problems to address A symbolic execution engine deals with a number of aspects: 1 memory model 2 path explosion 3 state scheduling 4 symbolic execution strategy 5 interaction with environment 6 constraint solving Each solution chooses a set of techniques and tools many trade-offs to consider (e.g., completeness vs. efficiency) different choices for different goals 10 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
18 Memory model Variables and more complex non-scalar memory objects can be represented using: index-based memory (e.g., [MAYHEM-SP12]): memory modeled as a flat memory object-based memory (e.g., [EXE-CCS06, STP-TR07]): memory as a set of distinct objects (arrays with a size) The memory model has a huge impact on symbolic constraints (what can be expressed, how solver-friendly they are, etc.) 11 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
19 Index-based memory Index-based memory: memory is a map µ : I E from 32-bit indices (i I ) to expressions (e E) load expressions e = load(µ, i): i indexes µ and the loaded value e represents the contents of the i-th memory cell store expressions store(µ, i, e): a new memory µ where i is mapped to e, i.e., µ = µ[i e] Akin to a concrete execution memory model Problem: i may reference any cell in memory Solution: try to find upper & lower bounds 12 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
20 Path explosion Each undecidable branch forks execution: exponential explosion of paths. Preconditioned symbolic execution [AEG-NDSS11] deals with this aspect by imposing preconditions on the input space: None Known Length: e.g., interesting inputs have a minimum length Known Prefix: e.g., interesting inputs have a known prefix Concolic Execution: consider only a single (concrete) value for an input By limiting the size of input space, symbolic execution can explore the target program more efficiently. However, if a precondition is too specific, no bugs or exploits will be found. 13 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
21 [Example] Preconditions // N symbolic branches if ( input [0] < 42) [...] [...] if ( input [N - 1] < 42) [...] // symbolic loop strcpy ( dest, input ); // a loop Impact of preconditions on state space: None: 2 N S Known Length: constraint that (S 1) bytes of input are not equal to \0. Loop length is known: 2 N Known Prefix: first P bytes of input are known (P < N < S; e.g., fixed string in header). 2 N P S Concolic Execution: single path 14 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
22 Concolic execution Concolic execution: mixed static/dynamic technique. Concrete values of some symbols are taken from a concrete (dynamic) execution and used in the symbolic (static) execution. Examples: use faster dynamic techniques to test code, switch temporarily to symbolic execution to make progress use concrete values when reasoning on some constraints is too hard: something is still better than nothing! (i) test program on a concrete input, (ii) track branches (taken flag + constraints), and (iii) generate a new random input test that is compliant with constraints and explores new code 15 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
23 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
24 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } A purely symbolic approach may be unable to explore error path! 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
25 [Example] Concolic execution void bar ( int a, int b) { int x = foo (b); if (a == x) { // some critical error } } int foo ( int v) { return ( v * v) % 50; // complex constraint } A purely symbolic approach may be unable to explore error path! Concolic approach Generate random values for a and b: execute on these inputs and track path constraints. Negate constraints on the branch in order to generate new inputs that will explore the error path. 16 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
26 Path explosion (2) Static and dynamic program analysis techniques can be used to narrow the space of states. E.g.,: program slicing: identify set of programs statements that may affect the values at a given program point taint-analysis: identify variables affected (e.g., modified) by the user input 17 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
27 Symbolic executors Keeping in memory all the execution states is expensive Execution strategies: offline executors: one path at time, every run independent from the others, exploits concrete execution (e.g., [SAGE-NDSS08]) online executors: at each fork, execution state is cloned (copy-on-write); all active execution states are kept in memory, isolation is guaranteed (e.g., [KLEE-OSDI08, AEG-NDSS11]) hybrid executors: mixed approach, use of checkpoints (e.g., [MAYHEM-SP12]) Critical aspect w.r.t. scalability! 18 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
28 State scheduling Too many paths to explore: need to prioritize some over others! Several heuristics, e.g.: depth first search: popular, minimizes memory overhead random path selection: popular, avoids starvation coverage optimize search: e.g., [KLEE-OSDI08] buggy path-first: e.g., [AEG-NDSS11] loop exhaustion: e.g., [AEG-NDSS11] function pointer detection: e.g., [MAYHEM-SP12] Papers adopt different mixes of heuristics in order to reach different goals 19 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
29 Interaction with environment Environment is an input source (e.g., syscalls). Hard to consider all possible outcomes of an interaction. Environment is emulated through models, e.g.: symbolic file system: e.g., [KLEE-OSDI08] symbolic sockets: e.g., [AEG-NDSS11] libraries: e.g., [AEG-NDSS11] Side-effects are approximated (this can significantly affect completeness) 20 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
30 Symbolic file system [KLEE-OSDI08] Operations on: concrete files: actually performed symbolic files: emulated using a simple symbolic file system private to each state. User decides files number and size. N+1 branches for unconstrained symbolic file: N: one for each symbolic file 1: error scenario 21 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
31 Constraint solvers Some expressions are hard to solve (e.g., non-linear constraints) A number for popular constraint solvers: STP [STP-TR07]: used by [EXE-CCS06, KLEE-OSDI08, MineSweeper-BOTNET08] Z3 [Z3-TACAS08]: used by [FIRMALICE-NDSS15, MAYHEM-SP12] Dissolver [DISSOLVER-TR03]: initially used by [SAGE-NDSS08] Parma Polyhedra Library [PPL-SCP08]: used by [AEG-NDSS11] 22 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
32 Source code vs. binary code Some papers target source code, others binary code source code compilation decompilation IR lowering lifiting binary code Static analysis of source code can provide useful hints about input and code properties. These are often exploited by symbolic execution to explore a smaller number of paths. What are the benefits of having the source code? Which are the techniques used when evaluating binaries? 23 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
33 Source code vs. binary code (cont d) source code compilation decompilation IR lowering lifiting binary code Examples: [KLEE-OSDI08] works on LLVM bytecode (source code to IR) [FIRMALICE-NDSS15] works on VEX IR (binary code to IR) Can we convert LLVM bytecode to VEX IR and viceversa? Can we lift IA32 and x86-64 to LLVM IR? :-) 24 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
34 A few security-related examples Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware (NDSS 2015) Symbolic execution is used to find inputs that bypass authentication code Exploring Multiple Execution Paths for Malware Analysis (SSP 2007) Symbolic execution is used to find events that force malwares to show malicious behaviors 25 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
35 A few security-related examples (cont d) AEG: automatic exploit generation (NDSS 2011) Symbolic execution is used to automatically generate an exploit (e.g., find the string input that will be executed as a shell code) Unleashing MAYHEM on Binary Code (SSP 2012) Given a tainted jump, symbolic execution is used to find if instruction pointer can be modified to execute a malicious payload 26 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
36 Conclusions Symbolic execution is a very powerful technique Hardly scales in general, but is widely adopted in specific contexts: indeed, compromises are needed! Can be used to tackle many non-trivial problems......and fun things can be done with it :) 27 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
37 References [AEG-NDSS11] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: automatic exploit generation (NDSS 2011) [DISSOLVER-TR03] Y. Hamadi. Disolver: A distributed constraint solver (Technical report, 2003) [EXE-CCS06] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. Exe: Automatically generating inputs of death (CCS 2006) [FIRMALICE-NDSS15] Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna. FIRMALICE - automatic detection of authentication bypass vulnerabilities in binary firmware (NDSS 2015) [K-ACM76] J. C. King. Symbolic execution and program testing (ACM Comm. 1976) [KLEE-OSDI08] C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs (OSDI 2008) 28 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
38 References (cont d) [MAYHEM-SP12] S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley. Unleashing MAYHEM on binary code (IEEE SSP 2012) [MineSweeper-BOTNET08] D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Botnet Detection: Countering the Largest Security Threat, chapter Automatically Identifying Trigger-based Behavior in Malware (Springer, 2008) [SAGE-NDSS08] P. Godefroid, M. Y. Levin, and D. A. Molnar. Automated white-box fuzz testing (NDSS 2008) [Z3-TACAS08] L. De Moura and N. BjÃÿrner. Z3: An efficient SMT solver (TACAS-ETAPS 2008) [KKM-USEC05] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis (SSYM 2005) [DART-PLDI05] P. Godefroid, N. Klarlund, and K. Sen. Dart: Directed automated random testing (PLDI 2005) 29 / 29 Daniele Cono D Elia Symbolic Execution for Bug Detection & A.E.G.
Symbolic Execution. Wei Le April
Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationn HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!
Announcements SMT Solvers, Symbolic Execution n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week! n Presentations n Some of
More informationCMSC 430 Introduction to Compilers. Fall Symbolic Execution
CMSC 430 Introduction to Compilers Fall 2015 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationSymbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois
Symbolic Execution Joe Hendrix Galois, Inc SMT Summer School 2015 Galois, Inc We solve hard research problems for clients. Symbolic Execution is a technique for mapping code into logic. is widely used
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationA Hybrid Symbolic Execution Assisted Fuzzing Method
A Hybrid Symbolic Execution Assisted Fuzzing Method Li Zhang Institute for Infocomm Research A*STAR Singapore zhang-li@i2r.a-star.edu.sg Vrizlynn L. L. Thing Institute for Infocomm Research A*STAR Singapore
More informationCYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution
CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution Instructor: Dr. Kun Sun Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features
More informationSoftware has bugs. Static analysis 4/9/18. CYSE 411/AIT681 Secure Software Engineering. To find them, we use testing and code reviews
CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution Instructor: Dr. Kun Sun Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features
More informationIC-Cut: A Compositional Search Strategy for Dynamic Test Generation
IC-Cut: A Compositional Search Strategy for Dynamic Test Generation Maria Christakis 1 and Patrice Godefroid 2 1 Department of Computer Science ETH Zurich, Switzerland maria.christakis@inf.ethz.ch 2 Microsoft
More informationCMSC 631 Program Analysis and Understanding. Spring Symbolic Execution
CMSC 631 Program Analysis and Understanding Spring 2013 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all
More informationKLEE: Effective Testing of Systems Programs Cristian Cadar
KLEE: Effective Testing of Systems Programs Cristian Cadar Joint work with Daniel Dunbar and Dawson Engler April 16th, 2009 Writing Systems Code Is Hard Code complexity Tricky control flow Complex dependencies
More informationUnleashing MAYHEM on Binary Code
Unleashing MAYHEM on Binary Code Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert and David Brumley Carnegie Mellon University Pittsburgh, PA {sangkilc, thanassis, alexandre.rebert, dbrumley}@cmu.edu
More informationResearch on Fuzz Testing Framework based on Concolic Execution
017 International Conference on Computer Science and Application Engineering (CSAE 017) ISBN: 978-1-60595-505-6 Research on uzz Testing ramework based on Concolic Execution Xiong Xie and Yuhang Chen *
More informationProtection and Mitigation of Software Bug Exploitation
Protection and Mitigation of Software Bug Exploitation Vartan Padaryan vartan@ispras.ru 1 How safe is latest Linux release? Command line arguments fuzzer (inspired by Brumley s article) Launch programs
More informationSelective Symbolic Execution
Selective Symbolic Execution Vitaly Chipounov, Vlad Georgescu, Cristian Zamfir, George Candea School of Computer and Communication Sciences École Polytechnique Fédérale de Lausanne (EPFL), Switzerland
More informationSymbolic Execution. Michael Hicks. for finding bugs. CMSC 631, Fall 2017
Symbolic Execution for finding bugs Michael Hicks CMSC 631, Fall 2017 Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features Rare circumstances Nondeterminism
More informationReferences: Thomas A. Henzinger (1996): The theory of hybrid automata In: Annual IEEE Symposium on Logic in Computer Science
Hybrid Systems Modeling In today's fast evolving technologies where the line between analog and digital systems is getting blurred, systems consist of a mix of continuous and discrete components. A discrete
More informationDART: Directed Automated Random Testing
DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC Presented by Wei Fang January 22, 2015 PLDI 2005 Page 1 June 2005 Motivation Software testing:
More informationAutomated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar
Automated Whitebox Fuzz Testing by - Patrice Godefroid, - Michael Y. Levin and - David Molnar OUTLINE Introduction Methods Experiments Results Conclusion Introduction Fuzz testing is an effective Software
More informationA Survey of Search Strategies in the Dynamic Symbolic Execution
A Survey of Search Strategies in the Dynamic Symbolic Execution Yu LIU *, Xu ZHOU a and Wei-Wei GONG b National University of Defense Technology, Changsha, China a zhouxu@nudt.edu.cn, b IssacGong@outlook.com
More informationAEG: Automatic Exploit Generation
AEG: Automatic Exploit Generation Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley Carnegie Mellon University, Pittsburgh, PA {thanassis, sangkilc, brentlim, dbrumley}@cmu.edu Abstract
More informationDART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley Verification and esting We would like to prove programs correct Verification and esting We
More informationAEG: Automatic Exploit Generation
Carnegie Mellon University Research Showcase @ CMU Department of Electrical and Computer Engineering Carnegie Institute of Technology 2-2011 AEG: Automatic Exploit Generation Thanassis Avgerinos Carnegie
More informationSymbolic Execution for Software Testing: Three Decades Later
doi:10.1145/2408776.2408795 The challenges and great promise of modern symbolic execution techniques, and the tools to help implement them. By Cristian Cadar and Koushik Sen Symbolic Execution for Software
More informationSymbolic Memory with Pointers
Symbolic Memory with Pointers Marek Trtík 1, and Jan Strejček 2 1 VERIMAG, Grenoble, France Marek.Trtik@imag.fr 2 Faculty of Informatics, Masaryk University, Brno, Czech Republic strejcek@fi.muni.cz Abstract.
More informationSymbolic Execu.on. Suman Jana
Symbolic Execu.on Suman Jana Acknowledgement: Baishakhi Ray (Uva), Omar Chowdhury (Purdue), Saswat Anand (GA Tech), Rupak Majumdar (UCLA), Koushik Sen (UCB) What is the goal? Tes.ng Tes%ng approaches are
More informationA Backtracking Symbolic Execution Engine with Sound Path Merging
A Backtracking Symbolic Execution Engine with Sound Path Merging Andreas Ibing Chair for IT Security TU München, Germany Email: andreas.ibing@tum.de Abstract Software vulnerabilities are a major security
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationIntroduction to Symbolic Execution
Introduction to Symbolic Execution Classic Symbolic Execution 1 Problem 1: Infinite execution path Problem 2: Unsolvable formulas 2 Problem 3: symbolic modeling External function calls and system calls
More informationEmblematic Execution for Software Testing based on DART AND CUTE
Emblematic Execution for Software Testing based on DART AND CUTE K. K. V. D. Hari Prasad 1, Ch. V. Phani Krishna and V. Samson Deva Kumar 3 1 Student, IV/IV B.Tech, Department of Computer Science Engineering,
More informationLAVA: Large-scale Automated Vulnerability Addition
LAVA: Large-scale Automated Vulnerability Addition Engin Kirda Andrea Mambretti Wil Robertson Northeastern University Brendan Dolan-Gavitt NYU Tandon Patrick Hulin, Tim Leek, Fredrich Ulrich, Ryan Whelan
More informationDynamic Symbolic Execution using Eclipse CDT
Dynamic Symbolic Execution using Eclipse CDT Andreas Ibing Chair for IT Security TU München Boltzmannstrasse 3, 85748 Garching, Germany Email: andreas.ibing@tum.de Abstract Finding software bugs before
More informationImproving Program Testing and Understanding via Symbolic Execution
Improving Program Testing and Understanding via Symbolic Execution Kin-Keung Ma PhD Dissertation Defense December 9 th, 2011 Motivation } Every year, billions of dollars are lost due to software system
More informationAutomated Whitebox Fuzz Testing
Automated Whitebox Fuzz Testing ( Research Patrice Godefroid (Microsoft Michael Y. Levin (Microsoft Center for ( Excellence Software David Molnar (UC Berkeley & MSR) Fuzz Testing Send random data to application
More informationTest Generation Using Symbolic Execution
Test Generation Using Symbolic Execution Patrice Godefroid Microsoft Research pg@microsoft.com Abstract This paper presents a short introduction to automatic code-driven test generation using symbolic
More informationSoftware Testing CS 408. Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18
Software Testing CS 408 Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18 Relevant Papers CUTE: A Concolic Unit Testing Engine for C Koushik Sen, Darko Marinov, Gul Agha Department of
More informationMicrosoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis
Microsoft SAGE and LLVM KLEE Julian Cohen HockeyInJune@isis.poly.edu Manual and Automatic Program Analysis KLEE KLEE [OSDI 2008, Best Paper Award] Based on symbolic execution and constraint solving techniques
More informationJPF SE: A Symbolic Execution Extension to Java PathFinder
JPF SE: A Symbolic Execution Extension to Java PathFinder Saswat Anand 1,CorinaS.Păsăreanu 2, and Willem Visser 2 1 College of Computing, Georgia Institute of Technology saswat@cc.gatech.edu 2 QSS and
More informationAutomated Software Testing
Automated Software Testing for the 21 st Century Patrice Godefroid Microsoft Research Page 1 June 2015 Outline Two parts: 1. Some recent advances on automated software testing Technical developments Applications
More informationTowards Automatic Generation of Vulnerability- Based Signatures
Towards Automatic Generation of Vulnerability- Based Signatures David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha (presented by Boniface Hicks) Systems and Internet Infrastructure Security
More informationTesting & Symbolic Execution
Testing & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationTackling the Path Explosion Problem in Symbolic Execution-driven Test Generation for Programs
2010 19th IEEE Asian Test Symposium Tackling the Path Explosion Problem in Symbolic Execution-driven Test Generation for Programs Saparya Krishnamoorthy, Michael S. Hsiao and Loganathan Lingappan Department
More informationAn Empirical Study of Path Feasibility Queries
An Empirical Study of Path Feasibility Queries Asankhaya Sharma Department of Computer Science National University of Singapore asankhs@comp.nus.edu.sg Abstract In this paper we present a comparative study
More informationTesting, Fuzzing, & Symbolic Execution
Testing, Fuzzing, & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed
More informationSimuVEX. Using VEX in Symbolic Analysis
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu
More informationFrom Symbolic Execution to Concolic Testing. Daniel Paqué
From Symbolic Execution to Concolic Testing Daniel Paqué Structure Symbolic Execution Concolic Testing Execution Generated Testing Concurrency in Concolic Testing 2 Motivation Software Testing usually
More informationDynamic Software Model Checking
Dynamic Software Model Checking Patrice Godefroid Microsoft Research Page 1 September 2014 Ed Clarke: A man, An idea LASER 2011 summer school (Elba island, Italy) Page 2 September 2014 Ed Clarke: A man,
More informationDirected symbolic execution
Directed symbolic execution Kin-Keung Ma, Khoo Yit Phang, Jeffrey S. Foster, and Michael Hicks Computer Science Department, University of Maryland, College Park {kkma,khooyp,jfoster,mwh}@cs.umd.edu Technical
More informationSOFTWARE testing techniques have not progressed significantly
EDIC RESEARCH PROPOSAL 1 Scalable Automated Testing Using Symbolic Execution Stefan Bucur DSLAB, I&C, EPFL Abstract Current software testing processes involve significant human intervention, which is both
More informationMACKE: Compositional Analysis of Low-Level Vulnerabilities with Symbolic Execution
MACKE: Compositional Analysis of Low-Level Vulnerabilities with Symbolic Execution Saahil Ognawala 1, Martín Ochoa 2, Alexander Pretschner 1, Tobias Limmer 3 1 Technical University of Munich, Germany,
More informationSoftware Crash Analysis for Automatic Exploit GenerationonBinaryPrograms
270 IEEE TRANSACTIONS ON RELIABILITY, VOL. 63, NO. 1, MARCH 2014 Software Crash Analysis for Automatic Exploit GenerationonBinaryPrograms Shih-Kun Huang, Member, IEEE, Min-Hsiang Huang, Po-Yen Huang, Han-Lin
More informationIndustrial Application of Concolic Testing Approach: A Case Study on libexif by Using CREST-BV and KLEE
Industrial Application of Concolic Testing Approach: A Case Study on libexif by Using CREST-BV and KLEE Yunho Kim, Moonzoo Kim, YoungJoo Kim CS Dept. KAIST, South Korea kimyunho@kaist.ac.kr, moonzoo@cs.kaist.ac.kr,
More informationConstraint Solving Challenges in Dynamic Symbolic Execution. Cristian Cadar. Department of Computing Imperial College London
Constraint Solving Challenges in Dynamic Symbolic Execution Cristian Cadar Department of Computing Imperial College London Joint work with Dawson Engler, Daniel Dunbar Peter Collingbourne, Paul Kelly,
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationIntroduction to software exploitation ISSISP 2017
Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationSymbolic Execution for Software Testing in Practice Preliminary Assessment
Symbolic Execution for Software Testing in Practice Preliminary Assessment Cristian Cadar Imperial College London c.cadar@imperial.ac.uk Koushik Sen U.C. Berkeley ksen@eecs.berkeley.edu Patrice Godefroid
More informationInception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati
Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurélien Francillon (EURECOM) 08/15/18 Embedded
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More information(State of) The Art of War: Offensive Techniques in Binary Analysis
2016 IEEE Symposium on Security and Privacy (State of) The Art of War: Offensive Techniques in Binary Analysis Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher,
More informationAutomatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing
Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus Cristian Cadar Imperial College London United Kingdom {t.kapus, c.cadar}@imperial.ac.uk Abstract
More informationBillions and Billions of Constraints: Whitebox Fuzz Testing in Production
Billions and Billions of Constraints: Whitebox Fuzz Testing in Production Ella Bounimova Microsoft Research, USA Patrice Godefroid Microsoft Research, USA David Molnar Microsoft Research, USA Abstract
More informationFinding vulnerabilifes CS642: Computer Security
Finding vulnerabilifes CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Finding vulnerabilifes Manual analysis Simple
More informationFitness-Guided Path Exploration in Dynamic Symbolic Execution
Fitness-Guided Path Exploration in Dynamic Symbolic Execution Tao Xie 1 Nikolai Tillmann 2 Jonathan de Halleux 2 Wolfram Schulte 2 1 Department of Computer Science, North Carolina State University, NC
More informationProgram Analysis and Constraint Programming
Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization
More informationSymbolic Execution of Virtual Devices
2013 13th International Conference on Quality Software Symbolic Execution of Virtual Devices Kai Cong, Fei Xie, and Li Lei Department of Computer Science Portland State University Portland, OR 97207, USA
More informationHow to Sandbox IIS Automatically without 0 False Positive and Negative
How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1
More informationDynamic Test Generation to Find Bugs in Web Application
Dynamic Test Generation to Find Bugs in Web Application C.SathyaPriya 1 and S.Thiruvenkatasamy 2 1 Department of IT, Shree Venkateshwara Hi-Tech Engineering College, Gobi, Tamilnadu, India. 2 Department
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationRecovering Types from Binaries
Recovering Types from Binaries Teodora Baluta Shiqi Shen Alexandros Dimos Advised by prof. Prateek Saxena School of Computing, NUS {teobaluta, shensq04, alexandros.dimos95}@gmail.com Decompilation Load
More informationAutomated Signature Generation: Overview and the NoAH Approach. Bernhard Tellenbach
Automated Signature Generation: Overview and the NoAH Approach Structure Motivation: The speed of insecurity Overview Building Blocks and Techniques The NoAH approach 2 The speed of insecurity Source:
More informationarxiv: v1 [cs.pl] 23 Jan 2012
On Synergy of Metal, Slicing, and Symbolic Execution Jiří Slabý, Jan Strejček, and Marek Trtík arxiv:1201.4719v1 [cs.pl] 23 Jan 2012 Faculty of Informatics, Masaryk University Botanická 68a, 60200 Brno,
More informationTaintscope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang Tao Wei Guofei Gu Wei Zou March 12, 2014 is: A Fuzzing tool Checksum-Aware Directed Why a new fuzzing
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationTargeted Program Transformations for Symbolic Execution. Cristian Cadar. Software Reliability Group Department of Computing. ESEC/FSE New Ideas Track
Targeted Program Transformations for Symbolic Execution Cristian Cadar Software Reliability Group Department of Computing ESEC/FSE New Ideas Track 2nd September 2015 Background: Dynamic Symbolic Execution
More informationCan the Best Defense be to Attack?
Can the Best Defense be to Attack? MITACS Digital Security Seminar Series at Carleton University Presenter: Dr. Nur Zincir-Heywood Dalhousie University, Faculty of Computer Science Arms Race Security engineers
More informationRooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018
Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationStatic Vulnerability Analysis
Static Vulnerability Analysis Static Vulnerability Detection helps in finding vulnerabilities in code that can be extracted by malicious input. There are different static analysis tools for different kinds
More informationFuzzgrind: an automatic fuzzing tool
Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com Fuzzgrind: an automatic fuzzing tool 2/55 Plan 1 2 3 4 Fuzzgrind:
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationIdentifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software
Identifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software Hong Hu, Zheng Leong Chua, Zhenkai Liang, and Prateek Saxena Department of Computer Science, National University of Singapore
More informationBINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE
BINARY-LEVEL SECURITY: SEMANTIC ANALYSIS TO THE RESCUE Sébastien Bardin (CEA LIST) Joint work with Richard Bonichon, Robin David, Adel Djoudi & many other people 1 ABOUT MY LAB @CEA 2 IN A NUTSHELL Binary-level
More informationS2PF: Speculative Symbolic PathFinder
S2PF: Speculative Symbolic PathFinder Yufeng Zhang, Zhenbang Chen, Ji Wang National Laboratory for Parallel and Distributed Processing Department of Computing Science, National University of Defense Technology
More informationSecurity Testing. John Slankas
Security Testing John Slankas jbslanka@ncsu.edu Course Slides adapted from OWASP Testing Guide v4 CSC 515 Software Security What is Security Testing? Validate security controls operate as expected What
More informationLecture 10. Pointless Tainting? Evaluating the Practicality of Pointer Tainting. Asia Slowinska, Herbert Bos. Advanced Operating Systems
Lecture 10 Pointless Tainting? Evaluating the Practicality of Pointer Tainting Asia Slowinska, Herbert Bos Advanced Operating Systems December 15, 2010 SOA/OS Lecture 10, Pointer Tainting 1/40 Introduction
More informationEnhancing Symbolic Execution with Veritesting By Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley
Enhancing Symbolic Execution with Veritesting By Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley DOI:1.1145/2927924 1. INTRODUCTION Symbolic execution is a popular automatic approach
More informationDynamic Symbolic Database Application Testing
Dynamic Symbolic Database Application Testing Chengkai Li, Christoph Csallner University of Texas at Arlington June 7, 2010 DBTest 2010 Chengkai Li, Christoph Csallner Dynamic Symbolic Database Application
More informationNetwork Architecture Laboratory
Automated Synthesis of Adversarial Workloads for Network Functions Luis Pedrosa, Rishabh Iyer, Arseniy Zaostrovnykh, Jonas Fietz, Katerina Argyraki Network Architecture Laboratory Software NFs The good:
More informationTo Detect Stack Buffer Overflow With Polymorphic Canaries
To Detect Stack Buffer Overflow With Polymorphic Canaries 何钟灵 April 29, 2018 1 Personal 1.1 intro This is based on an essay by Zhilong Wang in our group. Our group is named SECLAB in Lab 428, Building
More informationMLSA: a static bugs analysis tool based on LLVM IR
International Journal of Networked and Distributed Computing, Vol. 4, No. 3 (July 2016), 137-144 MLSA: a static bugs analysis tool based on LLVM IR Hongliang Liang 1, Lei Wang 1, Dongyang Wu 1, Jiuyun
More informationUsing static analysis to detect use-after-free on binary code
Using static analysis to detect use-after-free on binary code Josselin Feist Laurent Mounier Marie-Laure Potet Verimag / University of Grenoble - Alpes France SDTA 2014 - Clermont-Ferrand 5 décembre 2014
More informationBuilding a Reactive Immune System for Software Services
Building a Reactive Immune System for Software Services Tobias Haupt January 24, 2007 Abstract In this article I summarize the ideas and concepts of the paper Building a Reactive Immune System for Software
More informationOn Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs
1 On Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs Hui Xu, Zirui Zhao, Yangfan Zhou, and Michael R. Lyu, Fellow, IEEE arxiv:1712.01674v2 [cs.se] 25 May 2018 Abstract Symbolic
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More information