Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Fan Yao,Yongbo Li,Yurong Chen,Hongfa Xue,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1109/dsn.2017.57

2017-01-01

Abstract:Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

Xueshuai Ge,Tieming Liu,Yaobin Xie,YuanYuan Zhang

DOI: https://doi.org/10.1117/12.2682314

2023-01-01

Abstract:With increasing number of software vulnerabilities, the quantity of attacks utilizing malicious samples is also on rise, leading to intensified adversarial competition. In particular, the application of automatic vulnerability mining techniques has resulted in a significant increase in the number of vulnerabilities, but security researchers often do not have enough time to deal with them. This paper proposes a symbol-execution-based automated vulnerability exploitation method, which can achieve automation of vulnerability detection, classification and exploitation. Finally, this paper designs and implements a prototype system for symbol-execution-based automated vulnerability exploitation and verifies its effectiveness through experiments. This research provides security analysts with an in-depth understanding of the types of vulnerabilities and determines methods for vulnerability exploitability, further improving the efficiency of analyzing and fixing vulnerabilities.

Weiyu Pan,Zhenbang Chen,Guofeng Zhang,Yunlai Luo,Yufeng Zhang,Ji Wang

DOI: https://doi.org/10.1145/3460319.3464845

2021-01-01

Abstract:Parsing code exists extensively in software. Symbolic execution of complex parsing programs is challenging. The inputs generated by the symbolic execution using the byte-level symbolization are usually rejected by the parsing program, which dooms the effectiveness and efficiency of symbolic execution. Complex parsing programs usually adopt token-based input grammar checking. A token sequence represents one case of the input grammar. Based on this observation, we propose grammar-agnostic symbolic execution that can automatically generate token sequences to test complex parsing programs effectively and efficiently. Our method's key idea is to symbolize tokens instead of input bytes to improve the efficiency of symbolic execution. Technically, we propose a novel two-stage algorithm: the first stage collects the byte-level constraints of token values; the second stage employs token symbolization and the constraints collected in the first stage to generate the program inputs that are more possible to pass the parsing code. We have implemented our method on a Java Pathfinder (JPF) based concolic execution engine. The results of the extensive experiments on real-world Java parsing programs demonstrate the effectiveness and efficiency in testing complex parsing programs. Our method detects 6 unknown bugs in the benchmark programs and achieves orders of magnitude speedup to find the same bugs.

NIU Wei-na,DING Xue-feng,LIU Zhi,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.10.024

2013-01-01

Computer Science

Abstract:Software vulnerability is one main source of computer safety issues,and the key technology of vulnerabilities finding is fuzzing(fuzzy test)which is based on randomly changing the input,however,it cannot construct test cases effectively and eliminate the redundancy of test cases.In order to overcome the shortcomings of traditional fuzzing test,effectively generate test inputs and do not need to analyze the input format,we designed and implemented vulnerability found system(called SEVE)based on symbolic execution for binary program.SEVE makes the inputs symbolic and uses dynamic instrumentation tools to establish the propagation relationship of the symbolic variable,collect path constraints in branch statement,uses interpreter to solve these path constraints to obtain test cases.Experimental results which are based on mp3 and pdf software show that the system can improve the efficiency and the degree of automation of vulnerability discovery.

Peilin Zheng,Zibin Zheng,Xiapu Luo

DOI: https://doi.org/10.1145/3533767.3534395

2022-01-01

Abstract:Symbolic detection has been widely used to detect vulnerabilities in smart contracts. Unfortunately, as reported, existing symbolic tools cost too much time, since they need to execute all paths to detect vulnerabilities. Thus, their accuracy is limited by time. To tackle this problem, in this paper, we propose Park, the first general framework of parallel-fork symbolic execution for smart contracts. The main idea is to use multiple processes during symbolic execution, leveraging multiple CPU cores to enhance efficiency. Firstly, we propose a fork-operation based dynamic forking algorithm to achieve parallel symbolic contract execution. Secondly, to address the SMT performance loss problem in parallelization, we propose an adaptive processes restriction and adjustment algorithm. Thirdly, we design a shared-memory based global variable reconstruction method to collect and rebuild the global variables from different processes. We implement Park as a plug-in and apply it to two popular symbolic execution tools for smart contracts: Oyente and Mythril. The experimental results with third-party datasets show that Park-Oyente and Park-Mythril can provide up to 6.84x and 7.06x speedup compared to original tools, respectively.

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder

2024-09-20

Abstract:In modern software development, vulnerability detection is crucial due to the inevitability of bugs and vulnerabilities in complex software systems. Effective detection and elimination of these vulnerabilities during the testing phase are essential. Current methods, such as fuzzing, are widely used for this purpose. While fuzzing is efficient in identifying a broad range of bugs and vulnerabilities by using random mutations or generations, it does not guarantee correctness or absence of vulnerabilities. Therefore, non-random methods are preferable for ensuring the safety and security of critical infrastructure and control systems. This paper presents a vulnerability detection approach based on symbolic execution and control flow graph analysis to identify various types of software weaknesses. Our approach employs a divide-and-conquer algorithm to eliminate irrelevant program information, thus accelerating the process and enabling the analysis of larger programs compared to traditional symbolic execution and model checking methods.

Cryptography and Security

Xinglu He,Pengfei Wang,Kai Lu,Xu Zhou

DOI: https://doi.org/10.3390/app121910182

2022-01-01

Abstract:Symbolic execution is well known as a dynamic vulnerability discovery technique. Its greatest advantage is the capability to analyze the execution information of the program and to explore the path in the program deterministically. This is a more accurate way to determine if there are vulnerabilities in a program than randomized testing by fuzzing. In addition, symbolic execution does not suffer from the problem of decreasing the capability to discover new paths as more paths are discovered, similar to that caused by random-based fuzzing. However, the reason why symbolic execution is not widely used in vulnerability discovery is mainly due to the state space explosion in the program. The state space explosion severely affects the applicability of symbolic execution. To further improve the applicability of symbolic execution, this paper proposes a path exploration technology based on abstract syntax tree analysis. With the distance between the expression generated by the symbolic execution of the repeat location and the “unsatisfiable” condition of the “unsat” state, we can perform multi-priority scheduling for the repeat location state, thus mitigating the impact of the state space explosion on path exploration. We proposed and implemented EtWExplorer, a multi-priority scheduling technique based on abstract syntax tree analysis. With this technique, we can significantly improve the capability of symbolic execution to discover unknown paths even in state space exploration. Experiments show that EtWExplorer introduces a performance overhead of 72% in the worst case and can improve performance by 294% in the best case. EtWExplorer has a 95% improvement in state space explosion mitigation capability and a 199% to 983% improvement in the path exploration capability of block coverage and a 181% to 1047% improvement in the path exploration capability of edge coverage when facing programs that cause a state space explosion.

Tong Liu,Zhongru Wang,Yuntao Zhang,Zhehui Liu,Binxing Fang,Zhengyuan Pang

DOI: https://doi.org/10.1109/dsc55868.2022.00038

2022-01-01

Abstract:At present, program vulnerabilities occur frequently, which seriously threatens the security of cyberspace. Automated vulnerability discovery technology has attracted more and more attention because of its efficiency and universality. In the current field of vulnerability discovery, it is common to combine fuzzing with symbolic execution technology. Symbolic execution technology is often used to solve the input of complex paths and help fuzzing improve the program coverage, so as to detect vulnerabilities better. However, the symbolic execution has no goals in the process of hybrid execution exploration path, it is easy to cause the execution path to deviate from the expected target points. And generating the test case of the corresponding path requires frequently calling the solver for solution, while the current solver has low efficiency and poor solvability for nonlinear operation. In order to solve the above problems, we propose an automated vulnerability discovery system based on hybrid execution. In the system, we propose the symbolic execution guidance algorithm based on dynamic and static combination to guide the symbolic execution to solve the input reaching the target points, so as to avoid exploring in useless paths and avoid consuming a lot of time and computing resources. In addition we hook some nonlinear functions to optimize the nonlinear function constraint solving, so as to improve the hybrid execution efficiency. We have conducted extensive experiments on the RHG 2019 challenge dataset and the RHG 2021 challenge dataset. The experimental results show the effectiveness and scalability of the system.

Xu Xiao,Xiao-song Zhang,Xiong-da Li

DOI: https://doi.org/10.1109/PCSPA.2010.80

2010-01-01

Abstract:This paper is dedicated to the study of Symbolic Execution and improves the core algorithm of it using Heuristic learning, search and Function Abstraction to effectively address the path explosion problem, which will trigger the vulnerabilities that the traditional method can not find and improve the efficiency, precision and accuracy of software vulnerability discovery.

Shibo Tang,Xingxin Wang,Yifei Gao,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031481

2022-01-01

Abstract:Model checking is one of the most commonly used technique in formal verification. However, the exponential scale state space renders exhaustive state enumeration inefficient even for a moderate System on Chip (SoC) design. In this paper, we propose a method that leverages symbolic execution to accelerate state space search and pinpoint security vulnerabilities. We automatically convert the hardware design to functionally equivalent C++ code and utilize the KLEE symbolic execution engine to perform state exploration through heuristic search. To reduce the search space, we symbolically represent essential input signals while making non-critical inputs concrete. Experiment results have demonstrated that our method can precisely identify security vulnerabilities at significantly lower computation cost.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

ZHANG Jun-xian,LI Zhou-jun

DOI: https://doi.org/10.13190/j.jbupt.2016.s.012

2016-01-01

Abstract:Buffer overflow is a source of many security problems in C programs. A new tool named Path-Checker to detect buffer overflows in C codes using dynamic symbolic execution method is proposed. PathChecker uses quantifier-free predicate formulas to describe the safety properties of buffer access oper-ations and check these properties using a SMT solver. Experimental results show the effectiveness of this tool which is very easy to extend to check other safety properties.

Hui Huang,Yu-Liang Lu,Jun Zhao,Zhi-Yong Wu

DOI: https://doi.org/10.1109/imccc.2013.32

2013-01-01

Abstract:Symbolic Execution based defect discovery techniques for binary programs are now widely applied. However, because of the path explosion problem, it's still not applicable for security analysis on large programs. A great many infeasible paths in the target program also reduce the performance. To fast generate test cases reaching the potentially vulnerable program points, this paper introduces constraints implied in input protocols to symbolic execution, calculates vulnerable point reachable control flow paths using static control flow analysis. The path information is then used to limit dynamic symbolic execution's path exploration space. Experiments prove the effectiveness of our method on performance enhancement in symbolic execution and defect discovery.

Yao Yao,Hui Li 0022,Xin Yang,Yiwang Le

DOI: https://doi.org/10.1109/BigData55660.2022.10020730

IF: 4.426

2022-01-01

Big Data

Abstract:Smart contracts emerged as programs running on the blockchain. Security is one of the major concerns against smart contracts which also exist various vulnerabilities as for any other traditional programs. What was worse, security vulnerabilities in smart contracts may lead to irreversible economic losses. Hence, there is an apparent demand for security audits of contracts before deployment. In recent years, a large number of smart contract vulnerability detection tools have emerged. The methods used by these tools include formal verification, symbolic execution, machine learning, and fuzz testing. These methods can well analyze vulnerabilities, but there are still limitations. In this paper, we optimized and extended the Mythril symbolic execution tool. The optimized pruning algorithm improves the speed of symbolic execution, while the proposed detection algorithm for Transaction Order Dependence vulnerability expands the range of detecting vulnerability. In addition, a machine learning vulnerability detection model is introduced as an auxiliary detection method, which is used to build the complete smart contract vulnerability detection system. The experimental results show that the proposed system reduces the execution time, and improves the accuracy as well as the recall of vulnerability detection compared with the original Mythril tool.

YANG Yang,ZHANG Huan-guo,WANG Hou-zhen

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.06.036

2010-01-01

Computer Science

Abstract:Symbolic execution is an effective and automatic bug-finding method.But symbolic execution is limited in practice by the computation cost and path explosion.We presented a tool for full-automatic detection and generating inputs that lead to memory safety violations in C programs,including buffer overflow,buffer overrun and pointer derefe-rence error.In order to reduce the amount of symbol variable,we used the symbol variable to track the length of buf-fer and C string.The use of symbolic buffer length makes it possible to compactly summarize the behavior of standard buffer manipulation functions.While resolving the problem of path explosion,we introduced the dynamic slicing metho-ds to prune the redundant paths.It’s shown by the experiments that our method presented in this paper not only is feasible but also has little cost.

Weizhong Qiang,Yuehua Liao,Guozhong Sun,Laurence T. Yang,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/access.2017.2676161

IF: 3.9

2017-01-01

IEEE Access

Abstract:During the lifecycle of a software system, software patches are committed to software repositories to fix discovered bugs or append new features. Unfortunately, the patches may bring new bugs or vulnerabilities, which could break the stability and security of the software system. A study shows that more than 15% of software patches are erroneous due to poor testing. In this paper, we present a novel approach for automatically determining whether a patch brings new vulnerabilities. Our approach combines symbolic execution with data flow analysis and static analysis, which allows a quick check of patch-related codes. We focus on typical memory-related vulnerabilities, including buffer overflows, memory leaks, uninitialized data, and dangling pointers. We have implemented our approach as a tool called KPSec, which we used to test a set of real-world software patches. Our experimental results show that our approach can effectively identify typical memory-related vulnerabilities introduced by the patches and improve the security of the updated software.

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder,Olivier Mattmann

2023-11-07

Abstract:Symbolic Execution is a formal method that can be used to verify the behavior of computer programs and detect software vulnerabilities. Compared to other testing methods such as fuzzing, Symbolic Execution has the advantage of providing formal guarantees about the program. However, despite advances in performance in recent years, Symbolic Execution is too slow to be applied to real-world software. This is primarily caused by the \emph{path explosion problem} as well as by the computational complexity of SMT solving. In this paper, we present a divide-and-conquer approach for symbolic execution by executing individual slices and later combining the side effects. This way, the overall problem size is kept small, reducing the impact of computational complexity on large problems.

Cryptography and Security,Symbolic Computation,Systems and Control

Ting Chen,Xiao-song Zhang,Xu Xiao,Yue Wu,Chun-xiang Xu,Hong-tian Zhao

DOI: https://doi.org/10.1108/03321641311297016

2013-01-01

COMPEL The International Journal for Computation and Mathematics in Electrical and Electronic Engineering

Abstract:PurposeSoftware vulnerabilities have been the greatest threat to the software industry for a long time. Many detection techniques have been developed to address this kind of issue, such as Fuzzing, but mere Fuzz Testing is not good enough, because the Fuzzing only alters the input of program randomly, and does not consider the basic semantics of the target software. The purpose of this paper is to introduce a new vulnerability exploring system, called “SEVE” to explore the target software more deeply and to generate more test cases with more accuracy.Design/methodology/approachSymbolic execution is the core technique of SEVE. The user can just input a standard input, and the SEVE system will record the execution path, alter the critical branches of it, and generate a totally different test case which will make the software under test execute a different path. In this way, some potential bugs or defects, even the exploitable vulnerabilities will be discovered. To alleviate path explosion, the authors propose heuristic method and function abstraction, which in turn improve the performance of SEVE even further.FindingsWe evaluate SEVE system to record critical data about its efficiency and performance. We have tested some real‐world vulnerabilities, from which the underlying file‐input programs suffer. After that, the results show that SEVE is not only re‐creating the discovery of these vulnerabilities, but also at a higher performance level than traditional techniques.Originality/valueThe paper proposes a new vulnerability exploring system, called “SEVE” to explore the target software and generate test cases automatically and also heuristic method and function abstraction to handle path explosion.