Xi Ge,Kunal Taneja,Tao Xie,Nikolai Tillmann

DOI: https://doi.org/10.1145/1985793.1985971

2011-01-01

Abstract:Software-defect detection is an increasingly important research topic in software engineering. To detect defects in a program, static verification and dynamic test generation are two important proposed techniques. However, both of these techniques face their respective issues. Static verification produces false positives, and on the other hand, dynamic test generation is often time consuming. To address the limitations of static verification and dynamic test generation, we present an automated defect-detection tool, called DyTa, that combines both static verification and dynamic test generation. DyTa consists of a static phase and a dynamic phase. The static phase detects potential defects with a static checker; the dynamic phase generates test inputs through dynamic symbolic execution to confirm these potential defects. DyTa reduces the number of false positives compared to static verification and performs more efficiently compared to dynamic test generation.

WANG Wei-Guang,ZENG Qing-Kai,SUN Hao

DOI: https://doi.org/10.13328/j.cnki.jos.005027

2016-01-01

Journal of Software

Abstract:Addressing the requirement for defect detection, this paper proposes critical operation oriented dynamic symbolic execution. First, based on the defined critical operations and the relevant critical paths, a set of initial inputs are evaluated by computing the ability of covering critical operations under different contexts, and efficient initial inputs can be selected for the following dynamic symbolic execution. Second, leveraging the critical operations, dynamic symbolic execution is guided to explore paths which are more prone to defects. In this way, defect detection becomes a process of locating critical operations and exploring critical paths. A prototype system called CrashFinder is implemented and tested on a number of Linux x86 executables. The experimental results show that this approach is effective in initial input evaluation and efficient in defect detection.

Hui Huang,Yu-Liang Lu,Jun Zhao,Zhi-Yong Wu

DOI: https://doi.org/10.1109/imccc.2013.32

2013-01-01

Abstract:Symbolic Execution based defect discovery techniques for binary programs are now widely applied. However, because of the path explosion problem, it's still not applicable for security analysis on large programs. A great many infeasible paths in the target program also reduce the performance. To fast generate test cases reaching the potentially vulnerable program points, this paper introduces constraints implied in input protocols to symbolic execution, calculates vulnerable point reachable control flow paths using static control flow analysis. The path information is then used to limit dynamic symbolic execution's path exploration space. Experiments prove the effectiveness of our method on performance enhancement in symbolic execution and defect discovery.

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

CUI Baojiang,GUO Pengfei,WANG Jianxin

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.019

2009-01-01

Abstract:A system model that combines symbolic and actual execution was developed for path analyses of binary codes to find program bug.A debugger was built to dynamically load a program to obtain the binary code.The transformed system binary code is transformed into expressions containing more information than the assembly code which are useful for svmbolic execution.The symbolic code is then executed with the actual code to obtain the path conditions.The svmbolic execution analysis of the verification test program links the program's execution path to its unique input.Tests show that the system model can precisely analyze the relationships between the program input and its execution path.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

YANG Yang,ZHANG Huan-guo,WANG Hou-zhen

DOI: https://doi.org/10.3969/j.issn.1002-137X.2010.06.036

2010-01-01

Computer Science

Abstract:Symbolic execution is an effective and automatic bug-finding method.But symbolic execution is limited in practice by the computation cost and path explosion.We presented a tool for full-automatic detection and generating inputs that lead to memory safety violations in C programs,including buffer overflow,buffer overrun and pointer derefe-rence error.In order to reduce the amount of symbol variable,we used the symbol variable to track the length of buf-fer and C string.The use of symbolic buffer length makes it possible to compactly summarize the behavior of standard buffer manipulation functions.While resolving the problem of path explosion,we introduced the dynamic slicing metho-ds to prune the redundant paths.It’s shown by the experiments that our method presented in this paper not only is feasible but also has little cost.

Shubin Yuan,Chenyu Liu,Jianheng Shi,Xinyu Liu,Wei Pu,JunTao Yu,LiQun Yang

DOI: https://doi.org/10.1145/3672121.3672141

2024-01-01

Abstract:With the continuous increase in the scale and complexity of computer software, code defects in software pose a serious threat to public security. A Static Detection Method for Code Defects Based on Transformer is proposed to address the issues of poor scalability of static analysis tools, as well as coarse detection granularity and unsatisfactory detection performance of existing methods. Firstly, perform data flow and control flow analysis on key points in the source code, and adopt a slicing method based on Interprocedural Finite Distributive Subset (IFDS) to obtain code fragments composed of multiple lines of statements related to code defects. Then, the word embedding method is used to obtain vector representations related to the semantics of the code snippets, in order to select the appropriate length of the code snippets while ensuring accuracy. Finally, use Transformer to detect the segment features at the slice level to determine whether the code has defects. The experimental results show that the proposed method can effectively detect different types of code defects, and the detection effect is significantly better than the static analysis tool Flawfender. Under fine-grained conditions, the IFDS slicing method can further improve F1 value and accuracy, reaching 89.64 and 92.08 respectively. It can be seen that the proposed method has better comprehensive detection performance without significantly increasing time complexity.

Chun Shan,Shiyou Sun,Jingfeng Xue,Changzhen Hu,Hongjin Zhu

DOI: https://doi.org/10.1007/978-3-319-64701-2_27

2017-01-01

Abstract:Array bounds is the most commonly fault in java programs design, it often leads to wrong results even system crash. To solve these problems, this paper proposed a detecting array bounds method based on symbolic execution. The method generated the abstract syntax tree from the source code, and then created a control flow graph according to the abstract syntax tree. It adopted flaw detectors to detect defects of array bound. Finally, using the standard function to test the ability of this method in detecting array bounds. The results indicated that this method can detect array bounds defects of crossing process indirectly, array bounds defects within process and array bounds defects of crossing process directly very well and it is better than some existing Java methods of detecting array bounds defects.

Yong Wang,Hailin Yan,Zhenyan Liu,Jingfeng Xue,Changzhen Hu,Ming Li

DOI: https://doi.org/10.1109/3pgcic.2015.102

2015-01-01

Abstract:Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

Xiaobing Liang,Baojiang Cui,Yingjie Lv,Yilun Fu

DOI: https://doi.org/10.1109/imis.2015.40

2015-01-01

Abstract:The security defect detection technology based on source code usually makes use of static analysis methods to detect security vulnerabilities in the test software, which does not consider the runtime information of program execution and the interaction information with the program runtime surrounding environment, so the security defect detection technology based on source code usually results in higher false positive rate. The binary program vulnerability detection methods based upon dynamic analysis usually have lower false positive rate, but their effectiveness depends entirely on test case generation, the detection efficiency of dynamic analysis based on binary program is lower. Moreover, the research of source code vulnerability detection technique and binary executable vulnerability detection technique are essentially fragmented, without considering the relationship between the two classes of methods. In order to improve the efficiency for source code and binary executables vulnerability detection, we presents a collaborative analysis method for vulnerability detection of source code and binary executables based upon the unified defect mode set, meanwhile, we verify the effectiveness of our method using a concrete example in this paper.

Chengsong Wang,Xiaoguang Mao,Ziying Dai,Yan Lei

DOI: https://doi.org/10.1109/csae.2012.6272595

2012-01-01

Abstract:Because of inherent drawbacks of Software Engineering, no software is defect-free. If the defects are resulted from highly optimized compilers, or in software without source code, software maintainers may have to test and debug programs at binary level, considering the fact that there are not practical reverse engineering tools. We propose a dynamic and automatic instrumentation framework, DABITTD, to support bytecode programs testing and debugging. According to the user requirements, it can provide the program run-time information and alter program run-time behaviors as well. DABITTD works at bytecode level without needs to access source code and doesn't pollute the original class files. What is more, the whole process of instrumentation is performed fully automatically and dynamically. Meanwhile, in order to help maintainers fix defects, DABITTD can also directly edit class files on the disk statically.

HU Chaojian,ZHANG Jia,LI Zhoujun,SHI Zhiwei,ZHANG Yan

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.017

2009-01-01

Abstract:Since there are semantic differences between a source code and its executable code, analysis of only the source code may miss some vulnerabilities in the executable code.Typical vulnerability patterns were analyzed to design a security vulnerability detection tool to work directly on executables.The system combines static disassembly analysis, dynamic auto-debugging and function based argument injection.The tool successfully found buffer overflow vulnerabilities in both a CVE (common vulnerabilities & exposures) benchmark and two real executables.The resuIts show that this detection method can be used to directly detect security vulnerabilities in executable codes.

Liu Xingbo,Li Yuanlin,Yu mingjun,Zheng Yan,Yu Jinlong,Guo Yunfeng,Kong Huafeng,Qiang Weizhong

DOI: https://doi.org/10.3969/j.issn.1000-386x.2022.11.045

2022-01-01

Abstract:Taint analysis technology is an important technical means for vulnerability detection. Due to the lack of additional information at runtime, using static taint analysis technology to detect code will produce many false positives. Based on the taint analysis technology, this paper proposes a more fine-grained taint analysis method for Web vulnerabilities. A more accurate object status record was generated during code analysis. The execution path of the code was judged and the stain and sink transfer processes were accurately recorded, which effectively reduced over-pollution and under-pollution. The symbol execution tool was used to verify the reachability of the vulnerability location, and some false vulnerability warnings could be eliminated, which effectively reduced the false positive and false negative rates.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Haijun Wang,Ting Liu,Xiaohong Guan,Chao Shen,Qinghua Zheng,Zijiang Yang

DOI: https://doi.org/10.1109/TSE.2016.2584063

IF: 7.4

2017-01-01

IEEE Transactions on Software Engineering

Abstract:Symbolic execution is a powerful technique for systematically exploring the paths of a program and generating the corresponding test inputs. However, its practical usage is often limited by the path explosion problem, that is, the number of explored paths usually grows exponentially with the increase of program size. In this paper, we argue that for the purpose of fault detection it is not necessary to systematically explore the paths, and propose a new symbolic execution approach to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value. Our approach can achieve the equivalent fault detection capability as traditional symbolic execution without exhaustive path exploration. In addition, we develop a practical implementation called Dependence Guided Symbolic Execution (DGSE) to soundly approximate our approach. Through exploiting program dependence, DGSE can predict and eliminate the redundant paths at a reasonable computational cost. Our empirical study shows that the redundant paths are abundant and widespread in a program. Compared with traditional symbolic execution, DGSE only explores 6.96 to 96.57 percent of the paths and achieves a speedup of 1.02 $\\times$ to 49.56$\\times$ . We have released our tool and the benchmarks used to evaluate DGSE$^\\ast$ .

Yu Hao,Xiaodong Zhang,Zijiang Yang,Ting Liu

2017-01-01

Abstract:With the advent of multicore processors, there is a great need to write concurrency programs to take advantage of parallel computing resources. However, the undetermined execution of the concurrency programs poses a huge challenge to current dynamic malware analysis how to guarantee the program is secure under the same input. In our work, a dynamic taint analysis of concurrent program (DTAC) is proposed to systematically detect tainted instances on all possible executions under a given input, by introducing the symbolic execution to guide dynamic analysis. Symbolic analysis infers alternate interleavings of an executed trace and computes thread schedules that guide future executions. Dynamic analysis explores new execution traces that drive future symbolic analysis. Then, the analysis can identify whether there is abnormal behavior within these executions by tracing the data flow. A prototype is developed for multithreaded C programs, built upon LLVM, KLEE and Z3. The primary experiments show that our method can find all possible tainted instances in the demo case and can systematically analyze real concurrency programs in SPLASH2 and PARSEC.

Pan-Pan SUN,Wei DONG

2016-01-01

Abstract:In software engineering, symbolic execution technology is an efficient program defect detection technology. Symbolic execution uses symbolic values as the inputs, which transforms the execution of the program into the corresponding symbolic expressions, and the precise analysis of the program behaviors is realized by systematacially traversing routing space. However, due to the restriction of the path explosion and constraint solving problems, symbolic execution technology has poor scalability. In order to mitigate the problem, this paper implemented a distributed symbolic execution platform which realized tasks parallelly execute and reduced the symbolic execution time overhead through a scheduling algorithm distributes tasks from master to slaves.

GU Ke,LIU Chao,JIN Mao-zhong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.05.008

2009-01-01

Abstract:The C++ program which is all right in compiling process does not always insure there are no defects in the code.For the reason that there may be defects relative to securities,design and code style,it may result in memory leak,misuse of pointers or make the program code unclearly and unreadable.The defects will place bad impact on the normal running and the maintain ability of the software.This paper introduced a good technology of defect-extendable automated C++ code defect detection,including two methods to detect the defects,a description of defect rules based on XPath technology and an introduction of the C++ defect automation detector.Furthermore,analyzed the detector in stability,credibility and easy-to-use by experiment.

Ting Chen,Xiao-Song Zhang,Shi-Ze Guo,Hong-Yuan Li,Yue Wu

DOI: https://doi.org/10.1016/j.future.2012.02.006

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Dynamic symbolic execution for automated test generation consists of instrumenting and running a program while collecting path constraint on inputs from predicates encountered in branch instructions, and of deriving new inputs from a previous path constraint by an SMT (Satisfiability Modulo Theories) solver in order to steer next executions toward new program paths. It has been introduced into several applications, such as automated test generation, automated filter generation and malware analysis mainly for its two intrinsic properties: low false positives and high code-coverage. In this paper, we focus on the topics that are closely related to automated test generation. Our contributions are five-fold. First, we summarize the theoretical foundation of dynamic symbolic execution. Second, we highlight the challenges when turning ideas into reality. Besides, we describe the state-of-the-art solutions including advantages and disadvantages for those challenges. In addition, twelve typical tools are analyzed and many properties of those tools are censused. Finally, we outline the prospects of this research field in detail.