Ting Chen,Xiao-song Zhang,Xu Xiao,Yue Wu,Chun-xiang Xu,Hong-tian Zhao

DOI: https://doi.org/10.1108/03321641311297016

2013-01-01

COMPEL The International Journal for Computation and Mathematics in Electrical and Electronic Engineering

Abstract:PurposeSoftware vulnerabilities have been the greatest threat to the software industry for a long time. Many detection techniques have been developed to address this kind of issue, such as Fuzzing, but mere Fuzz Testing is not good enough, because the Fuzzing only alters the input of program randomly, and does not consider the basic semantics of the target software. The purpose of this paper is to introduce a new vulnerability exploring system, called “SEVE” to explore the target software more deeply and to generate more test cases with more accuracy.Design/methodology/approachSymbolic execution is the core technique of SEVE. The user can just input a standard input, and the SEVE system will record the execution path, alter the critical branches of it, and generate a totally different test case which will make the software under test execute a different path. In this way, some potential bugs or defects, even the exploitable vulnerabilities will be discovered. To alleviate path explosion, the authors propose heuristic method and function abstraction, which in turn improve the performance of SEVE even further.FindingsWe evaluate SEVE system to record critical data about its efficiency and performance. We have tested some real‐world vulnerabilities, from which the underlying file‐input programs suffer. After that, the results show that SEVE is not only re‐creating the discovery of these vulnerabilities, but also at a higher performance level than traditional techniques.Originality/valueThe paper proposes a new vulnerability exploring system, called “SEVE” to explore the target software and generate test cases automatically and also heuristic method and function abstraction to handle path explosion.

Xueshuai Ge,Tieming Liu,Yaobin Xie,YuanYuan Zhang

DOI: https://doi.org/10.1117/12.2682314

2023-01-01

Abstract:With increasing number of software vulnerabilities, the quantity of attacks utilizing malicious samples is also on rise, leading to intensified adversarial competition. In particular, the application of automatic vulnerability mining techniques has resulted in a significant increase in the number of vulnerabilities, but security researchers often do not have enough time to deal with them. This paper proposes a symbol-execution-based automated vulnerability exploitation method, which can achieve automation of vulnerability detection, classification and exploitation. Finally, this paper designs and implements a prototype system for symbol-execution-based automated vulnerability exploitation and verifies its effectiveness through experiments. This research provides security analysts with an in-depth understanding of the types of vulnerabilities and determines methods for vulnerability exploitability, further improving the efficiency of analyzing and fixing vulnerabilities.

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder

2024-09-20

Abstract:In modern software development, vulnerability detection is crucial due to the inevitability of bugs and vulnerabilities in complex software systems. Effective detection and elimination of these vulnerabilities during the testing phase are essential. Current methods, such as fuzzing, are widely used for this purpose. While fuzzing is efficient in identifying a broad range of bugs and vulnerabilities by using random mutations or generations, it does not guarantee correctness or absence of vulnerabilities. Therefore, non-random methods are preferable for ensuring the safety and security of critical infrastructure and control systems. This paper presents a vulnerability detection approach based on symbolic execution and control flow graph analysis to identify various types of software weaknesses. Our approach employs a divide-and-conquer algorithm to eliminate irrelevant program information, thus accelerating the process and enabling the analysis of larger programs compared to traditional symbolic execution and model checking methods.

Cryptography and Security

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845694

2014-01-01

Abstract:Despite more than two decades of independent, academic, and industry-related research, software vulnerabilities remain the main reason that undermine the security of our systems. Taint analysis and symbolic execution are among the most promising approaches for vulnerability detection, but either one can't remit the problem separately. In this paper, we try to combine taint analysis and symbolic execution for binary vulnerability mining and proposed a method named directed symbolic execution. Our three-step approach firstly adopts dynamic taint analysis technology to identify the safety-related data, and then uses symbolic execution system to execute the binary software while marks those safety-related data as symbols, and finally discovers vulnerabilities with our check-model. The evaluation shows that our method can be used to detect vulnerabilities in binary software more efficiently.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Tong Liu,Zhongru Wang,Yuntao Zhang,Zhehui Liu,Binxing Fang,Zhengyuan Pang

DOI: https://doi.org/10.1109/dsc55868.2022.00038

2022-01-01

Abstract:At present, program vulnerabilities occur frequently, which seriously threatens the security of cyberspace. Automated vulnerability discovery technology has attracted more and more attention because of its efficiency and universality. In the current field of vulnerability discovery, it is common to combine fuzzing with symbolic execution technology. Symbolic execution technology is often used to solve the input of complex paths and help fuzzing improve the program coverage, so as to detect vulnerabilities better. However, the symbolic execution has no goals in the process of hybrid execution exploration path, it is easy to cause the execution path to deviate from the expected target points. And generating the test case of the corresponding path requires frequently calling the solver for solution, while the current solver has low efficiency and poor solvability for nonlinear operation. In order to solve the above problems, we propose an automated vulnerability discovery system based on hybrid execution. In the system, we propose the symbolic execution guidance algorithm based on dynamic and static combination to guide the symbolic execution to solve the input reaching the target points, so as to avoid exploring in useless paths and avoid consuming a lot of time and computing resources. In addition we hook some nonlinear functions to optimize the nonlinear function constraint solving, so as to improve the hybrid execution efficiency. We have conducted extensive experiments on the RHG 2019 challenge dataset and the RHG 2021 challenge dataset. The experimental results show the effectiveness and scalability of the system.

Hongpeng Man,Jing An,Wei Huang,Wenqing Fan

DOI: https://doi.org/10.1109/icsrs.2018.8688844

2018-01-01

Abstract:Modularity is an important feature of Java Web applications nowadays, which challenges traditional program analytical techniques. Symbolic execution and Fuzzing, as two promising methods, both have some defects. On one hand, fuzzing is difficult to detect the branch with harsh path conditions; on the other hand, symbolic execution makes it difficult to symbolize complex inputs in a modular context. To improve these defects, we have designed JSEFuzz, a vulnerability detection method for Java Web applications. JSEFuzz combines the methods of fuzzing and symbolic execution: using fuzzing to find module-level vulnerability triggering conditions and corresponding input data, using symbolic execution to transform module-level input data, and verifying vulnerability triggerability at the program level, which is proved feasibility through experiments.

Zhaokun Deng,Yuliang Lu,Zhao Huang,Kailong Zhu,Bin Yang

DOI: https://doi.org/10.1109/imccc.2018.00222

2018-01-01

Abstract:The security of software is threaten by the vulnerability from itself. In recent years, the testing of the binary software is becoming more and more important, and researchers have also put forward many analyzing methods to find the vulnerability of the softwares. This paper studies several kinds of the analyzing methods on binary software, and on this basis, mainly study the development of the Selective Symbolic Execution(S2E) platform. Moreover, this paper tests the technical effect of this technology. The experiment results show that this method is effective in finding the vulnerabilities of the software.

Yun-Peng WAN,Yi DENG,Dong-Hui SHI,Liang CHENG,Yang ZHANG

DOI: https://doi.org/10.15888/j.cnki.csa.005991

2017-01-01

Abstract:In this paper we present BAEG,a system to automatically look for exploitable bugs in the binary program.Every bug reported by BAEG is accompanied by the control flow hijacking exploit.The working exploits ensure robustness that each bug report is security-critical and exploitable.Giving BAEG a vulnerable program and an input crash,the challenges are:1) how to replay crash and get the state of crash;2) how to automatically generate exploit.For the first challenge,we present a path-guided algorithm,take crash input as symbolic data,and replay crash path.For the second challenge,we summarize the principles of multiple control-flow hijack and establish the corresponding exploit generation model.Besides,BAEG can explore deep code especially for invalid symbolic read and symbolic write,which can help us decide whether there still are exploits at deeper code.

Jun Yang,Peng Zhou,Yunze Ni

DOI: https://doi.org/10.1007/978-3-030-02613-4_28

2018-01-01

Abstract:Software Fuzzing technology is widely used in automated software vulnerability mining. In order to improve efficiency, various techniques such as symbolical execution and taint tracking have been applied to software Fuzzing. Due to the lack of uniform and standardized test samples, researchers can only use existing software for testing. Therefore, there are sample differences when compared with existing technologies, and it is impossible to accurately measure the advantages and disadvantages of different technologies. In this paper, we propose a source-based software vulnerability auto-generation technology, through the analysis of the source code structure characteristics, to find the potential vulnerability insertion point, combined with known types of vulnerabilities, and automatically insert the vulnerability into the source code. We selected some open source projects such as coreutils as the test target, and inserted multiple vulnerabilities in the source code. We create a basis of judgement by providing a standardized sample of vulnerability programs.

Chaojian Hu,Zhoujun Li,Jinxin Ma,Tao Guo,Zhiwei Shi

DOI: https://doi.org/10.1109/tase.2012.13

2012-01-01

Abstract:Symbolic execution simulates program execution by replacing concrete values with symbolic variables for inputs. It could be used in software behavior analysis, vulnerability detection and software security assessment. In this paper, we analyze the path explosion problem encountered in vulnerability detection with the state-of-the-art symbolic execution technology for large scale file parsing programs. We also propose 4 alleviations to ease the problem, i.e. loop controlling, irrelevant path elimination, path selecting and parallel symbolic execution. Based on these alleviations, we implemented a prototype tool to detect file parsing vulnerability in large scale programs automatically, and evaluate it with a suit of benchmarks chosen from open source programs. Our tool detected not only all reported vulnerabilities of memory overflow in the benchmarks, but also some unreported vulnerabilities. The evaluation results show these alleviations could effectively ease the path explosion problem while analyzing large scale file parsing programs.

Ying WANG,Li-ze GU,Yi-xian YANG,Yu-xin DONG

DOI: https://doi.org/10.3969/j.issn.0372-2112.2014.10.023

2014-01-01

Abstract:The dynamic testing for automaticlly identifing security vulnerabilities in binary executables has received increas-ingly interest in recent years .In this paper ,we present a new automated whitebox fuzzing tool EWFT (Execution-based Whitebox Fuzzing Tool ) ,which implements dynamic symbolic execution and taint tracing techniques during program execution .Our contribu-tions are:1 )we propose a ROBDD (Reduced Ordered Binary Decision Diagram )-based approach to analyse execution process ,2 )we introduce a new path weight analysis algorithm (PWA )for searching path space and automating test data generation ,and 3 )we build a prototype tool that automatically finds software vulnerabilities .Results of our experiments show that execution-based whitebox fuzzing is powerful to identify variety of security vulnerabilities in real applications .Compared to the related work in the research area ,it explored deeper program paths on the average ,and achieved higher structural coverage .

Fan Yao,Yongbo Li,Yurong Chen,Hongfa Xue,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1109/dsn.2017.57

2017-01-01

Abstract:Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.

Luhang Xu,Liangze Yin,Wei Dong,Weixi Jia,Yongjun Li

DOI: https://doi.org/10.18293/seke2018-120

2018-01-01

Abstract:Fuzzing is an important method for binary vulnerability mining. It can analyze binary programs without their source codes, which is not easy to do by other technologies. But due to the blindness of input generation, binary fuzzing often falls into traps for a long time when the new mutated inputs cannot generate unexplored paths. In this paper, we propose an efficient and flexible fuzzing framework named Tinker. It defines the growth rate of path coverage to measure the current state of fuzzing. If the fuzzing falls into low-speed or blocked states, a symbolic analysis procedure is invoked to generate a new input which can help the fuzzing jump out of the trap. In the symbolic analysis procedure, we employ dynamic execution to track the traversed nodes. The untraversed branches are then identified according to the recorded data of American Fuzzy Lop (AFL) [M. Zalewski, American Fuzzy Lop (2014), http://lcamtuf.coredump.cx/afl/ ]. At last, we employ control flow graph (CFG) to construct complete paths to these branches and a new input is generated using symbolic execution. Moreover, to expedite the detection of vulnerabilities, we generate inputs which trigger more high-risk system calls first, such that the possibility of finding vulnerabilities can be improved. Tinker has been implemented and the experiments on DARPA CGC benchmark show that Tinker is more efficient in vulnerability mining than state-of-the-art binary vulnerability mining tools.

Weizhong Qiang,Yuehua Liao,Guozhong Sun,Laurence T. Yang,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/access.2017.2676161

IF: 3.9

2017-01-01

IEEE Access

Abstract:During the lifecycle of a software system, software patches are committed to software repositories to fix discovered bugs or append new features. Unfortunately, the patches may bring new bugs or vulnerabilities, which could break the stability and security of the software system. A study shows that more than 15% of software patches are erroneous due to poor testing. In this paper, we present a novel approach for automatically determining whether a patch brings new vulnerabilities. Our approach combines symbolic execution with data flow analysis and static analysis, which allows a quick check of patch-related codes. We focus on typical memory-related vulnerabilities, including buffer overflows, memory leaks, uninitialized data, and dangling pointers. We have implemented our approach as a tool called KPSec, which we used to test a set of real-world software patches. Our experimental results show that our approach can effectively identify typical memory-related vulnerabilities introduced by the patches and improve the security of the updated software.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Bo Wu,Meng Jun Li,Bin Zhang,Chao Feng,Quan Zhang,Chao Jing Tang

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.553

2014-01-01

Applied Mechanics and Materials

Abstract:Despite many automatic vulnerability detection approaches have been well documented, existing solutions for discovering software vulnerabilities in binary software are still difficult and time consuming. In this paper we present an approach based on random programming that works to quickly discover vulnerability in programmable binary software. By extracting the code snippets for special features and fixed API usages, we can get a set of original functional templates, and then we randomize the mutable factors in those templates. After that we reasonably make combination of those templates to produce final test templates. Finally, by concretizing the random factors we execute those test templates and monitor the software be tested to discover vulnerabilities. By template programming we can produce more reasonable test case, which makes our approach more effective than other solutions.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0188229

IF: 3.7

2017-11-16

PLoS ONE

Abstract:Formal techniques have been devoted to analyzing whether network protocol specifications violate security policies; however, these methods cannot detect vulnerabilities in the implementations of the network protocols themselves. Symbolic execution can be used to analyze the paths of the network protocol implementations, but for stateful network protocols, it is difficult to reach the deep states of the protocol. This paper proposes a novel model-guided approach to detect vulnerabilities in network protocol implementations. Our method first abstracts a finite state machine (FSM) model, then utilizes the model to guide the symbolic execution. This approach achieves high coverage of both the code and the protocol states. The proposed method is implemented and applied to test numerous real-world network protocol implementations. The experimental results indicate that the proposed method is more effective than traditional fuzzing methods such as SPIKE at detecting vulnerabilities in the deep states of network protocol implementations.

Qixue Xiao,Yu Chen,Chengang Wu,Kang Li,Junjie Mao,Shize Guo,Yuanchun Shi

DOI: https://doi.org/10.1109/dsn.2017.48

2017-01-01

Abstract:The study of software bugs has long been a key area in software security. Dynamic symbolic execution, in exploring the program's execution paths, finds bugs by analyzing all potential dangerous operations. Due to its high coverage and abilities to generate effective testcases, dynamic symbolic execution has attracted wide attention in the research community. However, the success of dynamic symbolic execution is limited due to complex program logic and its difficulty to handle large symbolic data. In our experiments we found that phase-related features of a program often prevents dynamic symbolic execution from exploring deep paths. On the basis of this discovery, we proposed a novel symbolic execution technology guided by program phase characteristics. Compared to KLEE, the most well-known symbolic execution approach, our method is capable of covering more code and discovering more bugs. We designed and implemented pbSE system, which was used to test several commonly used tools and libraries in Linux. Our results showed that pbSE on average covers code twice as much as what KLEE does, and we discovered 21 previously unknown vulnerabilities by using pbSE, out of which 7 are assigned CVE IDs.

Shibo Tang,Xingxin Wang,Yifei Gao,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031481

2022-01-01

Abstract:Model checking is one of the most commonly used technique in formal verification. However, the exponential scale state space renders exhaustive state enumeration inefficient even for a moderate System on Chip (SoC) design. In this paper, we propose a method that leverages symbolic execution to accelerate state space search and pinpoint security vulnerabilities. We automatically convert the hardware design to functionally equivalent C++ code and utilize the KLEE symbolic execution engine to perform state exploration through heuristic search. To reduce the search space, we symbolically represent essential input signals while making non-critical inputs concrete. Experiment results have demonstrated that our method can precisely identify security vulnerabilities at significantly lower computation cost.