Xueshuai Ge,Tieming Liu,Yaobin Xie,YuanYuan Zhang

DOI: https://doi.org/10.1117/12.2682314

2023-01-01

Abstract:With increasing number of software vulnerabilities, the quantity of attacks utilizing malicious samples is also on rise, leading to intensified adversarial competition. In particular, the application of automatic vulnerability mining techniques has resulted in a significant increase in the number of vulnerabilities, but security researchers often do not have enough time to deal with them. This paper proposes a symbol-execution-based automated vulnerability exploitation method, which can achieve automation of vulnerability detection, classification and exploitation. Finally, this paper designs and implements a prototype system for symbol-execution-based automated vulnerability exploitation and verifies its effectiveness through experiments. This research provides security analysts with an in-depth understanding of the types of vulnerabilities and determines methods for vulnerability exploitability, further improving the efficiency of analyzing and fixing vulnerabilities.

Liu Xingbo,Li Yuanlin,Yu mingjun,Zheng Yan,Yu Jinlong,Guo Yunfeng,Kong Huafeng,Qiang Weizhong

DOI: https://doi.org/10.3969/j.issn.1000-386x.2022.11.045

2022-01-01

Abstract:Taint analysis technology is an important technical means for vulnerability detection. Due to the lack of additional information at runtime, using static taint analysis technology to detect code will produce many false positives. Based on the taint analysis technology, this paper proposes a more fine-grained taint analysis method for Web vulnerabilities. A more accurate object status record was generated during code analysis. The execution path of the code was judged and the stain and sink transfer processes were accurately recorded, which effectively reduced over-pollution and under-pollution. The symbol execution tool was used to verify the reachability of the vulnerability location, and some false vulnerability warnings could be eliminated, which effectively reduced the false positive and false negative rates.

NIU Wei-na,DING Xue-feng,LIU Zhi,ZHANG Xiao-song

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.10.024

2013-01-01

Computer Science

Abstract:Software vulnerability is one main source of computer safety issues,and the key technology of vulnerabilities finding is fuzzing(fuzzy test)which is based on randomly changing the input,however,it cannot construct test cases effectively and eliminate the redundancy of test cases.In order to overcome the shortcomings of traditional fuzzing test,effectively generate test inputs and do not need to analyze the input format,we designed and implemented vulnerability found system(called SEVE)based on symbolic execution for binary program.SEVE makes the inputs symbolic and uses dynamic instrumentation tools to establish the propagation relationship of the symbolic variable,collect path constraints in branch statement,uses interpreter to solve these path constraints to obtain test cases.Experimental results which are based on mp3 and pdf software show that the system can improve the efficiency and the degree of automation of vulnerability discovery.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Ting Chen,Xiao-song Zhang,Xu Xiao,Yue Wu,Chun-xiang Xu,Hong-tian Zhao

DOI: https://doi.org/10.1108/03321641311297016

2013-01-01

COMPEL The International Journal for Computation and Mathematics in Electrical and Electronic Engineering

Abstract:PurposeSoftware vulnerabilities have been the greatest threat to the software industry for a long time. Many detection techniques have been developed to address this kind of issue, such as Fuzzing, but mere Fuzz Testing is not good enough, because the Fuzzing only alters the input of program randomly, and does not consider the basic semantics of the target software. The purpose of this paper is to introduce a new vulnerability exploring system, called “SEVE” to explore the target software more deeply and to generate more test cases with more accuracy.Design/methodology/approachSymbolic execution is the core technique of SEVE. The user can just input a standard input, and the SEVE system will record the execution path, alter the critical branches of it, and generate a totally different test case which will make the software under test execute a different path. In this way, some potential bugs or defects, even the exploitable vulnerabilities will be discovered. To alleviate path explosion, the authors propose heuristic method and function abstraction, which in turn improve the performance of SEVE even further.FindingsWe evaluate SEVE system to record critical data about its efficiency and performance. We have tested some real‐world vulnerabilities, from which the underlying file‐input programs suffer. After that, the results show that SEVE is not only re‐creating the discovery of these vulnerabilities, but also at a higher performance level than traditional techniques.Originality/valueThe paper proposes a new vulnerability exploring system, called “SEVE” to explore the target software and generate test cases automatically and also heuristic method and function abstraction to handle path explosion.

Chaojian Hu,Zhoujun Li,Jinxin Ma,Tao Guo,Zhiwei Shi

DOI: https://doi.org/10.1109/tase.2012.13

2012-01-01

Abstract:Symbolic execution simulates program execution by replacing concrete values with symbolic variables for inputs. It could be used in software behavior analysis, vulnerability detection and software security assessment. In this paper, we analyze the path explosion problem encountered in vulnerability detection with the state-of-the-art symbolic execution technology for large scale file parsing programs. We also propose 4 alleviations to ease the problem, i.e. loop controlling, irrelevant path elimination, path selecting and parallel symbolic execution. Based on these alleviations, we implemented a prototype tool to detect file parsing vulnerability in large scale programs automatically, and evaluate it with a suit of benchmarks chosen from open source programs. Our tool detected not only all reported vulnerabilities of memory overflow in the benchmarks, but also some unreported vulnerabilities. The evaluation results show these alleviations could effectively ease the path explosion problem while analyzing large scale file parsing programs.

Shameng Wen,Qingkun Meng,Chao Feng,Chaojing Tang

DOI: https://doi.org/10.1371/journal.pone.0188229

IF: 3.7

2017-11-16

PLoS ONE

Abstract:Formal techniques have been devoted to analyzing whether network protocol specifications violate security policies; however, these methods cannot detect vulnerabilities in the implementations of the network protocols themselves. Symbolic execution can be used to analyze the paths of the network protocol implementations, but for stateful network protocols, it is difficult to reach the deep states of the protocol. This paper proposes a novel model-guided approach to detect vulnerabilities in network protocol implementations. Our method first abstracts a finite state machine (FSM) model, then utilizes the model to guide the symbolic execution. This approach achieves high coverage of both the code and the protocol states. The proposed method is implemented and applied to test numerous real-world network protocol implementations. The experimental results indicate that the proposed method is more effective than traditional fuzzing methods such as SPIKE at detecting vulnerabilities in the deep states of network protocol implementations.

Hui Huang,Yu-Liang Lu,Jun Zhao,Zhi-Yong Wu

DOI: https://doi.org/10.1109/imccc.2013.32

2013-01-01

Abstract:Symbolic Execution based defect discovery techniques for binary programs are now widely applied. However, because of the path explosion problem, it's still not applicable for security analysis on large programs. A great many infeasible paths in the target program also reduce the performance. To fast generate test cases reaching the potentially vulnerable program points, this paper introduces constraints implied in input protocols to symbolic execution, calculates vulnerable point reachable control flow paths using static control flow analysis. The path information is then used to limit dynamic symbolic execution's path exploration space. Experiments prove the effectiveness of our method on performance enhancement in symbolic execution and defect discovery.

Fan Yao,Yongbo Li,Yurong Chen,Hongfa Xue,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1109/dsn.2017.57

2017-01-01

Abstract:Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder

2024-09-20

Abstract:In modern software development, vulnerability detection is crucial due to the inevitability of bugs and vulnerabilities in complex software systems. Effective detection and elimination of these vulnerabilities during the testing phase are essential. Current methods, such as fuzzing, are widely used for this purpose. While fuzzing is efficient in identifying a broad range of bugs and vulnerabilities by using random mutations or generations, it does not guarantee correctness or absence of vulnerabilities. Therefore, non-random methods are preferable for ensuring the safety and security of critical infrastructure and control systems. This paper presents a vulnerability detection approach based on symbolic execution and control flow graph analysis to identify various types of software weaknesses. Our approach employs a divide-and-conquer algorithm to eliminate irrelevant program information, thus accelerating the process and enabling the analysis of larger programs compared to traditional symbolic execution and model checking methods.

Cryptography and Security

HU Chaojian,ZHANG Jia,LI Zhoujun,SHI Zhiwei,ZHANG Yan

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.z2.017

2009-01-01

Abstract:Since there are semantic differences between a source code and its executable code, analysis of only the source code may miss some vulnerabilities in the executable code.Typical vulnerability patterns were analyzed to design a security vulnerability detection tool to work directly on executables.The system combines static disassembly analysis, dynamic auto-debugging and function based argument injection.The tool successfully found buffer overflow vulnerabilities in both a CVE (common vulnerabilities & exposures) benchmark and two real executables.The resuIts show that this detection method can be used to directly detect security vulnerabilities in executable codes.

TANG He-ping,HUANG Shu-guang,ZHANG Liang

2010-01-01

Abstract:Software vulnerabilities have become an omnipresent and dangerous threat to network security.Vulnerability Exploits Detection is proposed to take active defense measures to monitor system state and cut exploit data sources off or terminate program execution before exploitation.Taint analysis for vulnerability exploits detection is composed of taint propagation link,taint propagation,taint analysis and taint track.A Vulnerability exploits detection prototype system was implemented by emulator and many optimization mechanisms.In contrast to the experiment result of other taint analysis systems,our prototype system has higher accuracy and vulnerability exploits coverage.

HUANG Hui,LU Yu-liang,XIA Yang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2013.09.064

2013-01-01

Abstract:Aiming towards automatic defect detection for binary programs,based on software virtual machine's dynamic binary translation and taint propagation,this paper studied mechanisms necessary for symbolic execution including program's run-time semantics' extraction,intermediate language based symbolic calculation,enhanced the path-scheduling mechanism in traditional dynamic symbolic execution,analyzed symbolic asserts' expressions for common program defects,with an online dynamic symbolic execution system built up detecting defects in binary programs.Experiments prove the method's effectiveness in defect detection for real binary programs.

Zhi Liu,Xiaosong Zhang,Yue Wu,Ting Chen

DOI: https://doi.org/10.1108/03321641311296873

2013-01-01

Abstract:PurposeThe purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion error. Real‐world attacks were evaluated for experimentation.Design/methodology/approachCurrent dynamic analysis detects attacks by enforcing low level policy which can only detect control‐flow hijacking attack. The proposed approach detects IMCE with high level policy enforcement using dynamic taint analysis. Unlike low‐level policy enforced on instruction level, the authors' policy is imposed on memory operation routine. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.FindingsConversion errors are common and most of them are legitimate. Taint analysis with high‐level policy can accurately block IMCE but have false positives. Proper design of data structures to maintain taint tag can greatly improve overhead.Originality/valueThis paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.

Zhenhui Li,Shuangping Xing,Lin Yu,Huiping Li,Fan Zhou,Guangqiang Yin,Xikai Tang,Zhiguo Wang

DOI: https://doi.org/10.32604/cmc.2023.046595

2024-01-01

Abstract:Software security analysts typically only have access to the executable program and cannot directly access the source code of the program. This poses significant challenges to security analysis. While it is crucial to identify vulnerabilities in such non-source code programs, there exists a limited set of generalized tools due to the low versatility of current vulnerability mining methods. However, these tools suffer from some shortcomings. In terms of targeted fuzzing, the path searching for target points is not streamlined enough, and the completely random testing leads to an excessively large search space. Additionally, when it comes to code similarity analysis, there are issues with incomplete code feature extraction, which may result in information loss. In this paper, we propose a cross-platform and cross-architecture approach to exploit vulnerabilities using neural network obfuscation techniques. By leveraging the Angr framework, a deobfuscation technique is introduced, along with the adoption of a VEX-IR-based intermediate language conversion method. This combination allows for the unified handling of binary programs across various architectures, compilers, and compilation options. Subsequently, binary programs are processed to extract multi-level spatial features using a combination of a skip-gram model with self-attention mechanism and a bidirectional Long Short-Term Memory (LSTM) network. Finally, the graph embedding network is utilized to evaluate the similarity of program functionalities. Based on these similarity scores, a target function is determined, and symbolic execution is applied to solve the target function. The solved content serves as the initial seed for targeted fuzzing. The binary program is processed by using the de-obfuscation technique and intermediate language transformation method, and then the similarity of program functions is evaluated by using a graph embedding network, and symbolic execution is performed based on these similarity scores. This approach facilitates cross-architecture analysis of executable programs without their source codes and concurrently reduces the risk of symbolic execution path explosion.

computer science, information systems,materials science, multidisciplinary

Bo Wu,Bin Zhang,Sha Meng Wen,Meng Jun Li,Quan Zhang,Chao Jing Tang

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.539

2014-01-01

Applied Mechanics and Materials

Abstract:Traditional Fuzzing is simple and easy to deploy but inefficient due to different inputs usually execute the redundant path. In this paper, we put forward a binary-oriented Fuzzing technique based on input format analysis and dynamic taint analysis, which can detect vulnerability more efficient than traditional Fuzzing method. We implemented a prototype system called Smart and Directed Fuzz (SDFuzz), which first searches the locations where interested functions are called, then uses dynamic taint analysis technique to classify input data into safety-related data and safety-unrelated data, finally mutates safety-related data to direct the test procedure. The evaluation shows that our method can be used to detect vulnerabilities in binary software efficiently.

Shibo Tang,Xingxin Wang,Yifei Gao,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031481

2022-01-01

Abstract:Model checking is one of the most commonly used technique in formal verification. However, the exponential scale state space renders exhaustive state enumeration inefficient even for a moderate System on Chip (SoC) design. In this paper, we propose a method that leverages symbolic execution to accelerate state space search and pinpoint security vulnerabilities. We automatically convert the hardware design to functionally equivalent C++ code and utilize the KLEE symbolic execution engine to perform state exploration through heuristic search. To reduce the search space, we symbolically represent essential input signals while making non-critical inputs concrete. Experiment results have demonstrated that our method can precisely identify security vulnerabilities at significantly lower computation cost.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Zhaokun Deng,Yuliang Lu,Zhao Huang,Kailong Zhu,Bin Yang

DOI: https://doi.org/10.1109/imccc.2018.00222

2018-01-01

Abstract:The security of software is threaten by the vulnerability from itself. In recent years, the testing of the binary software is becoming more and more important, and researchers have also put forward many analyzing methods to find the vulnerability of the softwares. This paper studies several kinds of the analyzing methods on binary software, and on this basis, mainly study the development of the Selective Symbolic Execution(S2E) platform. Moreover, this paper tests the technical effect of this technology. The experiment results show that this method is effective in finding the vulnerabilities of the software.