Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Chao Chang,Kesheng Liu,Jun Zhao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2018.01.029

2018-01-01

Abstract:In the process of safety testing in large-scale programs,Concolic tests often faced problems such as path explosion and lack of constraint solving ability.In order to alleviate these problems,this paper proposed a directed Concolic testing method for source code.Aiming at the danger code area prone to produce defects,the paths which could reach the critical code areas and the essential symbolic variables could be inferred based on backtracking control-flow and data-flow analysis.These information limited the dynamic testing only to cover the danger code area.The empirical results show that by ignoring analysis of the unconcerned paths and symbolic variables,the method significantly improves the test efficiency and the provability of finding defects.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Jingxi Li,Xin Xu,Lejian Liao,Lu Li

DOI: https://doi.org/10.1109/cis.2015.99

2015-01-01

Abstract:This paper proposes a method which utilizing taint analysis to reduce the unnecessary analysis routine, concentrating on the control-flow altering input using concolic (concrete and symbolic) execution procedure. A prototype, Concolic Fuzz is implemented based on this method, which is built on Pin platform at x86 binary level and using Z3 as the SMT (Satisfiability Modulo Theories) solver. The results of experiments verify that our approach is effective in increasing code coverage with remarkably lower resource and time cost than the standard fuzzing and concolic testing tools. The scale of fuzzing range and symbols are reduced, so as the computing resource and time consumption, especially when the input data is in highly structured and complex file format.

Binbin Li,Rui Ma,Xuefei Wang,Xiajing Wang,Jinyuan He

DOI: https://doi.org/10.1145/3380625.3380642

2020-01-01

Abstract:Since static taint analysis is performed prior to execution by considering all possible execution paths, it can discover potential security issues before the program running. Currently, many taint analysis tools pay more attention to data dependence in the program. Whereas implicit flow analysis based on control dependence is generally not considered owning to its complexity. Therefore, this paper presents a static taint analysis method named DepTaint, which expands the static checkers of LLVM, focuses on program dependence including data and control dependence in the program. DepTaint analyzes the taint variables propagated along explicit flows and implicit flows, especially commendably handles the under-taint in explicit flow analysis. Our evaluations demonstrate that, for 8 programs containing data and control dependence and 8 programs injected different common vulnerabilities (i.e., array bounds, double free, format string vulnerability, heap overflow, integer overflow, stack overflow, and UAF), DepTaint significantly outperforms LLVM's static checker both at marking taint variables and achieving more finegrained taint propagation paths. Specially, for the programs containing branch selection and loop structure, DepTaint on average marks 2X and 3.6X taint variables than LLVM's static checker.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Weiguang Wang,Qingkai Zeng

DOI: https://doi.org/10.1109/tase.2015.14

2015-01-01

Abstract:Concolic testing is a powerful technique for vulnerability detection. Current concolic testing tools usually randomly select one well-formed concrete input to start their workflow, then employ different path selection methods to explore the execution space. However, experiments have shown that concolic testing tools have different vulnerability detection performance when starting with different well-formed concrete inputs. In this paper, we present an evaluation method to help concolic testing tools select better initial inputs. The key idea is that: if the concolic execution triggered by one candidate initial input covers more error-prone operations with different execution contexts, it is likely to detect more bugs. Specifically, we firstly identify error-prone operations using fine-grained dynamic taint analysis. Then we propose a scoring algorithm to evaluate the vulnerability detection ability of different candidate initial inputs. We implemented this method in a new tool called CrashFinderHB, and applied it to four applications in Linux: readelf, convert, cjpeg, swftool. Experimental results show that using our evaluation method to select starting points can improve the effectiveness of concolic testing. Moreover, starting with carefully selected initial inputs, we found 4 previously unknown errors in readelf and convert.

Ting Chen,Xiao-Song Zhang,Xiao-Li Ji,Cong Zhu,Yang Bai,Yue Wu

DOI: https://doi.org/10.1109/tr.2014.2363153

IF: 5.883

2015-01-01

IEEE Transactions on Reliability

Abstract:Traditional software testing methods are not effective for testing embedded software thoroughly due to the fact that generating effective test inputs to cover all code is extremely difficult. In this work, we propose an automatic method to generate test inputs for embedded executables which is based on concolic execution. The core idea of our method is to divide concolic execution into symbolic execution on hosts, and concrete execution on targets, so considerable development work can be saved. Our method overcomes the limitations of the software and hardware abilities of embedded systems by restricting heavy-weight work on resourceful hosts. One feature of our method is that it targets executables, so the source of tested software is not needed. Another feature is that tested programs run in a real environment rather than in a simulator, so accurate run-time information can be acquired. Symbolic execution and concrete execution are coordinated by cross-debugging functions. Then we implement our method on Wind River VxWorks. Experiments show that our method achieves high code coverage with acceptable speed.

Yu Hao,Xiaodong Zhang,Zijiang Yang,Ting Liu

2017-01-01

Abstract:With the advent of multicore processors, there is a great need to write concurrency programs to take advantage of parallel computing resources. However, the undetermined execution of the concurrency programs poses a huge challenge to current dynamic malware analysis how to guarantee the program is secure under the same input. In our work, a dynamic taint analysis of concurrent program (DTAC) is proposed to systematically detect tainted instances on all possible executions under a given input, by introducing the symbolic execution to guide dynamic analysis. Symbolic analysis infers alternate interleavings of an executed trace and computes thread schedules that guide future executions. Dynamic analysis explores new execution traces that drive future symbolic analysis. Then, the analysis can identify whether there is abnormal behavior within these executions by tracing the data flow. A prototype is developed for multithreaded C programs, built upon LLVM, KLEE and Z3. The primary experiments show that our method can find all possible tainted instances in the demo case and can systematically analyze real concurrency programs in SPLASH2 and PARSEC.

Gary Wassermann,Dachuan Yu,Ajay Chander,Dinakar Dhurjati,Hiroshi Inamura,Zhendong Su

DOI: https://doi.org/10.1145/1390630.1390661

2008-01-01

Abstract:Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The dynamic features commonly supported by these languages significantly inhibit static analysis and existing static analysis of these languages can fail to produce meaningful results on realworld web applications. Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays. In this paper, we propose an automated input test generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.

Rulin Xu,Xiaoguang Mao,Luohui Chen

DOI: https://doi.org/10.1109/apsec60848.2023.00035

2023-01-01

Abstract:Taint analysis of value flows, as a static analysis technique, has gained widespread application in the fields of software security and vulnerability mining. However, when dealing with complex programs, it still faces challenges in terms of precision and performance. This research proposes P-DATA, a parallel framework implementing dependency-aware taint analysis. P-DATA employs modeling to capture data and control dependencies, reducing false positives over tools like Clang Static Analyzer and SVF. To accelerate the analysis, P-DATA leverages a task-level parallel framework introducing Preemption of Computational Resources (PCR) and Asynchronous Taint Source Registration, lead to impressive scalability and efficiency. Evaluations demonstrate P-DATA's ability to significantly expedite taint analysis for large programs using multi-core resources, achieving over 25X speedup on 32 cores. P-DATA makes notable contributions by boosting precision, efficiency and scalability of security-critical program analysis through advanced dependency modeling and paral-lelization techniques. It provides an extensible high-performance framework benefiting static analysis advancement.

CHEN Yan-ling,ZHAO Jing

DOI: https://doi.org/10.3724/sp.j.1087.2011.02367

2011-01-01

Abstract:The record of the current taint analysis tool is not accurate.To solve this,dynamic taint analysis based on the virtual technology was studied and implemented.A virtualization based dynamic taint analysis framework was designed,and two kinds of taint signature models based on Hook technology and Hash-traversal technology were given respectively for memory taint and hard disk taint.A taint propagation strategy was put forward according to the instruction type which was classified by instruction encoding format of InterAMD,and a taint record strategy based on instruction filtering was given to solve the problem of redundant information records.The experimental results prove that the proposed method is effective,and can be well used in test case generation and vulnerability detection of fuzzy test.

Ruoyu Zhang,Shiqiu Huang,Zhengwei Qi,Haibing Guan

DOI: https://doi.org/10.1016/j.camwa.2011.08.001

IF: 3.218

2012-01-01

Computers & Mathematics with Applications

Abstract:The evolution of computer science has exposed us to the growing gravity of security problems and threats. Dynamic taint analysis is a prevalent approach to protect a program from malicious behaviors, but fails to provide any information about the code which is not executed. This paper describes a novel approach to overcome the limitation of traditional dynamic taint analysis by integrating static analysis into the system and presents framework SDCF to detect software vulnerabilities with high code coverage. Our experiments show that SDCF is not only able to provide efficient runtime protection by introducing an overhead of 4.16× based on the taint tracing technique, but is also capable of discovering latent software vulnerabilities which have not been exploited, and achieve code coverage of more than 90%.

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

孔德光,郑烇,帅建梅,陈超,葛瑶

2009-01-01

Abstract:Static analysis technology is a significant method to detect software vulnerabilities. To cope with the problem of untrusting data inputs leading to software vulnerabilities, presents a vulnerability detection method based on taint analysis. It tracks various kinds of input including program parameters and environment variables ,marks the type of input, after constructing the control flow graph, makes use of dataflow information, propagating the taint data to the vulnerability functions, to settle the problem of buffer overflow and format string. It utilizes the related information of control flow and dataflow during this process, thus improves the accuracy and decreases the false negatives. It is proved by experiment that this technology is an effective vulnerability analysis method.

Xing Zhang,Chao Feng,Bin Zhang,Quan Zhang

2016-01-01

Abstract:Many vulnerabilities in binary program today are caused by particular area which is so-called sensitive area, and it is very important to cover the path to the sensitive area which is called sensitive path in software testing. This paper cares about three main sensitive area and proposed a test case auto generate algorithm with static analysis, dynamic taint analysis and offline symbolic execution. The algorithm can efficiently generate test case which can cover the sensitive path. First, static analysis can locate the sensitive area and find out sensitive area call chain. Then dynamic taint analysis mark key segment in input test case which can avoid status explosion in symbolic execution. Finally offline symbolic execution generates new test case to cover the sensitive area. Experiment results show that the algorithm can cover the sensitive area with less round and cost less time than other popular algorithm.

Qixing Dong,Jun Yan,Jian Zhang,Fanping Zeng

DOI: https://doi.org/10.1109/QSIC.2013.68

2013-01-01

Abstract:Test generation plays an important role in software testing. Concolic testing runs concrete executions on programs simultaneously with symbolic executions. It faces the same problem as symbolic execution when generating test inputs, namely the combinatorial explosion of the path space. Most of the existing approaches can search only a fraction of the path space. Therefore, how to cover as many branches as possible with a few test inputs becomes an important research issue. Upon this issue, the paper proposes a heuristic search strategy based on inter-procedural control flow graph. The proposed strategy calculates the approximate mathematic expectation of uncovered branches. Then this expectation guides the search process to select the optimal branch to form a path condition. According to the path condition, the test input that may cover a large number of uncovered branches is generated. Experiments on three classes of test benchmarks show that, compared to the other strategies, the proposed strategy can significantly reduce the number of test inputs for covering reachable branches, and achieve high branch coverage quickly.

Ting Chen,Xiaodong Lin,Jin Huang,Abel Bacchus,Xiaosong Zhang

DOI: https://doi.org/10.1002/sec.1290

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Recently, concolic execution has become a hotspot in the domain of software testing and program analysis. However, a practical challenge, called path divergence, impairs the soundness and completeness of concolic execution. A path divergence indicates the tested program runs an unpredicted path. In this work, we carry out a comprehensive empirical study on path divergences using an open-source concolic execution tool, named CREST. To make the investigation representative, we select 120 test units randomly from 21 different open-source programs. The results are interesting, and will provide insight to solve the challenging path-divergence problem. First, about one-half of test units suffer frompath divergences, indicating path divergences are so prevalent that the issue isworthy of great attention. Second, quite a number of generated test inputs drive test units to take divergent paths. This means testers need considerable effort to eliminate the misleading test inputs before aggregating them to a test suite. Third, we dig out ten divergent patterns through manual analysis of each path divergence. Among them, the threemost prevalent ones, which are exceptions, external calls, and type casts, lead to almost 82% of path divergences. Finally, we discuss several countermeasures to overcome path divergences. Copyright (C) 2015 John Wiley & Sons, Ltd.

唐和平,黄曙光,张亮

DOI: https://doi.org/10.3969/j.issn.1002-137x.2010.07.036

2010-01-01

Computer Science

Abstract:Untrusted data originating from network user input and configuration files,causes many software security problems,when operated by security-critical function without strict data validation.Keeping track of the propagation of untrusted data is the main idea of dynamic taint analysis for vulnerability exploits detection.Data derived from network user input and configuration files were labeled as taint.Executed taint propagating algorithm by virtue of data flow analysis,and carried out several taint detection policies for each security-critical function.A vulnerability exploits detection prototype system was implemented on open source emulator and many optimization mechanisms were deployed.

Xiajing Wang,Rui Ma,Bowen Dou,Zefeng Jian,Hongzhou Chen

DOI: https://doi.org/10.1155/2018/7693861

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.