Hui Xu,Yangfan Zhou,Yu Kang,Michael R. Lyu

DOI: https://doi.org/10.1109/dsn.2017.11

2017-01-01

Abstract:Concolic execution has achieved great success in many binary analysis tasks. However, it is still not a primary option for industrial usage. A well-known reason is that concolic execution cannot scale up to large-size programs. Many research efforts have focused on improving its scalability. Nonetheless, we find that, even when processing small-size programs, concolic execution suffers a great deal from the accuracy and scalability issues. This paper systematically investigates the challenges that can be introduced even by small-size programs, such as symbolic array and symbolic jump. We further verify that the proposed challenges are non-trivial via real-world experiments with three most popular concolic execution tools: BAP, Triton, and Angr. Among a set of 22 logic bombs we designed, Angr can solve only four cases correctly, while BAP and Triton perform much worse. The results imply that current tools are still primitive for practical industrial usage. We summarize the reasons and release the bombs as open source to facilitate further study.

Hongliang Liang,Wenqing Yu,Lu Ai,Lin Jiang

DOI: https://doi.org/10.1145/3383219.3383254

2020-01-01

Abstract:The state explosion problem faced by concolic execution is significantly serious when detecting program bugs especially in large scale software systems. To mitigate the issue, we propose a practical concolic execution approach to detect vulnerabilities in this paper. First, we identify the correlation between symbolic memory and control flow by statically analyzing the software under test, and distinguish the critical symbolic memory and ordinary symbolic memory according to the above correlation. Then, we design different strategies for two kinds of symbolic memory in order to generate state when performing concolic execution of the target software. We present these ideas in a prototype system, Pracolic, and evaluate it with four file systems in Linux, i.e., ext4, XFS, Btrfs, and ReiserFS. Experimental results show that Pracolic can effectively mitigate the problem of state explosion in concolic execution, and outperform S2E, a state-of-the-art analysis system, on state reduction and code coverage for large scale software systems.

Hui Huang,Yu-Liang Lu,Jun Zhao,Zhi-Yong Wu

DOI: https://doi.org/10.1109/imccc.2013.32

2013-01-01

Abstract:Symbolic Execution based defect discovery techniques for binary programs are now widely applied. However, because of the path explosion problem, it's still not applicable for security analysis on large programs. A great many infeasible paths in the target program also reduce the performance. To fast generate test cases reaching the potentially vulnerable program points, this paper introduces constraints implied in input protocols to symbolic execution, calculates vulnerable point reachable control flow paths using static control flow analysis. The path information is then used to limit dynamic symbolic execution's path exploration space. Experiments prove the effectiveness of our method on performance enhancement in symbolic execution and defect discovery.

Erzhou Zhu,Feng Liu,Xianyong Fang,Xuejun Li,Yindong Yang,Alei Liang

DOI: https://doi.org/10.4304/jsw.9.3.560-568

2014-01-01

Abstract:Nowadays, applications are usually large-scale, this making tasks of comprehending and debugging software rather complicated. As a dynamic reduction technique for simplifying programs, dynamic program slicing is an effective and important approach for locating and diagnosing software attacks. However, most of the existing dynamic slicing tools perform slicing at the source code level, but the source code of most software is hard to acquire in practice. In order to cope with this issue, a novel lightweight dynamic slicing framework---DYBS, is proposed for diagnosing attacks on x86 binary programs. During the execution, DYBS first gathers the runtime profile information of the target program. Once the attack is encountered and set as the slicing criterion, the normal execution terminates, and a backward program slicing is started to locate the vulnerabilities. Furthermore, a Function Call Filtration optimization mechanism is proposed to improve the performance of the framework. It is proved in the experiments that DYBS can diagnose software attacks with much lower overhead than many other similar analyzing systems.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Jun-xian Zhang,Zhou-jun Li,Xian-chen Zheng

DOI: https://doi.org/10.1007/978-3-319-25942-0_15

2015-01-01

Abstract:Dynamic symbolic execution or concolic execution is a powerful method for program analysis and software testing by attaching symbolic execution to the concrete running of a program. This paper proposes an approach to handle aggregate types e.g., pointers, arrays, structures and their complex combinations for the dynamic symbolic execution of C programs. The main idea of the approach is splitting a complex type program variable into a series of primitive type variables. During the concrete execution of a program, a concolic execution engine is provided to observe the operations on every program variable at the level of primitive types, and then the symbolic state of the program is updated. The path constraints which must be satisfied to drive the program running along the current execution path are collected to generate new test data for other paths. Our approach guarantees that only primitive type variables can appear in the symbolic states and path constraints. Based on LLVM byte code instrumentation, we present a new tool, called PathWalker, which implements this approach. Experimental results reveal that PathWalker is effective to deal with complex types in C codes.

Charitha Saumya,Rohan Gangaraju,Kirshanthan Sundararajah,Milind Kulkarni

2023-08-03

Abstract:Dynamic symbolic execution (DSE) suffers from path explosion problem when the target program has many conditional branches. Classical approach for managing the path explosion problem is dynamic state merging. Dynamic state merging combines similar symbolic program states together to avoid the exponential growth of states in DSE. However, state merging still requires solver invocations at each branch point of the program even when both paths of the branch is feasible and, the best path search strategy for DSE may not create the best state merging opportunities. Some drawbacks of state merging can be mitigated by compile-time state merging i.e. branch elimination by converting control-flow into data-flow. In this paper, we propose a non-semantics preserving but failure-preserving compiler technique for removing expensive symbolic branches in a program to improve the scalability of DSE. We develop a framework for detecting spurious bugs that can be inserted by our transformation. Finally, we show that our transformation can significantly improve the performance of exhaustive DSE on variety of benchmarks and helps in achieving more coverage in a large real-world subjects within a limited time budget.

Software Engineering,Programming Languages

Yu Hao,Xiaodong Zhang,Zijiang Yang,Ting Liu

2017-01-01

Abstract:With the advent of multicore processors, there is a great need to write concurrency programs to take advantage of parallel computing resources. However, the undetermined execution of the concurrency programs poses a huge challenge to current dynamic malware analysis how to guarantee the program is secure under the same input. In our work, a dynamic taint analysis of concurrent program (DTAC) is proposed to systematically detect tainted instances on all possible executions under a given input, by introducing the symbolic execution to guide dynamic analysis. Symbolic analysis infers alternate interleavings of an executed trace and computes thread schedules that guide future executions. Dynamic analysis explores new execution traces that drive future symbolic analysis. Then, the analysis can identify whether there is abnormal behavior within these executions by tracing the data flow. A prototype is developed for multithreaded C programs, built upon LLVM, KLEE and Z3. The primary experiments show that our method can find all possible tainted instances in the demo case and can systematically analyze real concurrency programs in SPLASH2 and PARSEC.

Yufeng Zhang,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.48550/arXiv.1205.4951

2012-05-31

Abstract:Symbolic execution is an effective path oriented and constraint based program analysis technique. Recently, there is a significant development in the research and application of symbolic execution. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large-scale or very complex programs. In this paper, we propose a new fashion of symbolic execution, named Speculative Symbolic Execution (SSE), to speed up symbolic execution by reducing the invocation times of constraint solver. In SSE, when encountering a branch statement, the search procedure may speculatively explore the branch without regard to the feasibility. Constraint solver is invoked only when the speculated branches are accumulated to a specified number. In addition, we present a key optimization technique that enhances SSE greatly. We have implemented SSE and the optimization technique on Symbolic Pathfinder (SPF). Experimental results on six programs show that, our method can reduce the invocation times of constraint solver by 21% to 49% (with an average of 30%), and save the search time from 23.6% to 43.6% (with an average of 30%).

Software Engineering

Ting Chen,Xiao-Song Zhang,Xiao-Li Ji,Cong Zhu,Yang Bai,Yue Wu

DOI: https://doi.org/10.1109/tr.2014.2363153

IF: 5.883

2015-01-01

IEEE Transactions on Reliability

Abstract:Traditional software testing methods are not effective for testing embedded software thoroughly due to the fact that generating effective test inputs to cover all code is extremely difficult. In this work, we propose an automatic method to generate test inputs for embedded executables which is based on concolic execution. The core idea of our method is to divide concolic execution into symbolic execution on hosts, and concrete execution on targets, so considerable development work can be saved. Our method overcomes the limitations of the software and hardware abilities of embedded systems by restricting heavy-weight work on resourceful hosts. One feature of our method is that it targets executables, so the source of tested software is not needed. Another feature is that tested programs run in a real environment rather than in a simulator, so accurate run-time information can be acquired. Symbolic execution and concrete execution are coordinated by cross-debugging functions. Then we implement our method on Wind River VxWorks. Experiments show that our method achieves high code coverage with acceptable speed.

Yue Wang,Hao Sun,Qingkai Zeng

DOI: https://doi.org/10.18293/seke2015-94

2015-01-01

Abstract:Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection.In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem.In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program.In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis.We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11.Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection.

Xue Lei,Wei Huang,Wenqing Fan,Yixian Yang

DOI: https://doi.org/10.1587/transinf.2015edp7037

2015-01-01

IEICE Transactions on Information and Systems

Abstract:Dynamic analysis is frail and insufficient to find hidden paths in environment-intensive program. By analyzing a broad spectrum of different concolic testing systems, we conclude that a number of them cannot handle programs that interact with the environment or require a complete working model. This paper addresses this problem by automatically identifying and modifying outputs of the data input interface function(DIIF). The approach is based on fine-grained taint analysis for detecting and updating the data that interacts with the environment to generate a new set of inputs to execute hidden paths. Moreover, we developed a prototype and conducted extensive experiments using a set of complex and environmentally intensive programs. Finally, the result demonstrates that our approach could identify the DIIF precisely and discover hidden path obviously.

Ting Chen,Youzheng Feng,Xingwei Lin,Zihao Li,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-030-02744-5_27

2018-01-01

Abstract:Dynamic binary analysis is difficult and burdensome. In practice, analysts always develop dynamic binary analyzers (DBAs) based on binary instrumentation tools (BITs), which are responsible for extracting information from a binary, monitoring or altering the execution of the binary. However, existing BITs either expose machine instructions to analysts or lack user-friendly APIs. Such problems result in a steep learning curve to grasp BITs and difficulties in eliminating bugs in DBAs. This work designs DBAF, a dynamic binary analysis framework that instruments binaries dynamically, conducts an online translation from machine code into an easy-to-handle intermediate representation (IR) and provides tens of APIs for IR processing. With DBAF, analysts can process binaries in the level of IR without the troubles to interpret machine instructions. Then, we develop five DBAs on top of DBAF, which are a division-by-zero protector, an IR counter, a memory tracer, a taint analyzer and a concolic executor. It demonstrates that DBAF can reduce the development effort for DBAs, especially the ones requiring semantic interpretation of instructions. Experiments show that DBAF brings about reasonable overhead in online translation.

Bo Wu,Yufeng Ma,Qian Zhang,Fengchen Qian

DOI: https://doi.org/10.23977/meet.2019.93720

2019-01-01

Abstract:Buffer overflows in C and C++ programs are among the most common and serious classes of software vulnerabilities for two decades. To mitigate and to eradicate this security threat, many detection approaches based on static and dynamic analysis techniques have been proposed. This paper aims to provide an alternative and multipath solution to existing symbolic execution approaches by catching the red-zones in memory, rather than the strict memory object bounds, which are absolute vulnerable to buffer overflows. From the observations of buffer overflow attacks that are commonly overwrite a special position to exploit the vulnerabilities, in this paper, we propose a multipath dynamic buffer overflow detecting approach (symbolic-execution-based), relying on catching the red-zones in the stack and heap memory. We examine every memory store operation both in concrete addresses and symbolic pointers, whose writing size should never overlap or cross a red-zone position. We implement a practical dynamic checking tool called MACBin based on S2E platform. We apply it to test several real world software, the results show that MACBin is useful and effective at detecting buffer overflow vulnerabilities.

XIA Chao,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.065

2008-01-01

Abstract:This paper proposes a method to detect buffer-overflow vulnerabilities for executables.Combining dynamic analysis and static analysis, it makes further detection of buffer-overflow vulnerabilities.Static methods mainly deal with the internal semantic relationship of assembly instructions and the properties of a function's stack frame for executables.Dynamic emulation provides a virtual run-time environment,which enables the program to combine its static properties while virtually executed,and then it can get the function's semantic results on buffer manipulation,and determine whether there is a buffer-overflow vulnerability.

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

Haibing Guan,Erzhou Zhu,Hongxi Wang,Ruhui Ma,Yindong Yang,Bin Wang

DOI: https://doi.org/10.1016/j.sysarc.2012.05.002

IF: 5.836

2012-01-01

Journal of Systems Architecture

Abstract:Dynamic binary translation (DBT) is an important technique in virtualization, and in migrating legacy binaries to platforms based on a new architecture. However, poor profile information limits the process of optimization at runtime, so the DBT system may suffer from substantial overhead. In this paper, we design and implement a static-integrated optimization framework (SINOF) to improve the runtime performance for DBT. Combining static and dynamic approaches can greatly reduce the overhead of optimizing, profiling and translating for any program that runs repeatedly. Under this framework, once the source image has been executed, the profile information and target code will be saved in a software cache, and will be available for future runs. In the static phase, the saved code is analyzed and optimized based on the information collected in the previous run. Especially, we reorganize the code layout of the software cache. Experimental results show that the proposed framework can reduce run time by more than 30% on average compared to the original versions of DBT that the framework is based on.

WANG Wei-Guang,ZENG Qing-Kai,SUN Hao

DOI: https://doi.org/10.13328/j.cnki.jos.005027

2016-01-01

Journal of Software

Abstract:Addressing the requirement for defect detection, this paper proposes critical operation oriented dynamic symbolic execution. First, based on the defined critical operations and the relevant critical paths, a set of initial inputs are evaluated by computing the ability of covering critical operations under different contexts, and efficient initial inputs can be selected for the following dynamic symbolic execution. Second, leveraging the critical operations, dynamic symbolic execution is guided to explore paths which are more prone to defects. In this way, defect detection becomes a process of locating critical operations and exploring critical paths. A prototype system called CrashFinder is implemented and tested on a number of Linux x86 executables. The experimental results show that this approach is effective in initial input evaluation and efficient in defect detection.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Bu Lei,Liang Yongjuan,Xie Zhunyi,Qian Hong,Hu Yi-Qi,Yu Yang,Chen Xin,Li Xuandong

DOI: https://doi.org/10.1007/s00165-021-00538-3

2021-01-01

Formal Aspects of Computing

Abstract:During program traversing, symbolic execution collects pathconditions and feeds them to a constraint solver to obtain feasiblesolutions. However, complex path conditions, like nonlinearconstraints, which widely appear in programs, are hard to be handledefficiently by the existing solvers. In this paper, we adapt theclassical symbolic execution framework with a machine learningapproach for constraint satisfaction. The approach samples andlearns from different solutions to identify potentially feasiblearea. This sampling-learning style solving can be applied indifferent class of complex problems easily. Therefore, incorporatingthis approach, our framework, MLBSE, supports the symbolicexecution of not only simple linear path conditions, but alsononlinear arithmetic operations, and even black-box function callsof library methods. Meanwhile, thanks to the theoretical foundationof the machine learning based approach, when the solver fails tosolve a path condition, we can have an estimation of the confidencein the satisfiability (ECS) of the problem to give users insightsabout how the problem is analyzed and whether they could ultimatelyfind a solution. We implement MLBSE on the basis of SymbolicPath Finder (SPF) into a fully automatic Java symbolic executionengine. Users can feed their code to MLBSE directly, which isvery convenient to use. To evaluate its performance, 22 real caseprograms are used as the benchmarks for MLBSE to generate testcases, which involve a total number of 1042 methods that are full ofnonlinear operations, floating-point arithmetic as well as nativemethod calls. Experiment results show that the coverage achieved byMLBSE is much higher than the state-of-the-art tools.