Angr - The Next Generation of Binary Analysis

Wang, Fish; Shoshitaishvili, Yan

doi:10.1109/secdev.2017.14

Cited by 63 publications

(39 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…At the other extreme of program transparency, White-Box fuzzers [11] and symbolic execution tools [2,9,20,21,23,28] like KLEE [6] and SAGE [14] symbolically manipulate the source code to deterministically discover input sequences that explore every code path. As they are able to walk the entire source code tree, they can discover bugs in nested code.…”

Section: Fuzzing Overviewmentioning

confidence: 99%

Adaptive Grey-Box Fuzz-Testing with Thompson Sampling

Karamcheti

Mann

Rosenberg

2018

Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

Fuzz testing, or "fuzzing, " refers to a widely deployed class of techniques for testing programs by generating a set of inputs for the express purpose of finding bugs and identifying security flaws. Grey-box fuzzing, the most popular fuzzing strategy, combines light program instrumentation with a data driven process to generate new program inputs. In this work, we present a machine learning approach that builds on AFL, the preeminent grey-box fuzzer, by adaptively learning a probability distribution over its mutation operators on a program-specific basis. These operators, which are selected uniformly at random in AFL and mutational fuzzers in general, dictate how new inputs are generated, a core part of the fuzzer's efficacy. Our main contributions are two-fold: First, we show that a sampling distribution over mutation operators estimated from training programs can significantly improve performance of AFL. Second, we introduce a Thompson Sampling, bandit-based optimization approach that fine-tunes the mutator distribution adaptively, during the course of fuzzing an individual program. A set of experiments across complex programs demonstrates that tuning the mutational operator distribution generates sets of inputs that yield significantly higher code coverage and finds more crashes faster and more reliably than both baseline versions of AFL as well as other AFL-based learning approaches.

show abstract

Section: Fuzzing Overviewmentioning

confidence: 99%

Adaptive Grey-Box Fuzz-Testing with Thompson Sampling

Karamcheti

Mann

Rosenberg

2018

Proceedings of the 11th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

show abstract

“…We implemented Legion as a prototype in Python 3 on top of the symbolic execution engine angr [8]. We have extended its solver backend, claripy, by the approximate path-preserving fuzzing algorithm, relying on the optimizer component of Z3 [2].…”

Section: Tool Description and Configurationmentioning

confidence: 99%

Legion: Best-First Concolic Testing (Competition Contribution)

Liu

Ernst

Murray

et al. 2020

Fundamental Approaches to Software Engineering

View full text Add to dashboard Cite

Legion is a grey-box coverage-based concolic tool that aims to balance the complementary nature of fuzzing and symbolic execution to achieve the best of both worlds. It proposes a variation of Monte Carlo tree search (MCTS) that formulates program exploration as sequential decision-making under uncertainty guided by the best-first search strategy. It relies on approximate path-preserving fuzzing, a novel instance of constrained random testing, which quickly generates many diverse inputs that likely target program parts of interest. In Test-Comp 2020 [1], the prototype performed within 90% of the best score in 9 of 22 categories.

show abstract

“…For binary files, we perform a symbolic summarization of each function present in the binary using an integration of static analysis and symbolic execution based on Angr [70]. Specifically, we conduct a multi-path exploration of each function with the goal of discovering references to a set of predetermined features, including strings, constants, functions, and external variables.…”

Section: Source Vs Binary Matchingmentioning

confidence: 99%

Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Duan

Bijlani

Yang

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Mobile application developers rely heavily on opensource software (OSS) to offload common functionalities such as the implementation of protocols and media format playback. Over the past years, several vulnerabilities have been found in popular open-source libraries like OpenSSL and FFmpeg. Mobile applications that include such libraries inherit these flaws, which make them vulnerable. Fortunately, the open-source community is responsive and patches are made available within days. However, mobile application developers are often left unaware of these flaws. The App Security Improvement Program (ASIP) is a commendable effort by Google to notify application developers of these flaws, but recent work has shown that many developers do not act on this information. Our work addresses vulnerable mobile applications through automatic binary patching from source patches provided by the OSS maintainers and without involving the developers. We propose novel techniques to overcome difficult challenges like patching feasibility analysis, source-code-to-binary-code matching, and in-memory patching. Our technique uses a novel variabilityaware approach, which we implement as OSSPATCHER. We evaluated OSSPATCHER with 39 OSS and a collection of 1,000 Android applications using their vulnerable versions. OSSPATCHER generated 675 function-level patches that fixed the affected mobile applications without breaking their binary code. Further, we evaluated 10 vulnerabilities in popular apps such as Chrome with public exploits, which OSSPATCHER was able to mitigate and thwart their exploitation.

show abstract

Angr - The Next Generation of Binary Analysis

Cited by 63 publications

References 1 publication

Adaptive Grey-Box Fuzz-Testing with Thompson Sampling

Adaptive Grey-Box Fuzz-Testing with Thompson Sampling

Legion: Best-First Concolic Testing (Competition Contribution)

Automating Patching of Vulnerable Open-Source Software Versions in Application Binaries

Contact Info

Product

Resources

About