Directed test generation using symbolic grammars

Majumdar, Rupak; Xu, Ru-Gang

doi:10.1145/1295014.1295039

Cited by 48 publications

(69 citation statements)

References 15 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In general, based on code instrumentation or program tracing, these tools replace concrete input data with symbolic values, collect and solve the constraints on execution traces and guide input error detection and generation. When testing applications with highly-structured inputs, such as compilers and interpreters, Godefroid et al [41] and Majumdar et al [50] proposed a variation technique which employs input symbolic grammar specifications. These tools have proven to highly improve the effectiveness of traditional fuzzing tools.…”

Section: Related Workmentioning

confidence: 99%

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Wang

Wei

et al. 2010

2010 IEEE Symposium on Security and Privacy

300

185

View full text Add to dashboard Cite

Abstract-Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques.We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688. Corresponding patches from vendors are released or in progress based on our reports.

show abstract

Section: Related Workmentioning

confidence: 99%

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Wang

Wei

et al. 2010

2010 IEEE Symposium on Security and Privacy

300

185

View full text Add to dashboard Cite

show abstract

“…One can approach the fuzzing problem by different techniques, as using symbolic execution [3], [13], [8], where input variables are made symbolic, and constraints are assembled to these variables along the execution path. Tracing tainted data is another approach where system functions and system calls from input data are followed to trace the behavior of an application as described in [19], [16], [6].…”

Section: Related Workmentioning

confidence: 99%

An Autonomic Testing Framework for IPv6 Configuration Protocols

Becker

Abdelnur

State

et al. 2010

Mechanisms for Autonomous Management of Networks and Services

View full text Add to dashboard Cite

Abstract. The current underutilization of IPv6 enabled services makes accesses to them very attractive because of higher availability and better response time, like the IPv6 specific services from Google and Youtube have recently got a lot of requests. In this paper, we describe a fuzzing framework for IPv6 protocols. Fuzzing is a process by which faults are injected in order to find vulnerabilities in implementations. Our paper describes a machine learning approach, that leverages reinforcement based fuzzing method. We describe a reinforcement learning algorithm to allow the framework to autonomically learn the best fuzzing mechanisms and to automatically test stability and reliability of IPv6.

show abstract

“…Information that constrains the space of valid inputs to a program, in the form of a grammar or otherwise, is key to scaling input space exploration beyond the limits of bruteforce exhaustive search. Previous research using symbolic execution [10,24,33] demonstrates the benefit of using an input grammar for this purpose. In the application domains we target, suitable grammars are easily available, so we simply use them.…”

Section: Technique Overviewmentioning

confidence: 99%

Loop-Extended Symbolic Execution on Binary Programs

Saxena¹,

Poosankam²,

McCamant³

et al. 2009

View full text Add to dashboard Cite

Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including securityrelevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data dependencies. We introduce loop-extended symbolic execution, a generalization that broadens the coverage of symbolic results in programs with loops. It introduces symbolic variables for the number of times each loop executes, and links these with features of a known input grammar such as variable-length or repeating fields. This allows the symbolic constraints to cover a class of paths that includes different numbers of loop iterations, expressing loop-dependent program values in terms of properties of the input. By performing more reasoning symbolically, instead of by undirected exploration, applications of loop-extended symbolic execution can achieve better results and/or require fewer program executions. To demonstrate our technique, we apply it to the problem of discovering and diagnosing buffer-overflow vulnerabilities in software given only in binary form. Our tool finds vulnerabilities in both a standard benchmark suite and 3 real-world applications, after generating only a handful of candidate inputs, and also diagnoses general vulnerability conditions.

show abstract

Directed test generation using symbolic grammars

Cited by 48 publications

References 15 publications

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

An Autonomic Testing Framework for IPv6 Configuration Protocols

Loop-Extended Symbolic Execution on Binary Programs

Contact Info

Product

Resources

About