Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Shoshitaishvili, Yan; Wang, Ruoyu; Hauser, Christophe; Kruegel, Christopher; Vigna, Giovanni

doi:10.14722/ndss.2015.23294

Cited by 260 publications

(134 citation statements)

References 17 publications

Supporting

Mentioning

133

Contrasting

Order By: Relevance

“…Veritesting [1] proposed an advanced path merging technique to reduce the number of paths being executed, Firmalice [29] performs extensive static analysis and limits symbolic execution to small slices of code, and under-constrained symbolic execution exchanges precision for scalability [16], [27]. However, these techniques either fail to mitigate the path explosion problem (Veritesting delays the explosion, but such explosion still eventually occurs) or produce inputs that are not directly actionable (for example, the slicing done by Firmalice produces inputs that satisfy the constraints of a particular slice, but no input is provided to reach the code in the first place).…”

Section: Concolic Executionmentioning

confidence: 99%

See 1 more Smart Citation

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Stephens¹,

Grosen²,

Salls³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

593

497

View full text Add to dashboard Cite

Abstract-Memory corruption vulnerabilities are an everpresent risk in software, which attackers can exploit to obtain unauthorized access to confidential information. As products with access to sensitive data are becoming more prevalent, the number of potentially exploitable systems is also increasing, resulting in a greater need for automated software vetting tools. DARPA recently funded a competition, with millions of dollars in prize money, to further research focusing on automated vulnerability finding and patching, showing the importance of research in this area. Current techniques for finding potential bugs include static, dynamic, and concolic analysis systems, which each having their own advantages and disadvantages. A common limitation of systems designed to create inputs which trigger vulnerabilities is that they only find shallow bugs and struggle to exercise deeper paths in executables.We present Driller, a hybrid vulnerability excavation tool which leverages fuzzing and selective concolic execution in a complementary manner, to find deeper bugs. Inexpensive fuzzing is used to exercise compartments of an application, while concolic execution is used to generate inputs which satisfy the complex checks separating the compartments. By combining the strengths of the two techniques, we mitigate their weaknesses, avoiding the path explosion inherent in concolic analysis and the incompleteness of fuzzing. Driller uses selective concolic execution to explore only the paths deemed interesting by the fuzzer and to generate inputs for conditions that the fuzzer cannot satisfy. We evaluate Driller on 126 applications released in the qualifying event of the DARPA Cyber Grand Challenge and show its efficacy by identifying the same number of vulnerabilities, in the same time, as the top-scoring team of the qualifying event.

show abstract

Section: Concolic Executionmentioning

confidence: 99%

“…Furthermore, with the rise of the Internet of Things, the number of devices that run potentially vulnerable software has skyrocketed, and vulnerabilities are increasingly being discovered in the software running these devices [29].…”

Section: Introductionmentioning

confidence: 99%

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Stephens¹,

Grosen²,

Salls³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

593

497

View full text Add to dashboard Cite

show abstract

“…The authors of ByteWeight [23] made their dataset available online 4 . This dataset contains the GNU coreutils, binutils and findutils compiled for Linux, for the x86 and x86-64 architectures, and using different compilers (GNU GCC and Intel ICC) and optimization levels (O0, O1, O2, O3).…”

Section: Architecture Identificationmentioning

confidence: 99%

“…They range from disassemblers and decompilers, to complex analysis frameworks [1,2] that combine static analysis with other techniques, primarily symbolic execution [3,4], fuzzing [5,6], or both [7]. Binary analysis techniques are useful in many domains: For example, discovering vulnerabilities [8], understanding and reconstructing the behavior of a program, as well as modifying legacy software when the source code is lost (e.g., to apply security [9] or functionality patches).…”

Section: Introductionmentioning

confidence: 99%

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

Nicolao

Pogliani

Polino

et al. 2018

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Static binary analysis techniques are widely used to reconstruct the behavior and discover vulnerabilities in software when source code is not available. To avoid errors due to mis-interpreting data as machine instructions (or vice-versa), disassemblers and static analysis tools must precisely infer the boundaries between code and data. However, this information is often not readily available. Worse, compilers may embed small chunks of data inside the code section. Most state of the art approaches to separate code and data are rooted on recursive traversal disassembly, with severe limitations when dealing with indirect control instructions. We propose ELISA, a technique to separate code from data and ease the static analysis of executable files. ELISA leverages supervised sequential learning techniques to locate the code section(s) boundaries of header-less binary files, and to predict the instruction boundaries inside the identified code section. As a preliminary step, if the Instruction Set Architecture (ISA) of the binary is unknown, ELISA leverages a logistic regression model to identify the correct ISA from the file content. We provide a comprehensive evaluation on a dataset of executables compiled for different ISAs, and we show that our method is capable to identify code sections with a byte-level accuracy (F1 score) ranging from 98.13% to over 99.9% depending on the ISA. Fine-grained separation of code from embedded data on x86, x86-64 and ARM executables is accomplished with an accuracy of over 99.9%.

show abstract

“…Our experiment is carried out in the system Ubuntu 14.04, running in an angr virtual environment [11][12] [13] . The language we use is Python.…”

Section: Methodsmentioning

confidence: 99%

SemHunt: Identifying Vulnerability Type with Double Validation in Binary Code

Li¹,

Xu²,

Tang

et al. 2017

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

Abstract-when manufacturers release patches, they are usually released as binary executable programs. Vendors generally do not disclose the exact location of the vulnerabilities, even they may conceal some of the vulnerabilities, which is not conducive to study the in-depth situation of security for the need of consumers. In this paper we introduce a vulnerability discover method using machine learning based on patch information -SemHunt. Firstly, we use it to compare two versions of the same program to get the potential vulnerability-patched function pairs using binary comparison technology. Then, we combine it with vulnerability and patch knowledge database to classify these function pairs and identify the possible vulnerable functions and the vulnerability types. We completed a prototype of SemHunt, which can effectively identify vulnerable function types and the location of corresponding vulnerabilities, which are not revealed in the released patch files. Finally, we test some programs containing real-world CWE vulnerabilities, and one of the experimental results about CWE843 shows that the results returned from only searching source program are about twice as much as the results from SemHunt. We can see that using SemHunt can significantly reduce false positive rate of discovering vulnerabilities compared with analyzing source files alone.

show abstract

Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Cited by 260 publications

References 17 publications

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

ELISA: ELiciting ISA of Raw Binaries for Fine-Grained Code and Data Separation

SemHunt: Identifying Vulnerability Type with Double Validation in Binary Code

Contact Info

Product

Resources

About