Memory models in symbolic execution: key ideas and new thoughts

Borzacchiello, Luca; Coppa, Emilio; D’Elia, Daniele Cono; Demetrescu, Camil

doi:10.1002/stvr.1722

Cited by 13 publications

(4 citation statements)

References 35 publications

(81 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…angr also has a feature to support generating path constraints from an entire lookup table [6] which we investigated, but we were not able to set up an appropriate experimental comparison as of this submission. In the example we tried, it appeared that angr did successfully generate a lookup table but it concluded that the path, on which the CRC of the symbolic input matched the concrete target, was infeasible.…”

Section: B Resultsmentioning

confidence: 99%

It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs

Sharma¹,

Emamdoost²,

Kim³

et al. 2020

Proceedings 2020 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Cyclic redundancy check functions (CRCs) are commonly used as checksums in hardware and software systems. Though some previous work has treated CRCs as if they would be difficult for automated reasoning or proposed using them for obfuscation, we argue that CRCs need not be difficult for symbolic execution. CRCs have a strong algebraic structure, and the key to efficient reasoning about them is exposing this structure. Common CRC implementation techniques use perbit branching or lookup tables, but these code structures can be compactly summarized by symbolic execution engines that perform path merging or create formulas reflecting the contents of a table, respectively. To evaluate the effectiveness of these techniques, we test the binary symbolic execution tools angr and FuzzBALL, and the Java bytecode tool Java Ranger, on symbolically finding CRC preimages for output sizes of 32 and 64 bits and input sizes up to 8192 bytes. The best configurations can find short CRC preimages in just a fraction of a second and long ones in under 10 seconds, demonstrating that constraint solving with CRCs is not difficult.

show abstract

Section: B Resultsmentioning

confidence: 99%

It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs

Sharma¹,

Emamdoost²,

Kim³

et al. 2020

Proceedings 2020 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…To mitigate this problem, Qs y m [4] has proposed a concolic executor built through dynamic binary instrumentation (DBI) that cuts down the time spent for running the program by maintaining only the symbolic state and offloads completely the concrete state to the native c P u . Additionally, it simplifies the symbolic state by concretizing symbolic addresses [22], [23] but also generates inputs that can lead the program to access alternative mem-ory locations. More recently, SYMCC [5] has improved the design of Qs y m by proposing a source-based instrumentation approach that further reduces the emulation time.…”

Section: Concolic Executionmentioning

confidence: 99%

Fuzzing Symbolic Expressions

Borzacchiello

Coppa

Demetrescu

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Recent years have witnessed a wide array of results in software testing, exploring different approaches and methodologies ranging from fuzzers to symbolic engines, with a full spectrum of instances in between such as concolic execution and hybrid fuzzing. A key ingredient of many of these tools is Satisfiability Modulo Theories (SMT) solvers, which are used to reason over symbolic expressions collected during the analysis. In this paper, we investigate whether techniques borrowed from the fuzzing domain can be applied to check whether symbolic formulas are satisfiable in the context of concolic and hybrid fuzzing engines, providing a viable alternative to classic SMT solving techniques. We devise a new approximate solver, Fu z z y -Sa t , and show that it is both competitive with and complementary to state-of-the-art solvers such as Z3 with respect to handling queries generated by hybrid fuzzers.

show abstract

“…Its scheme brings byte manipulations and table lookups relevant for transformation functions of variable complexity that users may obfuscate. In the presence of table lookups, using concrete values for input-dependent pointers is no longer effective (even counterproductive) for DSE engines for exploring relevant states, thus we enable the per-page theory-of-arrays [15] memory model of S2E. S2E could thus recover a 6-byte input in approximately 102 seconds for the original implementation, 180 for 2VM-imp last , 281 for 2VM-imp all , and 1622 for 3VM-imp last .…”

Section: Deployabilitymentioning

confidence: 99%

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Borrello,

Coppa,

D'Elia

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Largely known for attack scenarios, code reuse techniques at a closer look reveal properties that are appealing also for program obfuscation. We explore the popular return-oriented programming paradigm under a new light, transforming program functions into chains of gadgets that coexist seamlessly with the surrounding software stack. We show how to build chains that can withstand state-to-the-art static and dynamic deobfuscation approaches, evaluating the robustness and overheads of the design over common programs. The results suggest a significant increase in the amount of resources that would be required to carry man-at-the-end attacks. CCS CONCEPTS• Security and privacy → Software and application security;• Software and its engineering → Software notations and tools.

show abstract

Memory models in symbolic execution: key ideas and new thoughts

Cited by 13 publications

References 35 publications

It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs

It Doesn’t Have to Be So Hard: Efficient Symbolic Reasoning for CRCs

Fuzzing Symbolic Expressions

Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation

Contact Info

Product

Resources

About