TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Wang, Tielei; Wei, Tao; Gu, Guofei; Zou, Wei

doi:10.1109/sp.2010.37

Cited by 300 publications

(198 citation statements)

References 31 publications

Supporting

Mentioning

185

Contrasting

Unclassified

Order By: Relevance

“…This allows the auditor to fuzz logic deeper within the application without crafting inputs which conform to the format required by the target, at the cost of time spent investigating the validity of crashing inputs found. Similarly, Taintscope uses a checksum detection algorithm to remove checksum code from applications, effectively "patching out" branch predicates which are difficult to satisfy with a mutational approach [30]. This enables the fuzzer to handle specific classes of difficult constraints.…”

Section: A Guided Fuzzingmentioning

confidence: 99%

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Stephens¹,

Grosen²,

Salls³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

620

537

View full text Add to dashboard Cite

Abstract-Memory corruption vulnerabilities are an everpresent risk in software, which attackers can exploit to obtain unauthorized access to confidential information. As products with access to sensitive data are becoming more prevalent, the number of potentially exploitable systems is also increasing, resulting in a greater need for automated software vetting tools. DARPA recently funded a competition, with millions of dollars in prize money, to further research focusing on automated vulnerability finding and patching, showing the importance of research in this area. Current techniques for finding potential bugs include static, dynamic, and concolic analysis systems, which each having their own advantages and disadvantages. A common limitation of systems designed to create inputs which trigger vulnerabilities is that they only find shallow bugs and struggle to exercise deeper paths in executables.We present Driller, a hybrid vulnerability excavation tool which leverages fuzzing and selective concolic execution in a complementary manner, to find deeper bugs. Inexpensive fuzzing is used to exercise compartments of an application, while concolic execution is used to generate inputs which satisfy the complex checks separating the compartments. By combining the strengths of the two techniques, we mitigate their weaknesses, avoiding the path explosion inherent in concolic analysis and the incompleteness of fuzzing. Driller uses selective concolic execution to explore only the paths deemed interesting by the fuzzer and to generate inputs for conditions that the fuzzer cannot satisfy. We evaluate Driller on 126 applications released in the qualifying event of the DARPA Cyber Grand Challenge and show its efficacy by identifying the same number of vulnerabilities, in the same time, as the top-scoring team of the qualifying event.

show abstract

Section: A Guided Fuzzingmentioning

confidence: 99%

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Stephens¹,

Grosen²,

Salls³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

620

537

View full text Add to dashboard Cite

show abstract

“…Lai et al [13] mark each byte of external input data to perform fine-grained taint analysis, which improves the granularity of dynamic taint analysis. Wang et al [14] propose a method to bypass the checksum mechanism, which combines with symbolic execution and fine-grained dynamic taint analysis, to develop TaintScope. Zhuge et al [15] present a method of type-based dynamic taint analysis, according to the type information of instructions and functions, which provides better semantic support.…”

Section: Related Workmentioning

confidence: 99%

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

Wang

Dou

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Dynamic taint analysis is a powerful technique for tracking the flow of sensitive information. Different approaches have been proposed to accelerate this process in an online or offline manner. Unfortunately, most of these approaches still have performance bottlenecks and thus reduce analytical efficiency. To address this limitation, we present OFFDTAN, a new approach of offline dynamic taint analysis for binaries. OFFDTAN can be described in terms of four stages: dynamic information acquisition, vulnerability modeling, offline analysis, and backtrace analysis. It first records program runtime information and models the stack buffer overflow vulnerabilities and controlled jump vulnerabilities. Then it performs offline analysis and backtrace analysis to locate vulnerabilities. We implement OFFDTAN on the basis of QEMU virtual machine and apply it to off-the-shelf applications. In order to illustrate how our approach works, we first employ a case study. Furthermore, six applications have been verified so as to evaluate our approach. Experimental results demonstrate that our approach is correct and effective. Compared with other offline analysis tools, OFFDTAN has much lower application runtime overhead.

show abstract

“…Though they use symbolic exploration to find vulnerabilities, they use a different technique, based on searching for an inverse function in the same binary, to generate preimages. The decomposition and restitching technique can also recompute checksums, which is a key capability of TaintScope [28]. TaintScope uses taintdirected fuzzing to search for vulnerabilities, and a checksum can typically be recomputed using simple concrete execution.…”

Section: Related Workmentioning

confidence: 99%

HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism

Caselden

Bazhanyuk²,

Payer

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Security analysis often requires understanding both the control and data-flow structure of a binary. We introduce a new program representation, a hybrid information-and control-flow graph (HI-CFG), and give algorithms to infer it from an instruction-level trace. As an application, we consider the task of generalizing an attack against a program whose inputs undergo complex transformations before reaching a vulnerability. We apply the HI-CFG to find the parts of the program that implement each transformation, and then generate new attack inputs under a user-specified combination of transformations. Structural knowledge allows our approach to scale to applications that are infeasible with monolithic symbolic execution. Such attack polymorphism shows the insufficiency of any filter that does not support all the same transformations as the vulnerable application. In case studies, we show this attack capability against a PDF viewer and a word processor.

show abstract

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Cited by 300 publications

References 31 publications

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

Driller: Augmenting Fuzzing Through Selective Symbolic Execution

OFFDTAN: A New Approach of Offline Dynamic Taint Analysis for Binaries

HI-CFG: Construction by Binary Analysis and Application to Attack Polymorphism

Contact Info

Product

Resources

About