Testing Network Protocol Binary Software with Selective Symbolic Execution

Vulnerabilities in network protocol implementations are difficult to detect. The main reason is that the state space of complex protocol binary software is too large to explore exhaustively. This paper proposes a novel approach that leverages selective symbolic execution to test network protocol binary software directly, confining symbolic execution to the security-sensitive areas of the program. This paper also builds a prototype system, S2EProtocol, on top of the Selective Symbolic Execution (S2E) platform and uses it to test several real-world network protocol binaries. The evaluation results show that the proposed method can find vulnerabilities efficiently and effectively.
