Multi-packet symbolic execution testing for network protocol binary software

Current testing methods for network protocol binary software cannot discover serious vulnerabilities that lie in deep protocol states, that is, states reachable only after a specific sequence of packets has been processed. This article introduces a novel method based on multi-packet symbolic execution that drives the software into such deep states in order to test the whole network protocol binary software stack. It also presents a prototype system, S2EProtocol-multi, built on the Selective Symbolic Execution (S2E) platform, and evaluates it on real-world network protocol binary software. The results validate that the proposed method can explore deep states and detect vulnerabilities efficiently and effectively.
