Decoupling Dynamic Test Generation from Specific Operating System Details Based on Whole System Virtual Machine

Dynamic test generation is becoming an increasingly popular approach to finding security vulnerabilities in software. However, existing approaches and tools are not retargetable and can only find vulnerabilities over a specific OS, because the way they record the execution trace is tied to that OS. This paper presents a new dynamic test generation technique and a tool, ReTBLDTG (short for ReTargetable Dynamic Test Generation), that implements it. Unlike other such techniques, which can only operate over a specific OS, ReTBLDTG can process programs over any OS. ReTBLDTG is built on a whole-system virtual machine that provides OS-independent and fast concrete execution of the target program, and the thread to which each executing instruction belongs is identified OS-independently by analyzing register values and hardware events in the virtual machine. Thus the execution trace is recorded without knowledge of the guest OS's internal structure. We have implemented ReTBLDTG and used it to automatically find the six known bugs in six benchmarks over Linux and Windows. Our results indicate that ReTBLDTG can operate on any OS and can effectively find bugs located deep within large applications over any OS.
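The OS-independent thread identification described above, as an added example that is not code from the paper or the ReTBLDTG tool: each instruction record carries the page-table base register (cr3), the stack pointer (esp) and the privilege level (cpl), and instructions are attributed to a thread by address space plus stack region, while kernel-mode instructions that follow an interrupt or system call are counted separately. Which registers and the stack-distance threshold are assumptions made here, since the abstract names neither.

```python
from dataclasses import dataclass, field

# Assumption: two user-mode stacks closer than this are treated as one thread's stack.
STACK_WINDOW = 0x10000


@dataclass
class Insn:
    """One instruction-level record from the VM (constructed format)."""
    pc: int
    cr3: int   # page-table base: identifies the address space (process)
    esp: int   # stack pointer: separates threads that share one address space
    cpl: int   # privilege level: 0 = kernel mode, 3 = user mode


@dataclass
class Thread:
    tid: int
    cr3: int
    esp_lo: int
    esp_hi: int
    trace: list = field(default_factory=list)  # pcs attributed to this thread


class ThreadTracker:
    """Attributes user-mode instructions to threads with no guest-OS knowledge."""

    def __init__(self):
        self.threads = []       # threads in order of discovery
        self.kernel_insns = 0   # instructions executed after a hardware event

    def _find(self, cr3, esp):
        # Same address space and a stack pointer near a known stack => same thread.
        for t in self.threads:
            if t.cr3 == cr3 and t.esp_lo - STACK_WINDOW <= esp <= t.esp_hi + STACK_WINDOW:
                t.esp_lo, t.esp_hi = min(t.esp_lo, esp), max(t.esp_hi, esp)
                return t
        t = Thread(tid=len(self.threads), cr3=cr3, esp_lo=esp, esp_hi=esp)
        self.threads.append(t)
        return t

    def record(self, insn):
        if insn.cpl == 0:           # interrupt/exception/syscall handler: not a user thread
            self.kernel_insns += 1
            return None
        t = self._find(insn.cr3, insn.esp)
        t.trace.append(insn.pc)
        return t.tid


def trace_by_thread(insns):
    """Returns the tracker and the thread id assigned to each record (None = kernel)."""
    tr = ThreadTracker()
    return tr, [tr.record(i) for i in insns]


# Constructed sample: process 0x1000 with two threads, a timer interrupt, and
# a second process whose thread happens to use the same esp value.
SAMPLE_TRACE = [
    Insn(0x401000, 0x1000, 0xBFFF0000, 3),
    Insn(0x401004, 0x1000, 0xBFFEFFF8, 3),
    Insn(0xC0100000, 0x1000, 0xC1000000, 0),  # kernel: hardware event handler
    Insn(0x401010, 0x1000, 0xBF7F0000, 3),    # second thread, same address space
    Insn(0x401000, 0x2000, 0xBFFF0000, 3),    # other process, same esp value
    Insn(0x401008, 0x1000, 0xBFFEFFE0, 3),    # back to the first thread
]
```

Running `trace_by_thread(SAMPLE_TRACE)` yields thread ids `[0, 0, None, 1, 2, 0]`: the same esp under a different cr3 is a different thread, and the interrupt handler is excluded from every thread's trace.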
