Improving guide-based vulnerability detection with hybrid symbolic execution

Symbolic execution is a key technology in current fine-grained software testing, but it still suffers from problems such as path-space explosion. To mitigate this problem and improve the ability to detect vulnerabilities, this paper presents an improved guide-based vulnerability detection method built on hybrid symbolic execution, which aims to test suspicious objects. The method traverses paths with a hybrid symbolic execution model that alternates between dynamic and static symbolic execution, and verifies whether a suspicious object is a real vulnerability by summarizing the characteristics of known vulnerability classes and generating a constraint expression that is handed to a solver. Experimental results show that the method detects the test errors in 56 seconds, faster than the other modern mainstream symbolic execution tools evaluated, including CUTE, KLEE, S2E and Cloud9. Compared with CUTE, the method alleviates the problem of space explosion. In addition, the paper successfully verifies vulnerabilities in OpenSSL and some other commonly used software.
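The abstract describes two pieces that are worth seeing concretely: path traversal that is steered toward a suspicious object, and a vulnerability check expressed as a constraint (path condition and out-of-bounds index) rather than as an observed crash. The following is an added illustration written for this page, not the paper's implementation: a toy concolic executor in which every `if` on a symbolic value records a branch, a generational search flips branches to reach new paths, and at the suspicious object (a fixed-size buffer write) the solver is asked whether the path condition together with an out-of-bounds index is satisfiable. The target program, its buffer size, the 16-value input domain and the brute-force stand-in for an SMT solver such as Z3 are all constructed assumptions; the paper's alternation between dynamic and static symbolic execution is not modeled.

```python
"""Toy guided concolic execution with a vulnerability constraint check.

Added example, not the paper's code. Brute force over a small integer domain
stands in for an SMT solver; the constraint logic is what a real tool would
hand to Z3.
"""
from itertools import product

PC = []  # path condition of the current run: list of (expr, taken)


class Sym:
    """Value that is concrete on this run but also carries a symbolic expression
    (a callable env -> value), so branches and indices can be re-solved later."""

    def __init__(self, conc, expr):
        self.conc, self.expr = conc, expr

    @staticmethod
    def lift(v):
        return v if isinstance(v, Sym) else Sym(v, lambda env, c=v: c)

    def _bin(self, other, op):
        o = Sym.lift(other)
        return Sym(op(self.conc, o.conc),
                   lambda env, a=self.expr, b=o.expr: op(a(env), b(env)))

    def __add__(self, o): return self._bin(o, lambda a, b: a + b)
    __radd__ = __add__
    def __sub__(self, o): return self._bin(o, lambda a, b: a - b)
    def __lt__(self, o): return self._bin(o, lambda a, b: a < b)
    def __ge__(self, o): return self._bin(o, lambda a, b: a >= b)

    def __bool__(self):
        # Every `if` on a symbolic value is recorded as a branch of the path.
        PC.append((self.expr, bool(self.conc)))
        return bool(self.conc)


def var(name, conc):
    return Sym(conc, lambda env, n=name: env[n])


def solve(constraints, names, domain=range(16)):
    """Stand-in for an SMT solver: enumerate a small domain and return the
    first assignment satisfying every constraint, or None if unsatisfiable."""
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(c(env) for c in constraints):
            return env
    return None


def pc_constraints(pc):
    """Turn a recorded path, a list of (expr, taken), into solver constraints."""
    return [(lambda env, e=e: bool(e(env))) if taken else (lambda env, e=e: not e(env))
            for e, taken in pc]


class Explorer:
    def __init__(self, program, names, initial):
        self.program, self.names, self.initial = program, names, initial
        self.reports = []

    def check_index(self, idx, size, site):
        """Vulnerability summary for a buffer access:
        PC and (idx < 0 or idx >= size). A witness is reported even when the
        concrete run itself stayed in bounds."""
        idx = Sym.lift(idx)
        oob = lambda env, e=idx.expr: e(env) < 0 or e(env) >= size
        witness = solve(pc_constraints(list(PC)) + [oob], self.names)
        if witness is not None and (site, witness) not in self.reports:
            self.reports.append((site, witness))
        return idx.conc

    def run(self, inputs):
        PC.clear()
        self.program(*[var(n, inputs[n]) for n in self.names], self.check_index)
        return list(PC)

    def explore(self, max_runs=16):
        """Generational search: flip each branch of every explored path once."""
        worklist, seen, runs = [dict(self.initial)], set(), 0
        while worklist and runs < max_runs:
            pc = self.run(worklist.pop())
            runs += 1
            sig = tuple(taken for _, taken in pc)
            if sig in seen:
                continue
            seen.add(sig)
            for j, (e, taken) in enumerate(pc):
                new = solve(pc_constraints(pc[:j] + [(e, not taken)]), self.names)
                if new is not None:
                    worklist.append(new)
        return self.reports


BUF_SIZE = 8  # constructed: size of the fixed buffer behind the suspicious write


def target(n, m, check):
    """Constructed program under test: the unchecked sum n + m indexes buf."""
    if n < 4:
        idx = n
    else:
        idx = n + m  # bug: no bound check on the derived index
    check(idx, BUF_SIZE, "buf[idx] write")


def find_overflows():
    return Explorer(target, ["n", "m"], {"n": 0, "m": 0}).explore()


if __name__ == "__main__":
    for site, witness in find_overflows():
        print(f"{site}: overflow reachable with {witness}")
```

Starting from n = 0, m = 0 the first run takes the `n < 4` branch and the check is unsatisfiable; flipping that branch yields n = 4, m = 0, whose concrete run is still in bounds, yet the constraint PC and n + m >= 8 is satisfiable and the solver returns the witness n = 4, m = 4. That is the point of checking a constraint at the suspicious object instead of waiting for a crash: the path only has to reach the site, not trigger the fault.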

[1] Nikolaj Bjørner et al. Z3: An Efficient SMT Solver, 2008, TACAS.

[2] Pedram Amini et al. Fuzzing: Brute Force Vulnerability Discovery, 2007.

[3] Erica Mealy et al. BegBunch: benchmarking for C bug detection tools, 2009, DEFECTS '09.

[4] Patrice Godefroid et al. Compositional dynamic test generation, 2007, POPL '07.

[5] David Brumley et al. BAP: A Binary Analysis Platform, 2011, CAV.

[6] George Candea et al. Cloud9: a software testing service, 2010, OPSR.

[7] Gadi Evron et al. Open Source Fuzzing Tools, 2007.

[8] Anna Philippou et al. Tools and Algorithms for the Construction and Analysis of Systems, 2018, Lecture Notes in Computer Science.

[9] Koushik Sen et al. CUTE and jCUTE: Concolic Unit Testing and Explicit Path Model-Checking Tools, 2006, CAV.

[10] George Candea et al. S2E: a platform for in-vivo multi-path analysis of software systems, 2011, ASPLOS XVI.

[11] Guofei Gu et al. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection, 2010, IEEE Symposium on Security and Privacy.

[12] Richard J. Enbody et al. Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing, 2007.

[13] Herbert Bos et al. Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, 2013, USENIX Security Symposium.

[14] Dawson R. Engler et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, 2008, OSDI.

[15] Harish Patil et al. Pin: building customized program analysis tools with dynamic instrumentation, 2005, PLDI '05.