A Taint Based Approach for Smart Fuzzing

Fuzzing is one of the most popular test-based software vulnerability detection techniques. It consists in running the target application with dedicated inputs in order to exhibit potential failures that could be exploited by a malicious user. In this paper we propose a global approach for fuzzing, addressing the main challenges to be faced in an industrial context: large-size applications, without source code access, and with a partial knowledge of the input specifications. This approach integrates several successive steps, and we mostly focus here on an important one which relies on binary-level dynamic taint analysis. We summarize the main problems to be addressed in this step, and we detail the solution we implemented to solve them.

[1]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[2]  Barton P. Miller,et al.  An empirical study of the robustness of Windows NT applications using random testing , 2000 .

[3]  Marie-Laure Potet,et al.  Taint Dependency Sequences: A Characterization of Insecure Execution Paths Based on Input-Sensitive Cause Sequences , 2010, 2010 Third International Conference on Software Testing, Verification, and Validation Workshops.

[4]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[5]  Giovanni Vigna,et al.  Static Detection of Vulnerabilities in x86 Executables , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[6]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[7]  Martin C. Rinard,et al.  Taint-based directed whitebox fuzzing , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[8]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[9]  Hua Chen,et al.  An Heuristic Method for Web-Service Program Security Testing , 2009, 2009 Fourth ChinaGrid Annual Conference.

[10]  Juha Röning,et al.  Experiences with Model Inference Assisted Fuzzing , 2008, WOOT.

[11]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[12]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[13]  Daniel P. Siewiorek,et al.  Automated robustness testing of off-the-shelf software components , 1998, Digest of Papers. Twenty-Eighth Annual International Symposium on Fault-Tolerant Computing (Cat. No.98CB36224).

[14]  Pedram Amini,et al.  Fuzzing: Brute Force Vulnerability Discovery , 2007 .

[15]  Peter Oehlert,et al.  Violating Assumptions with Fuzzing , 2005, IEEE Secur. Priv..

[16]  David Lee,et al.  Testing Security Properties of Protocol Implementations - a Machine Learning Based Approach , 2007, 27th International Conference on Distributed Computing Systems (ICDCS '07).

[17]  Martin Vuagnoux,et al.  Autodafé: an Act of Software Torture , 2005 .

[18]  Barton P. Miller,et al.  Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services , 1995 .

[19]  Nikolai Tillmann,et al.  Automating Software Testing Using Program Analysis , 2008, IEEE Software.

[20]  Glenford J. Myers,et al.  Art of Software Testing , 1979 .

[21]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[22]  Guofei Gu,et al.  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[23]  Barton P. Miller,et al.  An empirical study of the robustness of MacOS applications using random testing , 2006, RT '06.

[24]  Roland Groz,et al.  Finding Software Vulnerabilities by Smart Fuzzing , 2011, 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation.

[25]  Jared D. DeMott,et al.  Fuzzing for Software Security Testing and Quality Assurance , 2008 .

[26]  David Lee,et al.  Detecting Communication Protocol Security Flaws by Formal Fuzz Testing and Machine Learning , 2008, FORTE.

[27]  Will Drewry,et al.  Flayer: Exposing Application Internals , 2007, WOOT.

[28]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[29]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[30]  Alessandro Orso,et al.  Dytan: a generic dynamic taint analysis framework , 2007, ISSTA '07.

[31]  Dawn Xiaodong Song,et al.  TaintEraser: protecting sensitive data leaks using application-level taint tracking , 2011, OPSR.