Differential Slicing: Identifying Causal Execution Differences for Security Applications

A security analyst often needs to understand two runs of the same program that exhibit a difference in program state or output. This is important, for example, for vulnerability analysis, as well as for analyzing a malware program that features different behaviors when run in different environments. In this paper we propose a differential slicing approach that automates the analysis of such execution differences. Differential slicing outputs a causal difference graph that captures the input differences that triggered the observed difference and the causal path of differences that led from those input differences to the observed difference. The analyst uses the graph to quickly understand the observed difference. We implement differential slicing and evaluate it on the analysis of 11 real-world vulnerabilities and 2 malware samples with environment-dependent behaviors. We also evaluate it in an informal user study with two vulnerability analysts. Our results show that differential slicing successfully identifies the input differences that caused the observed difference and that the causal difference graph significantly reduces the amount of time and effort required for an analyst to understand the observed difference.
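The abstract describes the output of differential slicing as a causal difference graph: the input differences, plus the chain of value and control-flow differences leading from them to the observed difference. The following Python is an added illustration of that idea on a tiny register-machine program; it is not the paper's implementation and simplifies two things the paper handles carefully: execution indexing is approximated by the pair (program counter, occurrence count), and control dependence is approximated by the most recently executed branch rather than computed from post-dominators. The toy program and both inputs are constructed for the example.

```python
"""Toy differential slicing over two runs of a tiny register program.

Added illustration, not the paper's code. Execution index = (pc, occurrence);
control dependence = last executed branch (a simplification).
"""
from collections import defaultdict

# Constructed toy program: read a length and a flag, bounds-check the length,
# and derive an output that depends on which side of the branch ran.
# Assignment: (dst, op, *args); branch: ("jz", var, target); jump: ("jmp", target).
PROGRAM = [
    ("len",    "input", 0),
    ("flag",   "input", 1),
    ("limit",  "const", 16),
    ("ok",     "lt",    "len", "limit"),
    ("jz",     "ok",    7),             # if ok == 0 jump to pc 7
    ("copied", "add",   "len", "flag"),
    ("jmp",    8),
    ("copied", "const", 0),
    ("out",    "mul",   "copied", "flag"),
]

OPS = {"lt": lambda a, b: int(a < b), "add": lambda a, b: a + b, "mul": lambda a, b: a * b}


def run(program, inputs):
    """Execute `program` and return a trace: execution index -> event.

    Each event records its op, the execution indices it data-depends on, the
    branch it is (approximately) control-dependent on, and the value produced.
    """
    trace, env, defs = {}, {}, {}
    occ = defaultdict(int)          # how many times each pc has executed
    last_branch = None
    pc = 0
    while pc < len(program):
        stmt = program[pc]
        idx = (pc, occ[pc])
        occ[pc] += 1
        ev = {"op": stmt[0] if stmt[0] in ("jz", "jmp") else stmt[1],
              "deps": set(), "ctrl": last_branch, "value": None}
        if stmt[0] == "jmp":
            pc = stmt[1]
        elif stmt[0] == "jz":
            var, target = stmt[1], stmt[2]
            ev["deps"].add(defs[var])
            taken = env[var] == 0
            ev["value"] = taken         # branch outcome is the "value" compared
            last_branch = idx
            pc = target if taken else pc + 1
        else:
            dst, op, *args = stmt
            if op == "input":
                ev["value"] = inputs[args[0]]
            elif op == "const":
                ev["value"] = args[0]
            else:
                ev["deps"] = {defs[a] for a in args}
                ev["value"] = OPS[op](*(env[a] for a in args))
            env[dst], defs[dst] = ev["value"], idx
            pc += 1
        trace[idx] = ev
    return trace


def differential_slice(trace_a, trace_b, target):
    """Build the causal difference graph for the difference observed at `target`.

    Walk backwards over dynamic data and control dependences of both runs,
    keeping only execution points that differ: "value" (both runs executed it,
    values differ), "flow" (only one run executed it) or "input" (a differing
    input read, where the walk stops). Points with equal values are pruned.
    """
    kind, preds = {}, defaultdict(set)
    work = [target]
    while work:
        idx = work.pop()
        if idx in kind:
            continue
        ea, eb = trace_a.get(idx), trace_b.get(idx)
        present = [e for e in (ea, eb) if e is not None]
        if not present:
            continue
        if len(present) == 2 and ea["value"] == eb["value"]:
            kind[idx] = "same"          # no difference here: the slice stops
            continue
        if len(present) == 1:
            kind[idx] = "flow"
        elif present[0]["op"] == "input":
            kind[idx] = "input"
            continue
        else:
            kind[idx] = "value"
        for e in present:               # union of both runs' dependences
            for dep in e["deps"] | ({e["ctrl"]} - {None}):
                preds[idx].add(dep)
                work.append(dep)
    nodes = {i: k for i, k in kind.items() if k != "same"}
    edges = {i: {p for p in preds[i] if p in nodes} for i in nodes}
    return {"inputs": {i for i, k in nodes.items() if k == "input"},
            "nodes": nodes, "edges": edges}


if __name__ == "__main__":
    # Constructed inputs: run A passes the bounds check, run B does not.
    graph = differential_slice(run(PROGRAM, (8, 1)), run(PROGRAM, (32, 1)), (8, 0))
    for node, k in sorted(graph["nodes"].items()):
        print(node, k, "<-", sorted(graph["edges"][node]))
    print("input differences:", sorted(graph["inputs"]))
```

On the two constructed inputs the walk from the `out` statement reaches the two flow-difference assignments to `copied`, the diverging branch, the differing `ok` comparison, and finally the `len` input read; `flag` and `limit` have equal values in both runs and are pruned, so the graph names `len` as the single input difference responsible for the observed output difference.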
