Combining Static and Dynamic Analysis for Vulnerability Detection

In this paper, we present a hybrid approach for buffer overflow detection in C code. The approach makes use of static and dynamic analysis of the application under investigation. The static part consists of computing taint dependency sequences (TDS) between user-controlled inputs and vulnerable statements. This process is akin to program slicing: it computes the tainted data- and control-flow paths that exhibit the dependence between tainted program inputs and vulnerable statements in the code. The dynamic part consists of executing the program along the TDSs to trigger the vulnerability by generating suitable inputs. We use a genetic algorithm to generate the inputs and propose a fitness function that approximates the program's behavior (its control flow) from the execution frequencies of the statements along the TDSs. This runtime information makes the approach faster and more accurate. We provide experimental results on the Verisec benchmark to validate our approach.
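The following is an added illustration of the dynamic part described above, not the paper's tool or code: a constructed toy program stands in for the C code under test, its statements report execution frequencies to a trace, and a small genetic algorithm evolves inputs using a fitness that weights the frequency of each TDS statement by its position in the sequence. The toy program, the weighting scheme and the GA parameters are assumptions; the sink only reports whether the copy would exceed the buffer, it never performs it.

```python
import random

BUF_SIZE = 8  # constructed: size of the fixed destination buffer at the sink
TDS = ["s1", "s2", "s3", "s4", "s5"]  # static part: statements on the tainted path

def toy_program(data: bytes, trace: list) -> bool:
    # Constructed stand-in for the C program under test: each statement appends its
    # id to `trace`. True means the copy at s5 would exceed BUF_SIZE (reported only).
    trace.append("s1")                          # read tainted input
    if data and 65 <= data[0] <= 90:            # first byte must be 'A'..'Z'
        trace.append("s2")
        digits = 0
        for b in data[1:]:
            if 48 <= b <= 57:                   # tainted byte is a digit
                trace.append("s3")
                digits += 1
        if digits >= 3:
            trace.append("s4")                  # guard on the tainted count
            trace.append("s5")                  # vulnerable statement: strcpy-like copy
            return len(data) - 1 > BUF_SIZE
    return False
def fitness(data: bytes) -> int:
    # TDS statement frequencies weighted by position, so reaching later statements dominates.
    trace = []
    toy_program(data, trace)
    return sum(i * trace.count(s) for i, s in enumerate(TDS, start=1))
def mutate(d: bytes, rng: random.Random) -> bytes:
    d, pos = bytearray(d), rng.randrange(len(d))
    if rng.random() < 0.5 or len(d) >= 16:
        d[pos] = rng.randrange(256)             # replace one byte
    else:
        d.insert(pos, rng.randrange(256))       # insert one byte (length capped at 16)
    return bytes(d)
def crossover(a: bytes, b: bytes, rng: random.Random) -> bytes:
    cut = rng.randrange(1, min(len(a), len(b)) + 1)
    return (a[:cut] + b[cut:])[:16]
def search(pop_size: int = 40, generations: int = 500, seed: int = 7):
    # Returns the first input that makes the sink check fire, or None on budget exhaustion.
    rng = random.Random(seed)
    pop = [bytes(rng.randrange(256) for _ in range(rng.randrange(1, 12))) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)     # elitist selection on TDS fitness
        for cand in pop:
            if toy_program(cand, []):
                return cand
        elite = pop[: pop_size // 4]
        pop = elite + [mutate(crossover(*rng.sample(elite, 2), rng), rng)
                       for _ in range(pop_size - len(elite))]
    return None
```

The fitness gives the search a gradient along the sequence even though no single branch condition is solved symbolically, which is the point of approximating control flow from statement frequencies.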
