Hunter: Online Accurate Taint Propagation Analysis Based System for Detecting Bugs in Binaries

The dynamic test generation approach is becoming increasingly popular for finding security vulnerabilities in software, and it is also applied to detect bugs in binaries. However, existing systems of this kind adopt offline symbolic analysis and execution based on a program execution trace, which records the executed instructions and their operand values, with every input-related memory access replaced by its concrete execution value. This brings two fatal problems: first, all symbolic information about input-related memory accesses is lost; second, the symbolic information of other variables is inaccurate, especially for variables computed from input-related memory accesses. This paper presents Hunter, an automatic dynamic test generation system based on online taint analysis, which finds, online, unknown high-priority fatal bugs in binaries that must be fixed immediately at the pre-release stage. To achieve this, we present a new abstract representation, the Taint Single Assignment DAG (TSADAG), to depict taint propagation information; we present the algorithm that builds the TSADAG during online execution; and finally we build the Hunter system. Experimental results show that Hunter has a very low divergence rate of less than 5.4%, thanks to the online accurate taint propagation analysis, and can find pointer-related or indirect memory access-related bugs.
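The following is an added, constructed illustration of the problem the abstract describes; it is not Hunter's code and does not reproduce the paper's TSADAG format. A toy straight-line trace is executed twice over a single-assignment taint DAG: once "online", where a load whose address depends on input gets a DAG node that records that dependency, and once "offline", where (as in trace-based replay) the input-related memory access has already been replaced by its concrete value, so the loaded register loses its taint and every variable computed from it is analysed against a constant instead of a symbolic value. The instruction set, register names, table address and input values are all hypothetical.

```python
"""Online vs. offline taint propagation over a toy instruction trace.

Constructed example. Node is a single-assignment taint DAG node: every
register write creates a fresh node, so the graph never mutates.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Node:
    """One node of the taint DAG: an operation and its operands.

    Operands are either child Nodes (tainted) or plain ints (concrete)."""
    op: str
    args: Tuple[Union["Node", int], ...] = ()

    def sources(self) -> set:
        """Input byte offsets this node ultimately depends on."""
        if self.op == "input":
            return {self.args[0]}
        out = set()
        for a in self.args:
            if isinstance(a, Node):
                out |= a.sources()
        return out

    def __str__(self) -> str:
        if self.op == "input":
            return f"in[{self.args[0]}]"
        return f"{self.op}(" + ", ".join(str(a) for a in self.args) + ")"


TABLE_BASE = 0x1000  # hypothetical address of a 256-byte lookup table


def execute(program: List[tuple], inputs: List[int], memory: Dict[int, int],
            online: bool = True):
    """Run the toy trace; return (concrete registers, taint node per register).

    online=True  : a load through a tainted address yields load(addr_taint).
    online=False : the address was already concretised in the trace, so the
                   loaded value is treated as an untainted constant."""
    regs: Dict[str, int] = {}
    taint: Dict[str, Optional[Node]] = {}
    for ins in program:
        op, dst, *src = ins
        if op == "input":                      # dst = input[idx]
            idx = src[0]
            regs[dst] = inputs[idx]
            taint[dst] = Node("input", (idx,))
        elif op == "const":                    # dst = imm
            regs[dst] = src[0]
            taint[dst] = None
        elif op == "add":                      # dst = a + b (8-bit wrap)
            a, b = src
            regs[dst] = (regs[a] + regs[b]) & 0xFF
            ta, tb = taint[a], taint[b]
            if ta is None and tb is None:
                taint[dst] = None
            else:
                # Untainted operands enter the DAG as their concrete value.
                taint[dst] = Node("add", (ta if ta else regs[a],
                                          tb if tb else regs[b]))
        elif op == "load":                     # dst = table[addr_reg]
            addr_reg = src[0]
            regs[dst] = memory[TABLE_BASE + regs[addr_reg]]
            if online and taint[addr_reg] is not None:
                taint[dst] = Node("load", (taint[addr_reg],))
            else:
                taint[dst] = None  # offline: index already a concrete value
        else:
            raise ValueError(f"unknown instruction {op}")
    return regs, taint


# Constructed trace: an input byte indexes a table, and the loaded byte
# feeds later arithmetic (e.g. a length or a second index).
PROGRAM = [
    ("input", "r0", 0),           # r0 = first input byte
    ("load",  "r1", "r0"),        # r1 = table[r0]  (input-dependent address)
    ("const", "r2", 1),
    ("add",   "r3", "r1", "r2"),  # r3 = r1 + 1     (indirect taint only)
    ("add",   "r4", "r0", "r1"),  # r4 = r0 + r1    (direct + indirect taint)
]
MEMORY = {TABLE_BASE + i: (i * 7) & 0xFF for i in range(256)}  # constructed
INPUTS = [5]                                                   # constructed


def summarize(online: bool) -> Dict[str, Tuple[Optional[str], List[int]]]:
    """Per register: printable taint expression and input offsets it depends on."""
    _, taint = execute(PROGRAM, INPUTS, MEMORY, online=online)
    return {r: (str(n) if n else None, sorted(n.sources()) if n else [])
            for r, n in taint.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("online" if mode else "offline", summarize(mode))
```

In the online run, r3 and r4 both trace back to input offset 0 through the load node, so a checker or constraint solver sees that the input controls them. In the offline run, r3 is reported untainted and r4 reduces to `add(in[0], 35)`, with the table value frozen to the constant observed on this one execution; a bug reached only through r3, or through a different table entry, is invisible to the analysis.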
