SMT Solvers in Software Security

The computational capacity of modern hardware, together with algorithmic advances, has made SAT solving a tractable technique for deciding properties of industrial software. In this article we present three practical applications of SAT and SMT solving to software security: static vulnerability checking, exploit generation, and the study of copy protections. These areas are among the most active in terms of both theoretical research and practical tooling. Examining where approaches to these problems have succeeded and where they have failed provides guidance for future work on the problems themselves as well as on other SMT-based systems.
