STP/HAMPI and Computer Security

Abstract

In the past several years I have written two SMT solvers called STP and HAMPI that have found widespread use in computer security research by leading groups in academia, industry and the government. In this note I summarize the features of STP/HAMPI that make them particularly suited for computer security research, and briefly describe some of the more important projects that use them.

1 Introduction

SMT solvers [3,4] (Satisfiability-Modulo-Theories solvers) are computer programs that decide the satisfiability problem for rich logics such as the theory of bit-vectors and arrays [10], integers, and datatypes. SMT solvers have recently proven to be particularly useful in finding security vulnerabilities, debugging, and program analysis aimed at security. The reasons for the success of SMT solvers are threefold: 1) the input logic of SMT solvers is rich enough to capture a wide variety of program behavior easily and compactly, 2) SMT solvers have become very efficient at solving such formulas obtained from real-world applications, and 3) there are very effective techniques now available, such as symbolic execution [7,8,11], that convert computation into SMT formulas. My solvers, STP [10] and HAMPI [12], are specifically designed to support computer security applications that perform security analysis aimed at finding security vulnerabilities [14], detecting malware [15] and constructing exploits [2,6].
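To make concrete what "converting computation into SMT formulas" over the theory of bit-vectors looks like, the following is an added example (not code from the paper, nor from STP or HAMPI): it encodes the path condition of a small, constructed 8-bit C fragment as a QF_BV formula in the SMT-LIB2 syntax that bit-vector solvers such as STP accept, then decides the same condition by enumeration to show why two's-complement wraparound, rather than unbounded integer arithmetic, is what makes the overflow path reachable.

```python
"""Encoding a symbolic-execution path condition as a QF_BV formula, the
bit-vector theory STP decides. Added example, not from the paper or STP;
the 8-bit program modelled here is constructed for illustration:
    int8_t add(int8_t a, int8_t b) {
        if (a > 0 && b > 0) {
            int8_t s = a + b;     /* wraps in two's complement */
            if (s < a) bug();     /* reachable only via overflow */
        }
    }
"""
from itertools import product

WIDTH = 8

def to_signed(v):
    """Read a WIDTH-bit pattern as a two's-complement integer."""
    return v - (1 << WIDTH) if v >> (WIDTH - 1) else v

def bvadd(x, y):
    """Bit-vector addition: modular, exactly as the hardware computes it."""
    return (x + y) & ((1 << WIDTH) - 1)

def path_condition_smt2():
    """SMT-LIB2 text for the path a>0, b>0, a+b<a; a bit-vector solver
    such as STP answers 'sat' with a model, i.e. an overflowing input."""
    return "\n".join([
        "(set-logic QF_BV)",
        f"(declare-fun a () (_ BitVec {WIDTH}))",
        f"(declare-fun b () (_ BitVec {WIDTH}))",
        "(assert (bvsgt a #x00))",  # #x00 is an 8-bit zero literal
        "(assert (bvsgt b #x00))",
        "(assert (bvslt (bvadd a b) a))",  # only wraparound can satisfy this
        "(check-sat)",
        "(get-model)",
    ])

def solve_bruteforce():
    """Decide the same condition by enumerating all 8-bit (a, b); returns
    the first satisfying signed pair, or None if unsatisfiable."""
    for a, b in product(range(1 << WIDTH), repeat=2):
        sa, sb = to_signed(a), to_signed(b)
        if sa > 0 and sb > 0 and to_signed(bvadd(a, b)) < sa:
            return sa, sb
    return None

def unbounded_int_model_exists(bound=1 << WIDTH):
    """Same constraint over mathematical integers (no wraparound): never
    satisfiable, so an integer theory would declare the bug unreachable."""
    return any(a + b < a for a in range(1, bound) for b in range(1, bound))
```

Feeding the output of `path_condition_smt2()` to a bit-vector solver yields a model such as a = 1, b = 127, the same witness the brute-force search returns, whereas the integer-theory version has no model at all.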

[1] David Brumley et al. AEG: Automatic Exploit Generation. NDSS, 2011.

[2] Dawson R. Engler et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. OSDI, 2008.

[3] Michael D. Ernst et al. Automatic creation of SQL Injection and cross-site scripting attacks. 2009 IEEE 31st International Conference on Software Engineering, 2009.

[4] Zhenkai Liang et al. BitBlaze: A New Approach to Computer Security via Binary Analysis. ICISS, 2008.

[5] Santosh Kumar et al. Finding Bugs In Web Applications Using Dynamic Test Generation. 2013.

[6] David Brumley et al. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications. 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008.

[7] Steve Hanna et al. A Symbolic Execution Framework for JavaScript. 2010 IEEE Symposium on Security and Privacy, 2010.

[8] George Candea et al. The S2E Platform: Design, Implementation, and Applications. TOCS, 2012.

[9] Dawson R. Engler et al. EXE: automatically generating inputs of death. CCS '06, 2006.

[10] Michael D. Ernst et al. HAMPI: a solver for string constraints. ISSTA, 2009.

[11] David L. Dill et al. A Decision Procedure for Bit-Vectors and Arrays. CAV, 2007.

[12] David Brumley et al. BAP: A Binary Analysis Platform. CAV, 2011.

[13] Toby Walsh et al. Handbook of Satisfiability: Volume 185 Frontiers in Artificial Intelligence and Applications. 2009.

[14] Koushik Sen et al. DART: directed automated random testing. PLDI '05, 2005.