Automatically generating malicious disks using symbolic execution

Many current systems allow data produced by potentially malicious sources to be mounted as a file system. File system code must check this data for dangerous values or invariant violations before using it. Because file system code typically runs inside the operating system kernel, even a single unchecked value can crash the machine or lead to an exploit. Unfortunately, validating file system images is complex: they form DAGs with complex dependency relationships across massive amounts of data, bound together by intricate, undocumented assumptions. This paper shows how to automatically find bugs in such code using symbolic execution. Rather than running the code on manually constructed concrete input, we run it on symbolic input that is initially allowed to be "anything." As the code runs, it observes (tests) this input and thus constrains its possible values. We generate test cases by solving these constraints for concrete values. The approach works well in practice: we checked the disk mounting code of three widely used Linux file systems (ext2, ext3, and JFS) and found bugs in all of them where malicious data could either cause a kernel panic or form the basis of a buffer overflow attack.
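The following is an added example, written for this page and not code from the paper, that shows the mechanism the abstract describes on a toy scale: a mount routine reads fields from a disk image that start out symbolic, every `if` on a field adds a constraint to the path condition, a solver turns each path's constraints into a concrete image, and at dangerous operations (a shift, a division) the solver is asked whether the path still allows a bad operand; a satisfying assignment is a malicious disk. Everything about the on-disk format is assumed: a hypothetical 4-byte superblock with a `magic` (u16), `log_block_size` (u8) and `inodes_per_group` (u8) field, the 1K/2K/4K block-size rule borrowed from ext2 for flavour, and two hypothetical unchecked operations that stand in for the classes of bug the abstract mentions (the paper's actual findings are not reproduced here). The solver is a domain scan, which suffices because each constraint touches a single field; a real tool would hand the path condition to an SMT solver.

```python
"""Toy EXE-style symbolic executor for a file-system mount routine (added
example, not the paper's code). Disk = hypothetical 4-byte superblock:
magic (u16), log_block_size (u8), inodes_per_group (u8)."""
import struct
FIELDS = {"magic": 1 << 16, "log_block_size": 1 << 8, "inodes_per_group": 1 << 8}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b}
NEGATE = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}

def solve(constraints):
    """Concrete image satisfying every (field, op, const), or None if infeasible.
    Fields are independent, so each is solved by scanning its small domain."""
    image = {}
    for field, size in FIELDS.items():
        own = [(op, c) for f, op, c in constraints if f == field]
        for v in range(size):
            if all(OPS[op](v, c) for op, c in own):
                image[field] = v
                break
        else:
            return None
    return image

class Path:
    """One symbolic run of the mount code, replaying a chosen branch prefix."""
    def __init__(self, prefix):
        self.prefix = prefix  # branch outcomes to replay from an earlier run
        self.trace = []       # outcomes actually taken on this run
        self.pc = []          # path condition: constraints accumulated so far
        self.bugs = []        # (description, concrete image) per bug found

    def branch(self, field, op, const):
        """Mount code tests a symbolic field: pick a side, record the constraint."""
        i = len(self.trace)
        taken = self.prefix[i] if i < len(self.prefix) else True
        cond = (field, op if taken else NEGATE[op], const)
        if solve(self.pc + [cond]) is None:  # that side is infeasible here
            taken = not taken
            cond = (field, op if taken else NEGATE[op], const)
        self.trace.append(taken)
        self.pc.append(cond)
        return taken

    def dangerous(self, what, field, op, const):
        """At a dangerous operation: can the path condition still let the operand
        take a bad value? If so, the solution is a malicious disk image."""
        image = solve(self.pc + [(field, op, const)])
        if image is not None:
            self.bugs.append((what, image))

def mount_unchecked(p):
    """Toy mount that trusts on-disk fields: the bug pattern the paper targets."""
    if p.branch("magic", "!=", 0xEF53):
        return "EINVAL: bad magic"
    # block_size = 1024 << log_block_size: a shift of 22 or more overflows a u32
    p.dangerous("oversized shift in block size computation", "log_block_size", ">", 21)
    # group = ino / inodes_per_group: a zero divisor panics the kernel
    p.dangerous("division by zero in inode-to-group mapping", "inodes_per_group", "==", 0)
    return "mounted"

def mount_checked(p):
    """Same routine with the validation the unchecked version lacks."""
    if p.branch("magic", "!=", 0xEF53):
        return "EINVAL: bad magic"
    if p.branch("log_block_size", ">", 2):  # only 1K, 2K, 4K blocks (as in ext2)
        return "EINVAL: bad block size"
    if p.branch("inodes_per_group", "==", 0):
        return "EINVAL: zero inodes per group"
    p.dangerous("oversized shift in block size computation", "log_block_size", ">", 21)
    p.dangerous("division by zero in inode-to-group mapping", "inodes_per_group", "==", 0)
    return "mounted"

def explore(mount):
    """Generational search: run once, then fork a new path at each branch by
    negating it, until no unseen feasible path remains."""
    paths, bugs, seen, work = [], [], set(), [[]]
    while work:
        p = Path(work.pop())
        outcome = mount(p)
        key = tuple(p.trace)
        if key in seen:
            continue
        seen.add(key)
        paths.append((outcome, solve(p.pc)))  # one concrete test case per path
        bugs.extend(p.bugs)
        for i, (f, op, c) in enumerate(p.pc):
            if solve(p.pc[:i] + [(f, NEGATE[op], c)]) is not None:
                work.append(p.trace[:i] + [not p.trace[i]])
    return paths, bugs

def to_bytes(image):
    """Serialise a solved image as the on-disk superblock (little-endian)."""
    return struct.pack("<HBB", image["magic"], image["log_block_size"], image["inodes_per_group"])

if __name__ == "__main__":
    for name, fn in (("unchecked", mount_unchecked), ("checked", mount_checked)):
        paths, bugs = explore(fn)
        print(f"{name}: {len(paths)} paths, {len(bugs)} bugs")
        for what, image in bugs:
            print(f"  {what}: disk={to_bytes(image).hex()} {image}")
```

Running it, the unchecked routine yields two malicious images (both carry the correct magic, since the only branch before the dangerous operations forces it; one has `log_block_size` 22, the other `inodes_per_group` 0), while the checked routine covers four paths and reports no bugs because the added checks make both bad-operand queries unsatisfiable. Note what the example does not do: it never runs the mount code on a concrete bad value, the bug is found purely from the path condition, which is why a symbolic run through the unchecked code with "anything" as input produces the crashing image in one pass rather than after random trials.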
