Dynamically Discovering Likely Memory Layout to Perform Accurate Fuzzing

Malicious Input through Buffer Overflow (MiBO) vulnerabilities play important roles in cyber security. To identify MiBO vulnerabilities, white-box testing approaches analyze instructions in all possible execution paths. Black-box testing approaches try to trigger MiBO vulnerabilities using different inputs. However, only limited coverage can be achieved: the identified MiBO vulnerabilities, when being “hit” by a test input, must cause exceptions (e.g., crashes). Type information could help to catch the non-crash MiBO vulnerabilities, but such information is not contained in binary code. In this paper, we present a white-box fuzzing method to detect non-crash MiBO vulnerabilities. Without source code, we dynamically discover likely memory layouts to help the fuzzing process. This is very challenging since memory addresses and layouts keep changing with the running of software. In different executions with different inputs, the layouts may also change. To address these challenges, we selectively analyze memory operations to identify memory layouts. If a buffer border identified from the memory layout is exceeded, an error will be reported. The fuzzing results will be compared with the layout for future input generation, which greatly increases the opportunity to expose MiBO vulnerabilities. We implemented a prototype called ArtFuzz and performed several evaluations. ArtFuzz discovered 23 real MiBO vulnerabilities (including 8 zero-day MiBO vulnerabilities) in nine applications.

[1]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[2]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[3]  David L. Dill,et al.  A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[4]  Kai Chen,et al.  Automatically Generating Patch in Binary Programs Using Attribute-Based Taint Analysis , 2010, ICICS.

[5]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[6]  Herbert Bos,et al.  Howard: A Dynamic Excavator for Reverse Engineering Data Structures , 2011, NDSS.

[7]  Thomas W. Reps,et al.  DIVINE: DIscovering Variables IN Executables , 2007, VMCAI.

[8]  Gary McGraw,et al.  An automated approach for identifying potential vulnerabilities in software , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[9]  George Candea,et al.  Parallel symbolic execution for automated real-world software testing , 2011, EuroSys '11.

[10]  Martin C. Rinard,et al.  Taint-based directed whitebox fuzzing , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[11]  Junfeng Yang,et al.  Automatically generating malicious disks using symbolic execution , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[12]  Hovav Shacham,et al.  On the effectiveness of address-space randomization , 2004, CCS '04.

[13]  Alexander Aiken,et al.  Saturn: A SAT-Based Tool for Bug Detection , 2005, CAV.

[14]  Dawn Xiaodong Song,et al.  MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery , 2011, USENIX Security Symposium.

[15]  Patrice Godefroid,et al.  Automatic partial loop summarization in dynamic test generation , 2011, ISSTA '11.

[16]  Guang R. Gao,et al.  Identifying loops using DJ graphs , 1996, TOPL.

[17]  David Brumley,et al.  AEG: Automatic Exploit Generation , 2011, NDSS.

[18]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[19]  Leonardo Mariani,et al.  Automatic generation of software behavioral models , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[20]  Stephen McCamant,et al.  Loop-extended symbolic execution on binary programs , 2009, ISSTA.

[21]  Mattia Monga,et al.  A hybrid analysis framework for detecting web application vulnerabilities , 2009, 2009 ICSE Workshop on Software Engineering for Secure Systems.

[22]  Guofei Gu,et al.  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[23]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[24]  James Newsome,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and SignatureGeneration of Exploits on Commodity Software , 2005, NDSS.

[25]  Herbert Bos,et al.  Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations , 2013, USENIX Security Symposium.

[26]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[27]  Jun Xu,et al.  Non-Control-Data Attacks Are Realistic Threats , 2005, USENIX Security Symposium.

[28]  D. Wagner,et al.  Catchconv : Symbolic execution and run-time type inference for integer conversion errors , 2007 .

[29]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[30]  Xiangyu Zhang,et al.  Automatic Reverse Engineering of Data Structures from Binary Execution , 2010, NDSS.

[31]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[32]  Thomas W. Reps,et al.  WYSINWYX: What You See Is Not What You eXecute , 2005, VSTTE.

[33]  Stephen McCamant,et al.  Statically-directed dynamic automated test generation , 2011, ISSTA '11.

[34]  Jingling Xue,et al.  Detecting Memory Leaks Statically with Full-Sparse Value-Flow Analysis , 2014, IEEE Transactions on Software Engineering.

[35]  George Candea,et al.  Execution synthesis: a technique for automated software debugging , 2010, EuroSys '10.

[36]  Samuel T. King,et al.  Digging for Data Structures , 2008, OSDI.

[37]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[38]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[39]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[40]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.

[41]  Kai Chen,et al.  Black-box testing based on colorful taint analysis , 2011, Science China Information Sciences.

[42]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[43]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.