Dowsing for overflows: a guided fuzzer to find buffer boundary violations

Authors: Matthias Neugschwandtner, Asia Slowinska, Istvan Haller, Herbert Bos

DOI:

Keywords: Arithmetic underflow, Computer science, Buffer overflow, Program analysis, Operating system, Taint checking, Rendering (computer graphics), Byte, Fuzz testing, Programming language, Symbolic execution

Abstract: Dowser is a 'guided' fuzzer that combines taint tracking, program analysis and symbolic execution to find buffer overflow and underflow vulnerabilities buried deep in a program's logic. The key idea is that analysis of the program lets us pinpoint the right areas in the code to probe and the appropriate inputs to do so. Intuitively, for typical buffer overflows we need consider only the code that accesses an array in a loop, rather than all possible instructions in the program. After finding all such candidate sets of instructions, we rank them according to an estimation of how likely they are to contain interesting vulnerabilities. We then subject the most promising sets to further testing. Specifically, we first use taint analysis to determine which input bytes influence the array index, and then execute the program symbolically, making only this set of inputs symbolic. By constantly steering the symbolic execution along the branch outcomes most likely to lead to overflows, we were able to detect deep bugs in real programs (like the nginx webserver, the inspircd IRC server and the ffmpeg videoplayer). Two of the bugs we found were previously undocumented buffer overflows in ffmpeg and the poppler PDF rendering library.
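The pipeline the abstract describes, illustrated on a constructed C parser. This is an added example, not code from the paper or from the Dowser tool: a loop that indexes a fixed-size array with a bound taken from the input is the kind of candidate Dowser ranks; taint tracking would show that only byte 0 of the input reaches the index, so a search over that one byte (256 values, standing in for the symbolic solver) finds the smallest count that steps past the buffer; the hardened parser adds the destination-bound check the unsafe one lacks. The record format, the function names and the use of enumeration instead of a constraint solver are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 16

/* Hypothetical record format constructed for this example (not from the paper):
 *   byte 0     : count of payload bytes that follow
 *   bytes 1..  : payload
 */

/* Vulnerable parser: the kind of candidate Dowser would rank highly. A loop
 * indexes a fixed-size array and the loop bound comes from the input. Only
 * in[0] influences the index i, so that single byte is the one a guided
 * fuzzer needs to treat symbolically. The length check guards the source,
 * not the destination, so count > BUF_LEN writes past out[]. */
int parse_record_unsafe(const uint8_t *in, size_t in_len, uint8_t out[BUF_LEN])
{
    if (in_len < 1)
        return -1;
    size_t count = in[0];
    if (in_len < 1 + count)
        return -1;                      /* source bound only */
    for (size_t i = 0; i < count; i++)
        out[i] = in[1 + i];             /* out-of-bounds write when count > BUF_LEN */
    return (int)count;
}

/* Model of the unsafe loop's index computation with the write removed, so it
 * can be run on hostile inputs without undefined behaviour. Returns the highest
 * out[] index the loop would touch, or -1 if the loop would not run. This is
 * what the taint step exposes: the index depends on in[0] alone. */
long unsafe_loop_max_index(const uint8_t *in, size_t in_len)
{
    if (in_len < 1)
        return -1;
    size_t count = in[0];
    if (in_len < 1 + count)
        return -1;
    return count == 0 ? -1 : (long)count - 1;
}

/* Search only the tainted byte (256 values) rather than the whole input space
 * and return the smallest count whose loop reaches index BUF_LEN. A symbolic
 * executor would solve count > BUF_LEN directly; enumeration stands in for the
 * solver here. Returns -1 if no value overflows. */
int smallest_overflowing_count(void)
{
    uint8_t in[1 + 255];
    memset(in, 0x41, sizeof in);
    for (int c = 0; c < 256; c++) {
        in[0] = (uint8_t)c;
        if (unsafe_loop_max_index(in, sizeof in) >= BUF_LEN)
            return c;
    }
    return -1;
}

/* Hardened parser: bound the index by the destination before the loop. */
int parse_record_safe(const uint8_t *in, size_t in_len, uint8_t out[BUF_LEN])
{
    if (in_len < 1)
        return -1;
    size_t count = in[0];
    if (count > BUF_LEN)
        return -2;                      /* destination bound: the missing check */
    if (in_len < 1 + count)
        return -1;
    memcpy(out, in + 1, count);
    return (int)count;
}

/* Constructed inputs; each check returns 1 when both parsers behave as expected. */
int check_benign(void)
{
    uint8_t out[BUF_LEN];
    uint8_t in[1 + 8] = { 8, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    return parse_record_safe(in, sizeof in, out) == 8
        && memcmp(out, "abcdefgh", 8) == 0
        && parse_record_unsafe(in, sizeof in, out) == 8;
}

int check_hostile(void)
{
    uint8_t out[BUF_LEN];
    uint8_t in[1 + 32];
    memset(in, 'A', sizeof in);
    in[0] = 32;                          /* claims 32 payload bytes for a 16-byte buffer */
    return parse_record_safe(in, sizeof in, out) == -2
        && unsafe_loop_max_index(in, sizeof in) == 31;   /* unsafe loop would reach out[31] */
}

int main(void)
{
    printf("benign input handled: %s\n", check_benign() ? "yes" : "no");
    printf("hostile input rejected by safe parser: %s\n", check_hostile() ? "yes" : "no");
    printf("smallest count that overflows out[%d]: %d\n", BUF_LEN, smallest_overflowing_count());
    return 0;
}
```

The point of `smallest_overflowing_count` is the size of the search: because taint tracking tells us the index depends on one input byte, the search space is 256 candidates rather than every combination of payload bytes, which is why making only the tainted bytes symbolic keeps the symbolic execution tractable.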
