Dowsing for overflows: A guided fuzzer to find buffer boundary violations

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 49-63

  Haller, Istvan ^a   Slowinska, Asia ^a   Neugschwandtner, Matthias ^b   Bos, Herbert ^a  

^a VU UNIVERSITY AMSTERDAM   (Netherlands)

^b VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

[No Author keywords available]

Indexed keywords

BUFFER STORAGE; MODEL CHECKING;

BUFFER OVERFLOWS; CANDIDATE SETS; MOST LIKELY; PROGRAM ANALYSIS; PROGRAM CODE; SYMBOLIC EXECUTION; UNDERFLOWS; WEB SERVERS;

PROGRAM DEBUGGING;

EID: 84954469022     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (45)

1. CVE-2009-2629: Buffer underflow vulnerability in nginx. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2629, 2009.
2. ACZEL, A. D., and SOUNDERPANDIAN, J. Complete Business Statistics, sixth ed. McGraw-Hill, 2006.
3. AKRITIDIS, P., CADAR, C., RAICIU, C., COSTA, M., and CASTRO, M. Preventing memory error exploits with WIT. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (2008), S & P'08.
4. BABIĆ, D., MARTIGNONI, L., MCCAMANT, S., and SONG, D. Statically-directed dynamic automated test generation. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (2011), ISSTA'11.
5. BANKS, G., COVA, M., FELMETSGER, V., ALMEROTH, K., KEMMERER, R., and VIGNA, G. SNOOZE: toward a stateful network protocol fuzZEr. In Proceedings of the 9th international conference on Information Security (2006), ISC'06.
6. BAO, T., ZHENG, Y., LIN, Z., ZHANG, X., and XU, D. Strict control dependence and its effect on dynamic information flow analyses. In Proceedings of the 19th International Symposium on Software testing and analysis (2010), ISSTA'10.
7. CADAR, C., DUNBAR, D., and ENGLER, D. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation (2008), OSDI'08.
8. CADAR, C., GANESH, V., PAWLOWSKI, P. M., and DILL., D. L., and ENGLER, D. R. EXE: Automatically generating inputs of death. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security (2006).
9. CAVALLARO, L., SAXENA, P., and SEKAR, R. On the Limits of Information Flow Techniques for Malware Analysis and Containment. In Proceedings of the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment (2008), DIMVA'08.
10. CHIPOUNOV, V., KUZNETSOV, V., and CANDEA, G. S2E: A platform for in vivo multi-path analysis of software systems. In Proceedings of the 16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems (2011), AS-PLOS'11.
11. COWAN, C., PU, C., MAIER, D., HINTONY, H., WALPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAGLE, P., and ZHANG, Q. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the 7th USENIX Security Symposium (1998), SSYM'98.
12. CWE/SANS. CWE/SANS TOP 25 Most Dangerous Software Errors. www.sans.org/top25-software-errors, 2011.
13. DEMOTT, J. The evolving art of fuzzng. DEFCON 14, http://www.appliedsec.com/files/The_Evolving_Art_of_Fuzzing 2005.
14. FERRANTE, J., and OTTENSTEIN., K. J., and WARREN, J. D. The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9 (1997), 319-349.
15. GANESH, V., LEEK, T., and RINARD, M. Taint-based directed whitebox fuzzing. In Proceedings of the 31st International Conference on Software Engineering (2009), ICSE'09.
16. GEGICK, M., WILLIAMS, L., OSBORNE, J., and VOUK, M. Prioritizing software security fortification through code-level metrics. In Proc. of the 4th ACM workshop on Quality of protection (Oct. 2008), QoP'08, ACM Press.
17. GODEFROID, P., KLARLUND, N., and SEN, K. DART: directed automated random testing. In Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation (2005), PLDI'05.
18. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. A. Automated Whitebox Fuzz Testing. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008), NDSS'08.
19. GODEFROID, P., and LUCHAUP, D. Automatic partial loop summarization in dynamic test generation. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (2011), ISSTA'11.
20. KAKSONEN, R. A functional method for assessing protocol implementation security. Tech. Rep. 448, VTT, 2001.
21. KANG, M. G., MCCAMANT, S., POOSANKAM, P., and SONG, D. DTA++: Dynamic taint analysis with targeted control-flow propagation. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (2011), NDSS'11.
22. KHURSHID, S., PǍSǍREANU, C. S., AND VISSER, W. Generalized symbolic execution for model checking and testing. In Proceedings of the 9th international conference on Tools and algorithms for the construction and analysis of systems (2003), TACAS'03.
23. LATTNER, C., and ADVE, V. LLVM: A compilation framework for lifelong program analysis & transformation. In Proceedings of the international symposium on Code generation and optimization (2004), CGO'04.
24. MARINESCU, P. D., and CADAR, C. make test-zesti: a symbolic execution solution for improving regression testing. In Proc. of the 2012 International Conference on Software Engineering (June 2012), ICSE'12, pp. 716-726.
25. MILLER, B. P., FREDRIKSEN, L., and SO, B. An empirical study of the reliability of UNIX utilities. Commun. ACM 33 (Dec 1990), 32-44.
26. MITRE. Common Vulnerabilities and Exposures (CVE). http://cve.mitre.org/, 2011.
27. MOLNAR, D., and LI., X. C., and WAGNER, D. A. Dynamic test generation to find integer bugs in x86 binary linux programs. In Proceedings of the 18th conference on USENIX security symposium (2009), SSYM'09.
28. MOSER, A., KRUEGEL, C., and KIRDA, E. Exploring multiple execution paths for malware analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (2007), SP'07, IEEE Computer Society.
29. NAGAPPAN, N., BALL, T., and ZELLER, A. Mining metrics to predict component failures. In Proceedings of the 28th international conference on Software engineering (2006), ICSE'06.
30. NETHERCOTE, N., and SEWARD, J. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. In Proceedings of the Third International ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (2007), VEE'07.
31. NEWSOME, J., and SONG, D. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Proceedings of the Network and Distributed Systems Security Symposium (2005), NDSS'05.
32. NGUYEN, V. H., and TRAN, L. M. S. Predicting vulnerable software components with dependency graphs. In Proc. of the 6th International Workshop on Security Measurements and Metrics (Sept. 2010), MetriSec'10, ACM Press.
33. SEN, K., MARINOV, D., and AGHA, G. CUTE: a concolic unit testing engine for C. In Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIG-SOFT international symposium on Foundations of software engineering (2005), ESEC/FSE-13.
34. SEREBRYANY, K., BRUENING, D., POTAPENKO, A., and VYUKOV, D. AddressSanitizer: A fast address sanity checker. In Proceedings of USENIX Annual Technical Conference (2012).
35. SHIN, Y., and WILLIAMS, L. An initial study on the use of execution complexity metrics as indicators of software vulnerabilities. In Proceedings of the 7th International Workshop on Software Engineering for Secure Systems (2011), SESS'11.
36. SLOWINSKA, A., and BOS, H. Pointless tainting?: evaluating the practicality of pointer tainting. In EuroSys '09: Proceedings of the 4th ACM European conference on Computer systems (2009).
37. SLOWINSKA, A., STANCESCU, T., and BOS, H. Body Armor for Binaries: preventing buffer overflows without recompilation. In Proceedings of USENIX Annual Technical Conference (2012).
38. SOTIROV, A. Modern exploitation and memory protection bypasses. USENIX Security invited talk, http://www.usenix.org/events/sec09/tech/slides/sotirov.pdf, 2009.
39. SPIKE. http://www.immunitysec.com/resources-freesoftware.shtml.
40. SUTTON, M., GREENE, A., and AMINI, P. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional, 2007.
41. VAN DER VEEN, V., DUTT-SHARMA, N., CAVALLARO, L., AND BOS, H. Memory Errors: The Past, the Present, and the Future. In Proceedings of The 15th International Symposium on Research in Attacks, Intrusions and Defenses (2012), RAID'12.
42. WANG, T., WEI, T., GU, G., and ZOU, W. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In Proceedings of the 31st IEEE Symposium on Security and Privacy (2010), SP'10.
43. WILLIAMS, N., MARRE, B., and MOUY, P. On-the-Fly Generation of K-Path Tests for C Functions. In Proceedings of the 19th IEEE international conference on Automated software engineering (2004), ASE'04.
44. ZIMMERMANN, T., NAGAPPAN, N., and WILLIAMS, L. Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista. In Proc. of the 3rd International Conference on Software Testing, Verification and Validation (Apr. 2010), ICST'10.
45. ZITSER, M., LIPPMANN, R., and LEEK, T. Testing static analysis tools using exploitable buffer overflows from open source code. In Proc. of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering (Nov. 2004), SIGSOFT '04/FSE-12.