
EWFT: Execution-based Whitebox Fuzzing for Executables

  • WANG Ying ,
  • GU Li-ze ,
  • YANG Yi-xian ,
  • DONG Yu-xin
  • 1. Information Security Center, School of Computer, Beijing University of Posts and Telecommunications, Beijing 100876, China;
    2. Harbin Engineering University, Harbin 150001, China

Received date: 2013-06-30

Revised date: 2013-12-17

Online published: 2014-10-25

Supported by

National Natural Science Foundation of China (No.61003285, No.61121061); Fundamental Research Funds for the Central Universities (No.2012RC0218, No.2012RC0219, No.2013RC0311)

Abstract

Dynamic testing for automatically identifying security vulnerabilities in binary executables has received increasing interest in recent years. In this paper, we present a new automated whitebox fuzzing tool, EWFT (Execution-based Whitebox Fuzzing Tool), which applies dynamic symbolic execution and taint tracing during program execution. Our contributions are: 1) a ROBDD (Reduced Ordered Binary Decision Diagram)-based approach to analysing the execution process; 2) a new path weight analysis algorithm (PWA) for searching the path space and automating test data generation; and 3) a prototype tool that automatically finds software vulnerabilities. Our experimental results show that execution-based whitebox fuzzing is effective at identifying a variety of security vulnerabilities in real applications. Compared with related work in this area, it explored deeper program paths on average and achieved higher structural coverage.
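To make the mechanism behind execution-based whitebox fuzzing concrete, the following is an added illustration and not EWFT's own code or the paper's algorithms. It shows the core loop shared by tools of this kind: run the program on a concrete input, record every input-dependent branch as a path constraint, negate one constraint at a time, solve for a new input, and prioritise which generated input to run next. Everything here is a simplification for the sake of a runnable example: the paper's ROBDD path representation is replaced by a plain list of constraints, its PWA heuristic by a stand-in weight that prefers deeper flips, and the constraint "solver" handles only byte equality and inequality. The program under test (`target`) and the seed input are constructed for the example.

```python
"""Toy execution-based whitebox fuzzer (added illustration, not EWFT's code).

Assumptions (not from the paper): constraints are byte-equality tests,
the path-weight heuristic is simply the depth of the flipped branch,
and the program under test is the constructed function `target` below.
"""
import heapq
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Constraint = Tuple[int, int, bool]  # (input byte index, compared value, branch taken?)


@dataclass
class Trace:
    branches: List[Constraint] = field(default_factory=list)
    crashed: bool = False


class SymInput:
    """Wraps a concrete input and logs every comparison as a path constraint."""

    def __init__(self, data: bytes, trace: Trace) -> None:
        self.data, self.trace = data, trace

    def eq(self, i: int, value: int) -> bool:
        actual = self.data[i] if i < len(self.data) else 0  # short input reads as 0
        taken = actual == value
        self.trace.branches.append((i, value, taken))
        return taken


def target(inp: SymInput) -> None:
    """Constructed program under test: 4-byte magic, then an unchecked mode byte.
    The bug sits behind five input-dependent branches, out of reach of random mutation."""
    if not inp.eq(0, ord("E")): return
    if not inp.eq(1, ord("W")): return
    if not inp.eq(2, ord("F")): return
    if not inp.eq(3, ord("T")): return
    if inp.eq(4, 0xFF):
        raise RuntimeError("crash: mode 0xFF not handled")


def run(prog: Callable[[SymInput], None], data: bytes) -> Trace:
    """One concrete execution; the trace is the path constraint of that run."""
    trace = Trace()
    try:
        prog(SymInput(data, trace))
    except RuntimeError:
        trace.crashed = True
    return trace


def solve(constraints: List[Constraint], base: bytes) -> Optional[bytes]:
    """Build an input satisfying the constraints, keeping `base` bytes where unconstrained.
    Returns None when the constraint set is contradictory (an infeasible path)."""
    eq: Dict[int, int] = {}
    neq: Dict[int, Set[int]] = {}
    for i, v, taken in constraints:
        if taken:
            if i in eq and eq[i] != v:
                return None
            eq[i] = v
        else:
            neq.setdefault(i, set()).add(v)
    size = max(len(base), max(i for i, _, _ in constraints) + 1)
    out = bytearray(base.ljust(size, b"\x00"))
    for i, v in eq.items():
        if v in neq.get(i, set()):
            return None
        out[i] = v
    for i, bad in neq.items():
        if i in eq or out[i] not in bad:
            continue
        for cand in range(256):  # smallest byte that avoids every forbidden value
            if cand not in bad:
                out[i] = cand
                break
        else:
            return None
    return bytes(out)


def whitebox_fuzz(prog: Callable[[SymInput], None], seed: bytes,
                  max_runs: int = 200) -> Tuple[Optional[bytes], int]:
    """Generational search: flip each branch of every new path, queue the solved
    inputs, and always run the deepest flip first (stand-in for the paper's PWA).
    Returns (crashing input or None, number of executions used)."""
    seen_paths: Set[Tuple[Constraint, ...]] = set()
    seen_inputs: Set[bytes] = {seed}
    counter = 0
    heap: List[Tuple[int, int, bytes]] = [(0, counter, seed)]
    runs = 0
    while heap and runs < max_runs:
        _, _, data = heapq.heappop(heap)
        trace = run(prog, data)
        runs += 1
        if trace.crashed:
            return data, runs
        path = tuple(trace.branches)
        if path in seen_paths:
            continue  # children of this path were already generated
        seen_paths.add(path)
        for k, (i, v, taken) in enumerate(trace.branches):
            child = trace.branches[:k] + [(i, v, not taken)]
            new = solve(child, data)
            if new is None or new in seen_inputs:
                continue
            seen_inputs.add(new)
            counter += 1
            heapq.heappush(heap, (-(k + 1), counter, new))  # deeper flip = higher weight
    return None, runs


if __name__ == "__main__":
    found, n = whitebox_fuzz(target, b"AAAAA")
    print(f"crashing input {found!r} after {n} executions")
```

Starting from the seed `b"AAAAA"`, the search reaches the crash in six executions, one per branch plus the crashing run, because each flip of the deepest branch is solved exactly and scheduled first. A blackbox mutator would need on the order of 256^5 random attempts to land on the same byte sequence, which is the point the abstract makes about depth and coverage.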

Cite this article

WANG Ying, GU Li-ze, YANG Yi-xian, DONG Yu-xin. EWFT: Execution-based Whitebox Fuzzing for Executables[J]. Acta Electronica Sinica, 2014, 42(10): 2016-2023. DOI: 10.3969/j.issn.0372-2112.2014.10.023

