Loop-extended symbolic execution on binary programs

Authors:
Prateek Saxena;Pongsin Poosankam;Stephen McCamant;Dawn Song
Affiliations:
University of California, Berkeley, Berkeley, CA, USA;Carnegie Mellon University, Pittsburgh, PA, USA;University of California, Berkeley, CA, USA;University of California, Berkeley, CA, USA
Venue:
Proceedings of the eighteenth international symposium on Software testing and analysis
Year:
2009

Citing 31
Cited 23

Automatic discovery of linear restraints among variables of a program

POPL '78 Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Discovering affine equalities using random interpretation

POPL '03 Proceedings of the 30th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Inside the Slammer Worm

IEEE Security and Privacy
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Buffer overrun detection using linear programming and static analysis

Proceedings of the 10th ACM conference on Computer and communications security
Testing static analysis tools using exploitable buffer overflows from open source code

Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C

Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
The octagon abstract domain

Higher-Order and Symbolic Computation
Compilers: Principles, Techniques, and Tools (2nd Edition)

Compilers: Principles, Techniques, and Tools (2nd Edition)
EXE: automatically generating inputs of death

Proceedings of the 13th ACM conference on Computer and communications security
Minos: Architectural support for protecting control data

ACM Transactions on Architecture and Code Optimization (TACO)
Compositional dynamic test generation

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Creating Vulnerability Signatures Using Weakest Preconditions

CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Analysis of modular arithmetic

ACM Transactions on Programming Languages and Systems (TOPLAS) - Special Issue ESOP'05
Bouncer: securing software by blocking bad input

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Polyglot: automatic extraction of protocol message format using dynamic binary analysis

Proceedings of the 14th ACM conference on Computer and communications security
Directed test generation using symbolic grammars

Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
Efficient fine-grained binary instrumentationwith applications to taint-tracking

Proceedings of the 6th annual IEEE/ACM international symposium on Code generation and optimization
Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Pentagons: a weakly relational abstract domain for the efficient validation of array accesses

Proceedings of the 2008 ACM symposium on Applied computing
Grammar-based whitebox fuzzing

Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Testing for buffer overflows with length abstraction

ISSTA '08 Proceedings of the 2008 international symposium on Software testing and analysis
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
DIVINE: discovering variables in executables

VMCAI'07 Proceedings of the 8th international conference on Verification, model checking, and abstract interpretation
A decision procedure for bit-vectors and arrays

CAV'07 Proceedings of the 19th international conference on Computer aided verification
Execution generated test cases: how to make systems code crash itself

SPIN'05 Proceedings of the 12th international conference on Model Checking Software

Measuring channel capacity to distinguish undue influence

Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering

Proceedings of the 16th ACM conference on Computer and communications security
Towards Generating High Coverage Vulnerability-Based Signatures with Protocol-Level Constraint-Guided Exploration

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Automatic detection of unsafe component loadings

Proceedings of the 19th international symposium on Software testing and analysis
Future of developer testing: building quality in code

Proceedings of the FSE/SDP workshop on Future of software engineering research
Statically-directed dynamic automated test generation

Proceedings of the 2011 International Symposium on Software Testing and Analysis
Automatic partial loop summarization in dynamic test generation

Proceedings of the 2011 International Symposium on Software Testing and Analysis
PSO based pseudo dynamic method for automated test case generation using interpreter

ICSI'11 Proceedings of the Second international conference on Advances in swarm intelligence - Volume Part I
Linear obfuscation to combat symbolic execution

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Efficient loop navigation for symbolic execution

ATVA'11 Proceedings of the 9th international conference on Automated technology for verification and analysis
SimFuzz: Test case similarity directed deep fuzzing

Journal of Systems and Software
Loop invariant symbolic execution for parallel programs

VMCAI'12 Proceedings of the 13th international conference on Verification, Model Checking, and Abstract Interpretation
Abstracting path conditions

Proceedings of the 2012 International Symposium on Software Testing and Analysis
PeerPress: utilizing enemies' P2P strength against them

Proceedings of the 2012 ACM conference on Computer and communications security
Automated concolic testing of smartphone apps

Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
Automatic protocol reverse-engineering: Message format extraction and field semantics inference

Computer Networks: The International Journal of Computer and Telecommunications Networking
Segmented symbolic analysis

Proceedings of the 2013 International Conference on Software Engineering
State of the art: Dynamic symbolic execution for automated test generation

Future Generation Computer Systems
An orchestrated survey of methodologies for automated software test case generation

Journal of Systems and Software
MetaSymploit: day-one defense against script-based attacks with security-enhanced symbolic analysis

SEC'13 Proceedings of the 22nd USENIX conference on Security
FIE on firmware: finding vulnerabilities in embedded systems using symbolic execution

SEC'13 Proceedings of the 22nd USENIX conference on Security
Automatic exploit generation

Communications of the ACM
A distributed framework for demand-driven software vulnerability detection

Journal of Systems and Software

Quantified Score

Hi-index	0.02

Visualization

Abstract

Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including security-relevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data dependencies. We introduce loop-extended symbolic execution, a generalization that broadens the coverage of symbolic results in programs with loops. It introduces symbolic variables for the number of times each loop executes, and links these with features of a known input grammar such as variable-length or repeating fields. This allows the symbolic constraints to cover a class of paths that includes different numbers of loop iterations, expressing loop-dependent program values in terms of properties of the input. By performing more reasoning symbolically, instead of by undirected exploration, applications of loop-extended symbolic execution can achieve better results and/or require fewer program executions. To demonstrate our technique, we apply it to the problem of discovering and diagnosing buffer-overflow vulnerabilities in software given only in binary form. Our tool finds vulnerabilities in both a standard benchmark suite and 3 real-world applications, after generating only a handful of candidate inputs, and also diagnoses general vulnerability conditions.