Whitebox fuzzing is a novel form of security testing based on dynamic symbolic execution and constraint solving. Over the last couple of years, whitebox fuzzers have found many new security vulnerabilities (buffer overflows) in Windows and Linux applications, including codecs, image viewers and media players. Those types of applications tend to use floating-point instructions available on modern processors, yet existing whitebox fuzzers and SMT constraint solvers do not handle floating-point arithmetic. Are there new security vulnerabilities lurking in floating-point code? A naive solution would be to extend symbolic execution to floating-point (FP) instructions (months of work), extend SMT solvers to reason about FP constraints (months of work or more), and then face more complex constraints and an even worse path explosion problem. Instead, we propose an alternative approach, based on the rough intuition that FP code should only perform memory-safe data processing of the "payload" of an image or video file, while the non-FP part of the application should deal with buffer allocations and memory address computations, with only the latter being prone to buffer overflows and other security-critical bugs. Our approach combines (1) a lightweight local path-insensitive "may" static analysis of FP instructions with (2) a high-precision whole-program path-sensitive "must" dynamic analysis of non-FP instructions. The aim of this combination is to prove memory safety of the FP part of each execution and a form of non-interference between the FP part and the non-FP part with respect to memory address computations. We have implemented our approach using two existing tools for, respectively, static and dynamic x86 binary analysis. We present preliminary results of experiments with standard JPEG, GIF and ANI Windows parsers. For a given test suite of diverse input files, our mixed static/dynamic analysis is able to prove memory safety of FP code in those parsers for a small upfront static analysis cost and a marginal runtime expense compared to regular dynamic symbolic execution.
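A toy model of the two properties the abstract describes, added here as an illustration and not the authors' implementation: over one dynamic trace, a taint pass flags any FP-derived value that reaches a memory address computation (the non-interference property), and every FP load/store is checked against the buffers recorded by the non-FP part (memory safety of the FP part). The instruction model, the FP opcode set, the trace and the buffer bounds are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed toy ISA: the ops a local "may" pass would classify as floating-point.
FP_OPS = {"movss", "addss", "mulss", "cvttss2si"}

@dataclass
class Insn:
    op: str
    dst: str = ""                    # register written ("" if none)
    srcs: Tuple[str, ...] = ()       # registers read
    addr_regs: Tuple[str, ...] = ()  # registers used to form a memory address
    addr: Optional[int] = None       # concrete address touched, if any

def check_fp_safety(trace: List[Insn], buffers: List[Tuple[int, int]]):
    """Toy stand-in for the combined analysis over one dynamic trace.
    buffers: (base, size) allocations observed in the non-FP part.
    Returns (oob, leaks): indices of FP loads/stores outside every buffer,
    and indices of instructions whose address depends on an FP-derived value."""
    tainted, oob, leaks = set(), [], []
    for i, insn in enumerate(trace):
        is_fp = insn.op in FP_OPS
        # Non-interference: an FP-tainted register must never feed an address.
        if any(r in tainted for r in insn.addr_regs):
            leaks.append(i)
        # Memory safety of the FP part: each FP load/store must hit a known buffer.
        if is_fp and insn.addr is not None:
            if not any(base <= insn.addr < base + size for base, size in buffers):
                oob.append(i)
        # Propagate taint: FP results, and anything computed from them.
        if insn.dst:
            if is_fp or any(r in tainted for r in insn.srcs):
                tainted.add(insn.dst)
            else:
                tainted.discard(insn.dst)
    return oob, leaks

# Constructed trace: a pixel is loaded, scaled in FP, truncated to an integer,
# and that integer then indexes a table; the final store also runs past its buffer.
TRACE = [
    Insn("mov", "eax"),                                  # eax = payload pointer
    Insn("movss", "xmm0", ("eax",), ("eax",), 0x1000),   # xmm0 = *eax (in bounds)
    Insn("mulss", "xmm0", ("xmm0", "xmm1")),             # xmm0 *= xmm1 (scale factor)
    Insn("cvttss2si", "ecx", ("xmm0",)),                 # ecx = (int) xmm0
    Insn("mov", "edx", ("ecx",), ("ecx",), 0x2000),      # edx = table[ecx]: FP value feeds address
    Insn("movss", "", ("xmm0",), ("eax",), 0x1040),      # *(eax+0x40) = xmm0: past the payload buffer
]
BUFFERS = [(0x1000, 0x40), (0x2000, 0x100)]  # payload buffer, lookup table
```

Running `check_fp_safety(TRACE, BUFFERS)` reports the table lookup at index 4 as a non-interference violation and the store at index 5 as an out-of-bounds FP access; the first four instructions alone pass both checks.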