An empirical study of the reliability of UNIX utilities
Communications of the ACM
Violating Assumptions with Fuzzing
IEEE Security and Privacy
Pin: building customized program analysis tools with dynamic instrumentation
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Cryptography and Network Security (4th Edition)
Cryptography and Network Security (4th Edition)
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Replayer: automatic protocol replay by binary analysis
Proceedings of the 13th ACM conference on Computer and communications security
Static Detection of Vulnerabilities in x86 Executables
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Valgrind: a framework for heavyweight dynamic binary instrumentation
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Exploring Multiple Execution Paths for Malware Analysis
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Creating Vulnerability Signatures Using Weakest Preconditions
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Dytan: a generic dynamic taint analysis framework
Proceedings of the 2007 international symposium on Software testing and analysis
Directed test generation using symbolic grammars
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Structuring 2-way Branches in Binary Executables
COMPSAC '07 Proceedings of the 31st Annual International Computer Software and Applications Conference - Volume 01
Polyglot: automatic extraction of protocol message format using dynamic binary analysis
Proceedings of the 14th ACM conference on Computer and communications security
Flayer: exposing application internals
WOOT '07 Proceedings of the first USENIX workshop on Offensive Technologies
Fuzzing: Brute Force Vulnerability Discovery
Fuzzing: Brute Force Vulnerability Discovery
Discoverer: automatic protocol reverse engineering from network traces
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Grammar-based whitebox fuzzing
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
EXE: Automatically Generating Inputs of Death
ACM Transactions on Information and System Security (TISSEC)
Tupni: automatic reverse engineering of input formats
Proceedings of the 15th ACM conference on Computer and communications security
Taint-based directed whitebox fuzzing
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Precise pointer reasoning for dynamic test generation
Proceedings of the eighteenth international symposium on Software testing and analysis
Penumbra: automatically identifying failure-relevant inputs using dynamic tainting
Proceedings of the eighteenth international symposium on Software testing and analysis
Prospex: Protocol Specification Extraction
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering
Proceedings of the 16th ACM conference on Computer and communications security
Emulating emulation-resistant malware
Proceedings of the 1st ACM workshop on Virtual machine security
WYSINWYX: What you see is not what you eXecute
ACM Transactions on Programming Languages and Systems (TOPLAS)
A forced sampled execution approach to kernel rootkit identification
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
ReFormat: automatic reverse engineering of encrypted messages
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Dynamic test generation to find integer bugs in x86 binary linux programs
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Input generation via decomposition and re-stitching: finding bugs in Malware
Proceedings of the 17th ACM conference on Computer and communications security
Differential Slicing: Identifying Causal Execution Differences for Security Applications
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
SNOOZE: toward a stateful network protocol fuzZEr
ISC'06 Proceedings of the 9th international conference on Information Security
Comparative language fuzz testing: programming languages vs. fat fingers
Proceedings of the ACM 4th annual workshop on Evaluation and usability of programming languages and tools
Hi-index | 0.00 |
Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. Based on fine-grained dynamic taint tracing, TaintScope identifies the “hot bytes” in a well-formed input that are used in security-sensitive operations (e.g., invoking system/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Vendor patches have been released or are in preparation based on our reports.