Dynamic test generation consists of executing a program while gathering symbolic constraints on its inputs from the predicates encountered at branch statements, and then using a constraint solver to infer new inputs from those constraints so that subsequent executions are steered toward new program paths. Variants of this technique have recently been adopted for finding security vulnerabilities in binary-level software. However, the existing approaches and tools are not retargetable: they can only find vulnerabilities in binaries for one specific ISA, and only under one specific OS, because they record the execution trace in an entirely OS-dependent way. This paper presents a new dynamic test generation technique and a tool that implements it, ReTBLDTG (ReTargetable Binary-Level Dynamic Test Generation). Unlike other such tools, ReTBLDTG can handle binaries for any ISA running on any OS. It is built on a whole-system virtual machine, which provides OS-independent and fast concrete execution of the target program. The thread to which each executing instruction belongs is identified OS-independently by analyzing register values and hardware events in the virtual machine, so the execution trace is recorded without any knowledge of the guest OS's internal structures. At the same time, ReTBLDTG defines a Meta Instruction Set Architecture (MetaISA) and maps the execution information collected while the binary runs onto MetaISA; symbolic execution, constraint collection and constraint solving all operate on MetaISA, which makes these tasks ISA-independent. We have implemented ReTBLDTG, retargeted it to the 32-bit x86, PowerPC and SPARC ISAs, and used it to automatically find the six known bugs in six benchmarks under Linux and Windows.
Our results indicate that ReTBLDTG can be easily retargeted to a new ISA with only small overhead, and that it can effectively find bugs located deep within large applications under any OS.
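The loop the abstract describes (concrete execution that records a symbolic path constraint, negation of one branch predicate, solving for fresh inputs, and doing all of it on an ISA-neutral MetaISA) is small enough to show in working Python. The following is an added example, not ReTBLDTG's code: the MetaISA opcodes, the two toy front-ends, their mnemonics and the sample program are invented here, a brute-force enumeration over two input bytes stands in for the constraint solver, and the VM-based, OS-independent trace recording is not modelled.

```python
# Added example, not ReTBLDTG's code.  Two invented toy front-ends (x86-like, PowerPC-like)
# lift into one invented MetaISA; symbolic execution, constraint collection and solving
# run on MetaISA only.  Brute-force enumeration stands in for the constraint solver.
from itertools import product

# MetaISA (invented). Operands are register names (str) or 8-bit immediates (int).
#   ('ld', r, i)      r := input byte i        ('cmp', a, b)  remember (a, b)
#   ('add', r, a, b)  r := a + b mod 256       ('beq', t)     if a == b: pc := t
#   ('sub', r, a, b)  r := a - b mod 256       ('blt', t)     if a <  b: pc := t
#   ('jmp', t)        ('halt',)                ('bug',)       the sink we want to reach

def lift_x86(asm):
    """Toy x86-style front-end: two-operand ops; 'inN' names input byte N."""
    out = []
    for ins in asm:
        if ins[0] == 'mov':                        # only input loads in this toy
            out.append(('ld', ins[1], int(ins[2][2:])))
        elif ins[0] in ('add', 'sub'):             # dst := dst OP src
            out.append((ins[0], ins[1], ins[1], ins[2]))
        else:                                      # cmp/jmp/halt/bug pass through
            out.append(({'je': 'beq', 'jb': 'blt'}.get(ins[0], ins[0]),) + ins[1:])
    return out

def lift_ppc(asm):
    """Toy PowerPC-style front-end: three-operand ops; subf rD, rA, rB is rB - rA."""
    out = []
    for ins in asm:
        if ins[0] == 'lbz':
            out.append(('ld', ins[1], int(ins[2][2:])))
        elif ins[0] == 'subf':                     # reorder operands to MetaISA's a - b
            out.append(('sub', ins[1], ins[3], ins[2]))
        else:                                      # addi/cmplwi/beq/blt/halt/bug
            out.append(({'addi': 'add', 'cmplwi': 'cmp'}.get(ins[0], ins[0]),) + ins[1:])
    return out

def ev(e, inp):
    """Evaluate a symbolic expression (nested tuples over ('in', i)) on concrete input."""
    if isinstance(e, int): return e
    if e[0] == 'in': return inp[e[1]]
    a, b = ev(e[1], inp), ev(e[2], inp)
    return {'+': (a + b) & 0xff, '-': (a - b) & 0xff, '==': a == b, '<': a < b}[e[0]]

def run(prog, inp, max_steps=1000):
    """Concrete run on MetaISA; regs hold symbolic exprs, branches append (pred, outcome)."""
    regs, path, cmp, pc = {}, [], None, 0
    val = lambda x: regs[x] if isinstance(x, str) else x
    for _ in range(max_steps):                     # bound loops in the target
        ins, pc = prog[pc], pc + 1
        if ins[0] == 'ld':
            regs[ins[1]] = ('in', ins[2])
        elif ins[0] in ('add', 'sub'):
            regs[ins[1]] = ('+' if ins[0] == 'add' else '-', val(ins[2]), val(ins[3]))
        elif ins[0] == 'cmp':
            cmp = (val(ins[1]), val(ins[2]))
        elif ins[0] in ('beq', 'blt'):
            pred = ('==' if ins[0] == 'beq' else '<',) + cmp
            taken = ev(pred, inp)
            path.append((pred, taken))             # the path constraint grows here
            if taken: pc = ins[1]
        elif ins[0] == 'jmp':
            pc = ins[1]
        else:                                      # 'halt' or 'bug'
            return ins[0], path
    raise RuntimeError('step limit exceeded')

def solve(constraints, n_inputs):
    """Stand-in for an SMT solver: enumerate all byte inputs (fine for two bytes)."""
    for vals in product(range(256), repeat=n_inputs):
        inp = dict(enumerate(vals))
        if all(ev(pred, inp) == want for pred, want in constraints):
            return inp
    return None

def concolic_search(prog, n_inputs, max_runs=50):
    """DART-style generational search: run, flip one branch of the recorded path,
    solve for inputs that reach the flipped branch, rerun.  Returns (input, runs)."""
    worklist, seen, runs = [dict.fromkeys(range(n_inputs), 0)], set(), 0
    while worklist and runs < max_runs:
        inp = worklist.pop()
        runs += 1
        status, path = run(prog, inp)
        if status == 'bug': return inp, runs
        seen.update(tuple(path[:k + 1]) for k in range(len(path)))   # executed prefixes
        for k in range(len(path)):
            flipped = tuple(path[:k]) + ((path[k][0], not path[k][1]),)
            if flipped not in seen:
                seen.add(flipped)
                new = solve(list(flipped), n_inputs)
                if new is not None: worklist.append(new)   # deepest flip is popped first
    return None, runs

# Constructed sample program (not from the paper): 'bug' is reachable only when
# (in0 - in1) mod 256 == 249, i.e. in1 == (in0 + 7) mod 256, and in1 < 3.
X86_PROG = [('mov', 'eax', 'in0'), ('mov', 'ebx', 'in1'), ('sub', 'eax', 'ebx'), ('cmp', 'eax', 249),
            ('je', 6), ('halt',), ('cmp', 'ebx', 3), ('jb', 9), ('halt',), ('bug',)]
PPC_PROG = [('lbz', 'r3', 'in0'), ('lbz', 'r4', 'in1'), ('subf', 'r3', 'r4', 'r3'), ('cmplwi', 'r3', 249),
            ('beq', 6), ('halt',), ('cmplwi', 'r4', 3), ('blt', 9), ('halt',), ('bug',)]

if __name__ == '__main__':
    print(concolic_search(lift_x86(X86_PROG), 2), concolic_search(lift_ppc(PPC_PROG), 2))
```

Both front-ends lift to the same MetaISA program (the PowerPC lifter has to swap the operands of `subf` to match MetaISA's `a - b`, which is exactly the kind of ISA quirk the mapping step absorbs), so the executor, the path-constraint recorder and the solver never see a mnemonic. Starting from all-zero input, the search needs three runs: the first flip makes the equality hold, the second flip forces the guarded comparison and yields the wrap-around input `in0 = 249, in1 = 0`, which random or blackbox fuzzing would be unlikely to hit. A real tool would replace `solve` with an SMT solver and would bound `max_runs` and `max_steps` far more carefully, since a loop over a symbolic counter otherwise produces an unbounded number of paths.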