A research on control-flow taint information directed symbolic execution

doi:10.3969/j.issn.0253-2778.2016.01.004

Abstract

Abstract: Aiming at generation of test cases covering the potential vulnerable program points and combining generation base Fuzzing, static control flow analysis and static taint analysis, this paper proposes a directed dynamic symbolic execution method. By Fuzzing the test cases which could reach the function containing the vulnerable program points are generated, leading the symbolic execution fast towards the vulnerable functions along the denoted single path; By making a static control-flow analysis and a static taint analyses in the vulnerable functions, the control flow taint eachable slices are calculated directing the multi-path dynamic symbolic execution towards the desired vulnerable program points. Experiments prove effectiveness of the method in mitigating the path explosion problem common in symbolic execution applications and in generating test cases that trigger target vulnerability.

Key words: control flow analysis, taint analysis, directed symbolic execution

CLC Number:

TP18

HUANG Hui, LU Yuliang, LIU Lintao, ZHAO Jun. A research on control-flow taint information directed symbolic execution[J]. Journal of University of Science and Technology of China, 2016, 46(1): 21-27.

References

［1］
Goldfroid P, Klarund N. Sen K. DART: Directed automated random testing[C]// SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM Press, 2005: 213-223.
[2] Godefroid P, Levin M Y, Molnar D. Automated whitebox fuzz testing[C]// Proceedings of Network Distributed Security Symposium. San Diego, USA: The Internet Society, 2008: 151-166.
[3] Brumley D, Hartwig C, Kang M G, et al. BitScope: Automatically dissecting malicious binaries[R] Technical report CMU-CS-07-133, Carnegie Mellon University, 2007.
[4] Pǎsǎreanu C S, Mehlitz P C, Bushnell D H, et al. Combining unit-level symbolic execution and system-level concrete execution for testing NASA software[C]// Proceedings of the 2008 International Symposium on Software Testing and Analysis. Seattle, USA: ACM Press, 2008: 15-26.
[5] Hu C J, Li Z J , Ma J X, et al. File parsing vulnerability detection with symbolic execution[C]// Sixth International Symposium on Theoretical Aspects of Software Engineering. Beijing, China: IEEE Press, 2012: 135-142.
[6] Wang X, Chen H G, Jia Z H, et al. Improving integer security for systems with KINT[C]// Proceedings of the 10th USENIX Conference on Operating Systems Design and Implementation. Berkeley, USA: USENIX-Association, 2012: 163-177.
[7] Chipounov V, GeorgescuV, Zamfir C, et al. Selective symbolic execution[C]// Proceedings of the 5th Workshop on Hot Topics in System Dependability. Lisbon, Portugal: ACM Press, 2009: 1-6.
[8] Siddiqui J H, Khurshid S. ParSym: Parallel symbolic execution[C]// 2nd International Conference on Software Technology and Engineering. San Juan, Puerto Rico: IEEE Press, 2010: 405-409.
[9] autodafe-fuzzer framework [EB/OL]. http://sourceforge.net/projects/autodafe/?source=directory[2015-1-31].
[10] BinNavi[EB/OL]. www.zynamics.com/binnavi.html, 2013.
[11] 王金锭, 王嘉捷, 程绍银, 等. 基于统一中间表示的软件漏洞挖掘系统[C]// 第三届信息安全漏洞分析与风险评估大会. 合肥, 2010: 42-52.
[12] Alfred V A, Monica S L, Ravi S. 编译原理[M]. 第2版, 赵建华, 郑滔, 戴新宇译, 北京: 机械工业出版社, 2009.
[13] 崔宝江, 梁晓兵, 王禹, 等. 基于回溯与引导的关键代码区域覆盖的二进制程序测试技术研究[J]. 电子与信息学报, 2012, 34(1): 108-114.
Cui B J, Liang X B, Wang Y, et al. The study of binary program test techniques based on backtracking and leading for covering key code area[J]. Journal of Electronics &Information Technology, 2012, 34(1): 108-114.
[14] PEACH FUZZE[EB/OL]. http://peachfuzzer.com/, 2012.
[15] Chipounov V, Kuznetsov V, Candea G. S2E: A platform for in-vivo multi-path analysis of software systems[J]. ACM SIGARCH Computer Architecture News, 2011, 39(1): 265-278.

()
()

[1]	Ma Yulian, Cui Wenquan. An end-to-end multitask method with two targets for high-frequency price movement prediction [J]. Journal of University of Science and Technology of China, 2021, 51(3): 246-258.
[2]	. Differential privacy protection method for deep learning based on WGAN feedback [J]. Journal of University of Science and Technology of China, 2020, 50(8): 1064-1071.
[3]	GAO Xiang, CHEN Li. Group stochastic gradient descent: A tradeoff between straggler and staleness [J]. Journal of University of Science and Technology of China, 2020, 50(8): 1156-1161.
[4]	. UAV target tracking based on visual attention mechanism [J]. Journal of University of Science and Technology of China, 2020, 50(8): 1162-1169.
[5]	WANG Yue, LI Jing. Research on optimization method of convolutional neural network based on visualization [J]. Journal of University of Science and Technology of China, 2020, 50(7): 959-967.
[6]	. Focused loss-based for imbalanced data scenarios integrated classification methods for CGAN [J]. Journal of University of Science and Technology of China, 2020, 50(7): 968-976.
[7]	ZHANG Yikai, PENG Yong, KONG Wanzeng, WEN Yimin. Fuzzy local coordinate concept factorization with graph regularization [J]. Journal of University of Science and Technology of China, 2020, 50(7): 993-1002.
[8]	SU Shoubao, CHEN Qiuxin, WANG Chishe, LI Zhi. Adaptive fractional order particle swarm optimization using swarm activity feedback and mutation operator [J]. Journal of University of Science and Technology of China, 2020, 50(7): 1026-1034.
[9]	SHI Lukui, GUO Linlin, FANG Zizhe, ZHANG Jun. Parallel ISOMAP algorithm based on Spark [J]. Journal of University of Science and Technology of China, 2019, 49(10): 842-850.
[10]	ZHANG Huimin, YANG Ming, LV Jing. Multifeature hyperspectral image classification based on adaptive kernel joint sparse representation [J]. Journal of University of Science and Technology of China, 2018, 48(4): 298-306.
[11]	RAO Qi, YANG Yan*, TENG Fei. Condition recognition of high-speed train based on multi-view weighted clustering ensemble [J]. Journal of University of Science and Technology of China, 2018, 48(1): 35-41.
[12]	ZHANG Hao, WU Jianxin,. Ensemble max-pooling: Is only the maximum activation useful when pooling [J]. Journal of University of Science and Technology of China, 2017, 47(10): 799-807.
[13]	BAN Leiyu, HUO Huan, XU Biao. Discovery of hot regions about crowd activities based on mobility data [J]. Journal of University of Science and Technology of China, 2015, 45(10): 829-835.
[14]	LIN Ziyu, LI Yuqian, LI Can, LAI Yongxuan. PipelineJoin：A new MapReduce-based multi-table join algorithm [J]. Journal of University of Science and Technology of China, 2015, 45(10): 836-845.
[15]	OU Meiying, GU Shengwei, DONG Kexiu. Consensus of second-order multi-agent systems with directed topologies and time-varying delays [J]. Journal of University of Science and Technology of China, 2015, 45(10): 871-880.