Your search keyword '"symbolic execution"' showing total 2,305 results

1. Side-Channel Isn’t Sad Anymore: Towards the Leak-Free Network Stack---From DNS and Beyond

Author

Man, Keyu

Subjects

Computer science, Computer engineering, Information science, cache poisoning, dns, network security, rate limit, side channel, symbolic execution

Abstract

Network side channels have emerged as a notable threat vector in computer security, often bypassing conventional safeguards due to their elusive nature. In such attacks, the attacker leverages unintentionally leaked transformed information to derive the confidential secret on the victim. This research delves into the intricacies of these attacks, with an emphasis on DNS systems. While the vulnerabilities posed by TCP side channels have been somewhat explored, this thesis unveils the broader spectrum, especially emphasizing on UDP and ICMP side channels. The discovered flaws based on temporal and spatial shared resources lead to potent DNS cache poisoning attacks by effectively circumventing ephemeral port randomization defenses, which remains the critical defense of Dan Kaminsky's attack, rendering large portions of the Internet's open resolvers vulnerable. Specifically, 34% of these, including popular public resolvers like Quad 9, were found vulnerable.Given these revelations, the pressing need for a robust, universal and automated detection tool became evident. Addressing this, the research introduces SACD, an automated tool built upon a novel methodology termed under-constrained dynamic symbolic execution. SACD identifies violations of the non-interference property, recognized as the underpinning of network side channels. Without relying on comprehensive prior modeling and domain knowledge, SACD scrutinizes multiple TCP and UDP implementations among Linux, FreeBSD and lwIP, discovering 14 network side channels, including seven previously undetected ones, at a false positive rate of 17.6%. The results reveal serious vulnerabilities, including those that can be used to compromise the previously patched Linux and FreeBSD kernels, making them susceptible to SADDNS attacks or off-path TCP exploits again.Collectively, this thesis aims to enrich our comprehension of network side channels, paving the way for more fortified defenses in the realm of computer network security.

Published

2023

2. Tackling Security Challenges in Operating Systems Using Selective Symbolic Execution

Author

Liu, Yingtong

Subjects

Computer science, fuzzing, Operaring system, race condition, s2e, Security, Symbolic execution

Abstract

Symbolic execution is a widely used program analysis technique to systematically executedifferent program execution paths without requiring concrete inputs. Developed from sym-bolic execution, Selective Symbolic Execution (SSE) is a technique for creating the illusionof full system symbolic execution, while symbolically running only the code that is of interestto the analyst. SSE makes symbolic execution practical for large software like an operatingsystem by alleviating the problem of path explosion.In this thesis, we demonstrate the possibility of using SSE to tackle security challenges inoperating systems. Our first work is Mousse, which is a system for selective symbolic execu-tion of programs with untamed environments. Mousse facilitates testing operating systemservices that are highly coupled with their underlying environment by developing three novelsolutions. Our second work is Macaron, which is the first framework that can automaticallyand reliably reproduce non-deterministic race condition bugs in the operating system kernel.We demonstrate the usefulness of Macaron by using it to reproduce bugs found (but notreproduced) by syzbot, the state-of-the-art continuous kernel fuzzing framework. We buildMacaron using a novel Guided Selective Symbolic Execution (GSSE), static analysis, and adistance-based thread interleaving points scheduling algorithm.

Published

2022

3. Evasion Attacks on Network Intrusion Detection: Investigation, Automation, and Mitigation

Author

Wang, Zhongjie

Subjects

Computer science, Discrepancy, Evasion, NIDS, Symbolic Execution, TCP

Abstract

Stateful network protocols, such as the Transmission Control Protocol (TCP), play a significant role in the modern Internet, taking part in almost every network application running on billions of user devices, including computers, smartphones, IoT devices, vehicles, etc. However, due to inevitable ambiguities in network protocol specifications, discrepancies are prevalent among different network protocol implementations and even different versions of the same implementation. As a result, discrepancies could lead to severe security vulnerabilities. One kind of such vulnerabilities is caused by discrepancies between the network stack of a network intrusion detection system (NIDS) and those of the endhosts. A deliberate attacker could leverage the discrepancies to craft network traffic that will be interpreted differently by the NIDS and the endhosts, and then mount an attack that can bypass the NIDS. Furthermore, due to the statefulness of the network protocol, the attacker can manipulate the state on the NIDS to permanently disable the NIDS on any connection.Our research focuses on the study of discrepancies among TCP implementations of NIDSes and endhosts, towards understanding the exploitation of and defense against vulnerabilities caused by discrepancies. We start first by manually investigating the discrepancies and then move on to automated techniques. More specifically, 1) we first investigate the most powerful censorship firewall on the Internet and discover the discrepancies between its implementation and that of a Linux server, which allows an adversary to evade the firewall; 2) in order to automatically discover such implementation-level discrepancies, we develop a general approach which employs automated testing and symbolic execution techniques to automatically explore the program space of the Linux TCP stack and thereby discover network packets that can evade deep packet inspection used by modern stateful firewalls and intrusion detection systems; 3) we develop a systematic approach to extract comprehensive and high-fidelity models from various versions of the Linux TCP implementation and exhaustively discover all discrepancies between them; we then build a NIDS that incorporates the discovered discrepancies and is immune to all evasion attacks. Ultimately, we seek to develop widely used tools that employ automated testing techniques to significantly improve the effectiveness and efficiency in discovering discrepancies among stateful network protocol implementations and prevent attacks that exploit such discrepancies.

Published

2021

4. Tainting-Assisted and Context-Migrated Symbolic Execution of Android Framework for Vulnerability Discovery and Exploit Generation.

Author

Luo, Lannan, Zeng, Qiang, Cao, Chen, Chen, Kai, Liu, Jian, Liu, Limin, Gao, Neng, Yang, Min, Xing, Xinyu, and Liu, Peng

Subjects

CYBERTERRORISM, COMPUTER software execution, GLOBAL Positioning System, EXECUTIONS & executioners

Abstract

Android Application Framework is an integral and foundational part of the Android system. Each of the two billion (as of 2017) Android devices relies on the system services of Android Framework to manage applications and system resources. Given its critical role, a vulnerability in the framework can be exploited to launch large-scale cyber attacks and cause severe harms to user security and privacy. Recently, many vulnerabilities in Android Framework were exposed, showing that it is indeed vulnerable and exploitable. While there is a large body of studies on Android application analysis, research on Android Framework analysis is very limited. In particular, to our knowledge, there is no prior work that investigates how to enable symbolic execution of the framework, an approach that has proven to be very powerful for vulnerability discovery and exploit generation. We design and build the first system, Centaur, that enables symbolic execution of Android Framework. Due to the middleware nature and technical peculiarities of the framework that impinge on the analysis, many unique challenges arise and are addressed in Centaur. The system has been applied to discovering new vulnerability instances, which can be exploited by recently uncovered attacks against the framework, and to generating PoC exploits. [ABSTRACT FROM AUTHOR]

Published

2020

5. Using Symbolic States to Infer Numerical Invariants

Author

ThanhVu Nguyen, Matthew B. Dwyer, and KimHao Nguyen

Subjects

Theoretical computer science, Computer science, Encoding (memory), Symbolic execution, Software

Published

2022

6. Fuzzing and Symbolic Execution to Identify and Patch Bugs

Author

Salls, Christopher

Subjects

Computer science, Binary Analysis, Computer Security, Fuzzing, Symbolic Execution

Abstract

Our computers, phones, and other smart devices are running a vast and ever increasing amount of software. This provides us with many capabilities that we make use of throughout our everyday lives.However, it also brings with it a large attack surface, wherein vulnerabilities could lie.A single vulnerability in any component could be maliciously exploited to gain access to private information or cause damage.This weakness is compounded by the imbalance between attackers and those who secure software; defenders must eliminate all of the vulnerabilities to have secure software, whereas an attacker may only need one vulnerability to be able to craft an exploit.Of course, all of this software cannot be audited, checked for bugs, and made secure manually; effective automated techniques are needed.One of the most common causes of insecure software is memory corruption vulnerabilities.Memory corruption is frequently found in unsafe languages, such as C and C++, and can take many forms.Currently, the main methods of finding memory corruption are fuzzing and static analysis.However, both of these have major weaknesses that prevent finding many of the bugs present in modern software.The goal of my research is to improve upon the available techniques to make them more capable of finding bugs in real-world programs.To this end, the first work of my PhD identifies a key weakness in fuzzers---that they are impeded by difficult checks, such as string comparisons or magic numbers.With this in mind, we designed a new tool that combines fuzzing with symbolic execution, such that it can now solve for difficult checks and be able to continue fuzzing beyond them.Of course, finding bugs is only one part of the problem. In my next work, I worked on a novel application of symbolic execution to hot-patch vulnerable devices.Many IoT devices are not created with any built-in mechanism to update, and could be an easy target for attackers should a vulnerability be discovered.My research allows such devices to be automatically patched in event that a code execution vulnerability is found, without any support needed from the device itself.In the final two projects of my PhD, I identify fundamental properties of fuzzers and use these to create new paradigms of fuzzing, which can find more vulnerabilities.One work formalizes how fuzzers find new inputs to mutate.Then, using this formalization, I design new strategies for fuzzing, which show improved capabilities for finding bugs.The last work I present here is a new technique for fuzzing JavaScript engines, called \emph{Token-Level Fuzzing}.Instead of mutating individual bytes, Token-Level Fuzzing mutates entire tokens, replacing them with another valid token. Using this technique, we are able to find bugs which no other published fuzzer has found.I hope the techniques presented here can bring automated bug finding a step forward and be further built upon, as we try to eliminate memory corruption vulnerabilities.In this thesis, I show that we can leverage the structure of binary programs and the essential properties of the data which they process to improve the effectiveness of vulnerability discovery based on fuzzing.

Published

2020

7. Zero-Overhead Path Prediction with Progressive Symbolic Execution.

Author

Rutledge, Richard, Sunjae Park, Khan, Haider, Orso, Alessandro, Prvulovic, Milos, and Zajic, Alenka

Subjects

ELECTROMAGNETISM, ARTIFICIAL intelligence, SOFTWARE engineering, COMPUTER science, COMPUTER input-output equipment

Abstract

In previous work, we introduced zero-overhead profiling (ZOP), a technique that leverages the electromagnetic emissions generated by the computer hardware to profile a program without instrumenting it. Although effective, ZOP has several shortcomings: it requires test inputs that achieve extensive code coverage for its training phase; it predicts path profiles instead of complete execution traces; and its predictions can suffer unrecoverable accuracy losses. In this paper, we present zero-overhead path prediction (ZOP-2), an approach that extends ZOP and addresses its limitations. First, ZOP-2 achieves high coverage during training through progressive symbolic execution (PSE)--symbolic execution of increasingly small program fragments. Second, ZOP-2 predicts complete execution traces, rather than path profiles. Finally, ZOP-2 mitigates the problem of path mispredictions by using a stateless approach that can recover from prediction errors. We evaluated our approach on a set of benchmarks with promising results; for the cases considered, (1) ZOP-2 achieved over 90% path prediction accuracy, and (2) PSE covered feasible paths missed by traditional symbolic execution, thus boosting ZOP-2's accuracy. [ABSTRACT FROM AUTHOR]

Published

2019

8. Enhancing Dynamic Symbolic Execution by Automatically Learning Search Heuristics

Author

Seongjoon Hong, Jingyoung Kim, Junhee Lee, Hakjoo Oh, Sooyoung Cha, and Jiseong Bak

Subjects

Class (computer programming), Theoretical computer science, Computer science, Heuristic, Key (cryptography), Code coverage, Concolic testing, Parametric search, Heuristics, Symbolic execution, Software

Abstract

We present a technique to automatically generate search heuristics for dynamic symbolic execution. A key challenge in dynamic symbolic execution is how to effectively explore the program's execution paths to achieve high code coverage in a limited time budget. Dynamic symbolic execution employs a search heuristic to address this challenge, which favors exploring particular types of paths that are most likely to maximize the final coverage. However, manually designing a good search heuristic is nontrivial and typically ends up with suboptimal and unstable outcomes. The goal of this paper is to overcome this shortcoming of dynamic symbolic execution by automatically learning search heuristics. We define a class of search heuristics, namely a parametric search heuristic, and present an algorithm that efficiently finds an optimal heuristic for each subject program. Experimental results with industrial-strength symbolic execution tools (e.g., KLEE) show that our technique can successfully generate search heuristics that significantly outperform existing manually-crafted heuristics in terms of branch coverage and bug-finding.

Published

2022

9. Precise Dynamic Symbolic Execution for Nonuniform Data Access in Smart Contracts

Author

Bin Liang, Jiasheng Jiang, Wei You, and Jianjun Huang

Subjects

Computer science, Distributed computing, Hash function, Integer overflow, Symbolic execution, Operational semantics, Theoretical Computer Science, Addressing mode, Data access, Memory management, Computational Theory and Mathematics, Hardware and Architecture, Software, Integer (computer science)

Abstract

Dynamic symbolic execution (DSE) has been successfully adopted for vulnerability detection in desktop and mobile platforms. Unfortunately, we cannot simply extrapolate those techniques to smart contracts. The major challenge is that smart contracts exhibit a nonuniform data access mode. Other than accessing the data via uniform addresses, smart contracts compromise multiple addressing modes, including flat address mode and key-value mode. More seriously, accessing a key-value table usually involves additional hash operations to obtain the keys. In this paper, we propose a DSE framework to resolve the nonuniform data access in smart contracts. More specifically, we exactly track the symbolic variables with concrete addresses and compute the actual/hash keys for table-like accesses. We also take the symbolic keys into account to distinguish data accesses incidentally with the same concrete keys resulting from artificially generated values. We describe the DSE framework in operational semantics. On top of the framework, we implement an integer overflow detector NOVA and a multi-transactional vulnerability detector MTVD. The experiments show that NOVA outperforms state-of-the-art analysis tools in detecting the integer overflows with much higher precision and recall, 94.2% and 93.0%, respectively. MTVD successfully reports three ether leaking vulnerabilities and one suicidal issue from real-world smart contracts.

Published

2022

10. SigRec: Automatic Recovery of Function Signatures in Smart Contracts

Author

Xiapu Luo, Xiaofeng Wang, Ting Wang, Kezhao Fang, Yufei Zhang, Hongwei Li, Zheyuan He, Ting Chen, Zihao Li, Yan Cheng, Xiaosong Zhang, and Zhu Hang

Subjects

Profiling (computer programming), FOS: Computer and information sciences, Source code, Computer Science - Cryptography and Security, Smart contract, Computer science, media_common.quotation_subject, Fuzz testing, computer.software_genre, Symbolic execution, Signature (logic), Software Engineering (cs.SE), Bytecode, Computer Science - Software Engineering, Data mining, Function (engineering), computer, Cryptography and Security (cs.CR), Software, media_common

Abstract

Millions of smart contracts have been deployed onto Ethereum for providing various services, which can be invoked through their functions. For this purpose, the caller needs to know the function signature of a callee, which includes its function id and parameter types. Such signatures are critical to many applications focusing on smart contracts, e.g., reverse engineering, fuzzing, attack detection, and profiling. Unfortunately, it is challenging to recover the function signatures from contract bytecode, since neither debug information nor type information is present in the bytecode. To address this issue, prior approaches rely on source code, or a collection of known signatures from incomplete databases or incomplete heuristic rules, which, however, are far from adequate and cannot cope with the rapid growth of new contracts. In this paper, we propose a novel solution that leverages how functions are handled by Ethereum virtual machine (EVM) to automatically recover function signatures. In particular, we exploit how smart contracts determine the functions to be invoked to locate and extract function ids, and propose a new approach named type-aware symbolic execution (TASE) that utilizes the semantics of EVM operations on parameters to identify the number and the types of parameters.Moreover, we develop SigRec, a new tool for recovering function signatures from contract bytecode without the need of source code and function signature databases. The extensive experimental results show that SigRec outperforms all existing tools, achieving an unprecedented 98.9% accuracy within 0.07 seconds. We further demonstrate that the recovered function signatures are useful in attack detection, fuzzing and reverse engineering of EVM bytecode.

Published

2023

11. Identifying Program Entropy Characteristics with Symbolic Execution

Author

Dutcher, Audrey Annika

Subjects

Computer science, Model Counting, Symbolic Execution, Vulnerability Discovery

Abstract

The security infrastructure underpinning our society relies on encryption, which relies on the correct generation and use of pseudorandom data. Unfortunately, random data is deceptively hard to generate. Implementation problems in PRNGs and the incorrect usage of generated random data in cryptographic algorithms have led to many issues, including the infamous Debian OpenSSL bug, which exposed millions of systems on the internet to potential compromise due to a mistake that limited the source of randomness during key generation to have 2^15 different seeds (i.e. 15 bits of entropy).It is important to automatically identify if a given program applies a certain cryptographic algorithm or uses its random data correctly.This paper tackles the very first step of this problem by extracting an understanding of how a binary program generates or uses randomness. Specifically, we set the following problem: given a program (or a specific function), can we estimate bounds on the amount of randomness present in the program or function's output by determining bounds on the entropy of this output data? Our technique estimates upper bounds on the entropy of program output through a process of expression reinterpretation and stochastic probability estimation, related to abstract interpretation and model counting.

Published

2019

12. ReMuSSE: A Redundant Mutant Identification Technique Based on Selective Symbolic Execution

Author

Tsong Yueh Chen, Chang-ai Sun, Xinling Guo, and An Fu

Subjects

Identification (information), business.industry, Computer science, Mutant, Pattern recognition, Artificial intelligence, Electrical and Electronic Engineering, Safety, Risk, Reliability and Quality, business, Symbolic execution

Published

2022

13. Automatic Detection, Validation, and Repair of Race Conditions in Interrupt-Driven Embedded Software

Author

Yu Wang, Tingting Yu, Xuandong Li, Linzhang Wang, Fengjuan Gao, and Jianhua Zhao

Subjects

Embedded software, Program analysis, Resource (project management), Computer science, business.industry, Embedded system, Concurrent computing, Static analysis, Interrupt, Symbolic execution, business, Software, Race condition

Abstract

Interrupt-driven programs are widely deployed in safety-critical embedded systems to perform hardware and resource dependent data operation tasks. The frequent use of interrupts in these systems can cause race conditions to occur due to interactions between application tasks and interrupt handlers (or two interrupt handlers). Numerous program analysis and testing techniques have been proposed to detect races in multithreaded programs. Little work, however, has addressed race condition problems related to hardware interrupts. In this paper, we present SDRacer, an automated framework that can detect, validate and repair race conditions in interrupt-driven embedded software. It uses a combination of static analysis and symbolic execution to generate input data for exercising the potential races. It then employs virtual platforms to dynamically validate these races by forcing the interrupts to occur at the potential racing points. Finally, it provides repair candidates to eliminate the detected races. We evaluate SDRacer on nine real-world embedded programs written in C language. The results show that SDRacer can precisely detect and successfully fix race conditions.

Published

2022

14. Explaining Regressions via Alignment Slicing and Mending

Author

Jin Song Dong, Yang Liu, Yun Lin, Haijun Wang, Zijiang Yang, Jun Sun, Qinghua Zheng, and Ting Liu

Subjects

Semantics (computer science), Computer science, media_common.quotation_subject, Root cause, computer.software_genre, Symbolic execution, Software bug, Debugging, Graph (abstract data type), Overhead (computing), Data mining, computer, Software, media_common, TRACE (psycholinguistics)

Abstract

Regression faults, which make working code stop functioning, are often introduced when developers make changes to the software. Many regression fault localization techniques have been proposed. However, issues like inaccuracy and lack of explanation are still obstacles for their practical application. In this work, we propose a trace-based approach to identifying not only where the root cause of a regression bug lies, but also how the defect is propagated to its manifestation as the explanation. In our approach, we keep the trace of original correct version as reference and infer the faulty steps on the trace of regression version so that we can build a causality graph of how the defect is propagated. To this end, we overcomes two technical challenges. First, we align two traces derived from two program versions by extending state-of-the-art trace alignment technique for regression fault with novel relaxation technique. Second, we construct causality graph (i.e., explanation) by adopting a technique called alignment slicing and mending to isolate the failure-inducing changes and explain the failure. Our comparative experiment with the state-of-the-art techniques including dynamic slicing, delta-debugging, and symbolic execution on 24 real-world regressions shows that (1) our approach is more accurate on isolating the failure-inducing changes, (2) the generated explanation requires acceptable manual effort to inspect, and (3) our approach requires lower runtime overhead. In addition, we also conduct an applicability experiment based on Defects4J bug repository, showing the potential limitations of our trace-based approach and providing guidance for its practical use.

Published

2021

15. SpecSafe: detecting cache side channels in a speculative world

Author

Mahmut Kandemir, Danfeng Zhang, Robert Brotzman, and Gang Tan

Subjects

Computer science, business.industry, Speculative execution, Program transformation, Cryptography, Static analysis, Symbolic execution, Computer security, computer.software_genre, Scalability, Side channel attack, Cache, Safety, Risk, Reliability and Quality, business, computer, Software

Abstract

The high-profile Spectre attack and its variants have revealed that speculative execution may leave secret-dependent footprints in the cache, allowing an attacker to learn confidential data. However, existing static side-channel detectors either ignore speculative execution, leading to false negatives, or lack a precise cache model, leading to false positives. In this paper, somewhat surprisingly, we show that it is challenging to develop a speculation-aware static analysis with precise cache models: a combination of existing works does not necessarily catch all cache side channels. Motivated by this observation, we present a new semantic definition of security against cache-based side-channel attacks, called Speculative-Aware noninterference (SANI), which is applicable to a variety of attacks and cache models. We also develop SpecSafe to detect the violations of SANI. Unlike other speculation-aware symbolic executors, SpecSafe employs a novel program transformation so that SANI can be soundly checked by speculation-unaware side-channel detectors. SpecSafe is shown to be both scalable and accurate on a set of moderately sized benchmarks, including commonly used cryptography libraries.

Published

2021

16. Symbolic value-flow static analysis: deep, precise, complete modeling of Ethereum smart contracts

Author

Ilias Tsatiris, Yannis Smaragdakis, Sifis Lagouvardos, Neville Grech, and Konstantinos Triantafyllou

Subjects

Theoretical computer science, Program analysis, Computer science, Semantics (computer science), Completeness (order theory), Path (graph theory), Static analysis, Solver, Safety, Risk, Reliability and Quality, Symbolic execution, Software, Domain (software engineering)

Abstract

We present a static analysis approach that combines concrete values and symbolic expressions. This symbolic value-flow (“symvalic”) analysis models program behavior with high precision, e.g., full path sensitivity. To achieve deep modeling of program semantics, the analysis relies on a symbiotic relationship between a traditional static analysis fixpoint computation and a symbolic solver: the solver does not merely receive a complex “path condition” to solve, but is instead invoked repeatedly (often tens or hundreds of thousands of times), in close cooperation with the flow computation of the analysis. The result of the symvalic analysis architecture is a static modeling of program behavior that is much more complete than symbolic execution, much more precise than conventional static analysis, and domain-agnostic: no special-purpose definition of anti-patterns is necessary in order to compute violations of safety conditions with high precision. We apply the analysis to the domain of Ethereum smart contracts. This domain represents a fundamental challenge for program analysis approaches: despite numerous publications, research work has not been effective at uncovering vulnerabilities of high real-world value. In systematic comparison of symvalic analysis with past tools, we find significantly increased completeness (shown as 83-96% statement coverage and more true error reports) combined with much higher precision, as measured by rate of true positive reports. In terms of real-world impact, since the beginning of 2021, the analysis has resulted in the discovery and disclosure of several critical vulnerabilities, over funds in the many millions of dollars. Six separate bug bounties totaling over $350K have been awarded for these disclosures.

Published

2021

17. Model-Agnostic and Efficient Exploration of Numerical Congestion Control State Space of Real-World TCP Implementations

Author

Sebastian Elbaum, Wei Sun, Di Zhao, and Lisong Xu

Subjects

State variable, Computer Networks and Communications, Computer science, Distributed computing, Random testing, Manual testing, Symbolic execution, Space exploration, Computer Science Applications, Network congestion, Software bug, State space, Electrical and Electronic Engineering, Software

Abstract

The significant impact of TCP congestion control on the Internet highlights the importance of testing congestion control algorithm implementations (CCAIs) in various network environments. Many CCAI testing problems can be solved by exploring the numerical state space of CCAIs, which is defined by a group of numerical (and nonnumerical) state variables of the CCAIs. However, the current practices for automated numerical state space exploration are either limited by the approximate abstract CCAI models or inefficient due to the large space of network environment parameters and the complicated relation between the CCAI states and network environment parameters. In this paper, we propose an automated numerical state space exploration method, called ACT, which leverages the model-agnostic feature of random testing and greatly improves its efficiency by guiding random testing under the feedback iteratively obtained in a test. Our experiments on five representative Linux TCP CCAIs show that ACT can more efficiently explore a large numerical state space than manual testing, undirected random testing, and symbolic execution based testing, while without requiring an abstract CCAI model. ACT detects multiple design and implementation bugs of these Linux TCP CCAIs, including some new bugs not reported before.

Published

2021

18. SIT-SE: A Specification-Based Incremental Testing Method With Symbolic Execution

Author

Rong Wang, Shaoying Liu, and Yuji Sato

Subjects

Correctness, Computer science, Programming language, Hoare logic, Symbolic execution, computer.software_genre, Software bug, Formal specification, Path (graph theory), Concolic testing, Electrical and Electronic Engineering, Safety, Risk, Reliability and Quality, computer, Test data

Abstract

Symbolic execution is a powerful technique for automating software testing to detect many types of errors such as memory errors and assertion violations. However, it encounters the problem of path explosion, and by using only assertions, it still lacks the capability of going deep into checking the functional correctness of a path based on corresponding formal specifications. To address these problems, we propose a specification-based incremental testing method with symbolic execution, called SIT-SE, providing a much more rigorous way to automatically check the functional correctness of all the discovered program paths, by introducing theorems (instead of assertions) for path correctness and branch sequence coverage algorithm for guiding a moderate path exploration. Compared with Hoare logic for proving the correctness of an entire program, a theorem in the SIT-SE is made for verifying the correctness of a program path. The proposed method carefully treats the relationship between a path condition and the specification in a theorem to restrict the monotonous path exploration, whereas traditional concolic testing methods roughly use one test data to determine the path correctness by assertions during long path searching. We use a classic case to demonstrate how the method works and conduct an experiment to evaluate the performance of both the proposed method and the commonly used well-known concolic testing tool KLEE. The experimental results show that our method SIT-SE is effective and outperforms KLEE in detecting faulty paths based on specifications.

Published

2021

19. Dynamic Property Enforcement in Programmable Data Planes

Author

Miguel Neves, Bradley Huffaker, Marinho P. Barcellos, and Kirill Levchenko

Subjects

Correctness, business.industry, Computer Networks and Communications, Computer science, Distributed computing, Throughput, Symbolic execution, Networking hardware, Computer Science Applications, Pipeline transport, Software, Software bug, Scalability, Forwarding plane, Overhead (computing), Latency (engineering), Electrical and Electronic Engineering, business, Enforcement

Abstract

Network programmers can currently deploy an arbitrary set of protocols in forwarding devices through data plane programming languages such as P4. However, as any other type of software, P4 programs are subject to bugs and misconfigurations. Network verification tools have been proposed as a means of ensuring that the network behaves as expected, but these tools frequently face severe scalability issues. In this paper, we argue for a novel approach to this problem. Rather than statically inspecting a network configuration looking for bugs, we propose to enforce networking properties at runtime. To this end, we developed P4box , a system for deploying runtime monitors in programmable data planes. P4box allows programmers to easily express a broad range of properties (both program-specific and network-wide). Moreover, we provide an automated framework based on assertions and symbolic execution for ensuring monitor correctness. Our experiments on a SmartNIC show that P4box monitors represent a small overhead to network devices in terms of latency, throughput and power consumption.

Published

2021

20. GasChecker: Scalable Analysis for Discovering Gas-Inefficient Smart Contracts

Author

Xiaosong Zhang, Xiuzhuo Xiao, Xiaopu Luo, Ting Chen, Jiachi Chen, Hao Zhou, Xiaoqi Li, Zihao Li, and Youzheng Feng

Subjects

Smart contract, Computer science, 05 social sciences, 020207 software engineering, 02 engineering and technology, Load balancing (computing), Symbolic execution, Computer security, computer.software_genre, Computer Science Applications, Human-Computer Interaction, Bytecode, Load management, Resource (project management), 0502 economics and business, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Computer Science (miscellaneous), Programming paradigm, computer, 050203 business & management, Information Systems

Abstract

Ethereum, the largest blockchain for running smart contracts, charges the people who send transactions to deploy or invoke smart contracts for thwarting resource abuse. The amount of transaction fee depends on the size of that contract and the operations executed by that contract. Consequently, smart contracts with inefficient code will waste money. In this article, we propose and develop the first tool, named GasChecker , for automatically identifying gas-inefficient code in smart contracts, and conduct the first empirical study on the prevalence of gas-inefficient code in the deployed smart contracts. More precisely, we first summarize ten gas-inefficient programming patterns and propose a new approach based on symbolic execution (SE) to detect them in the bytecode of smart contracts. To make our approach scalable to analyze millions of smart contracts, we parallelize SE by tailoring it to the MapReduce programming model, and propose a new feedback-based load balancing strategy to effectively utilize cloud resources. Extensive experiments show that GasChecker scales well with the increase of workers. The empirical study demonstrates that lots of real smart contracts contain various inefficient code. Manual investigation demonstrates that only 2.5 percent of discovered gas-inefficient instances are false positives.

Published

2021

21. Software Side-Channel Analysis

Author

Bang, Lucas Adam

Subjects

Computer science, Side Channel, Software Security, Symbolic Execution

Abstract

Software side-channel attacks are able to recover confidential information by observing non-functional computation characteristics of program execution such as elapsed time, amount of allocated memory, or network packet size. The ability to automatically determine the amount of information that a malicious user can gain through side-channel observations allows one to quantitatively assess the security of an application. Since most software that accesses confidential information leaks some amount of information through side channels, it is important to quantify the amount of leakage in order to detect vulnerabilities. In addition, one can prove that a program is vulnerable to side-channel attacks by synthesizing attacks that recover confidential information. In this dissertation, I provide methods for (1) quantifying side-channel vulnerabilities and (2) synthesizing adaptive side-channel attack steps. My approaches advance the state-of-the-art in automatic software side-channel analysis which I summarize as follows. I make use of symbolic execution to extract program constraints that characterize the relationship between secret information, the inputs of a malicious user, and observable program behaviors. By applying model counting constraint solving to these constraints, I compute probabilistic relationships among secrets, attacker inputs, and attacker side-channel observations. These probabilities are used to quantify information leakage for a program by applying methods from the field of quantitative information flow. Moreover, by automatically generating a symbolic expression that quantifies information leakage, I am able to perform numeric maximization over attacker inputs to synthesize optimal attack steps. The sequence of attack steps serves as a proof of exploitability. I give two different automatic attack synthesis techniques: a fully static approach and an online dynamic approach that constructs an attack that takes into account system noise and is able to execute the attack through the network. I demonstrate the effectiveness of my approaches on a set of experimental benchmarks.

Published

2018

22. Information-flow control on ARM and POWER multicore processors

Author

Graeme Smith, Nicholas Coughlin, and Toby Murray

Subjects

Multi-core processor, Correctness, Computer science, business.industry, HOL, 020207 software engineering, 02 engineering and technology, Thread (computing), Symbolic execution, Operational semantics, Theoretical Computer Science, Hardware and Architecture, 020204 information systems, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Information flow (information theory), business, Software

Abstract

Weak memory models implemented on modern multicore processors are known to affect the correctness of concurrent code. They can also affect whether or not the concurrent code is secure. This is particularly the case in programs where the security levels of variables are value-dependent, i.e., depend on the values of other variables. In this paper, we illustrate how instruction reordering allowed by ARM and POWER multicore processors leads to vulnerabilities in such programs, and present a compositional, flow-sensitive information-flow logic which can be used to detect such vulnerabilities. The logic allows step-local reasoning (one instruction at a time) about a thread’s security by tracking information about dependencies between instructions which guarantee their order of occurrence. Program security can then be established from individual thread security using rely/guarantee reasoning. The logic has been proved sound with respect to existing operational semantics using Isabelle/HOL, and implemented in an automatic symbolic execution tool.

Published

2021

23. Cooperative verifier-based testing with CoVeriTest

Author

Marie-Christine Jakobs and Dirk Beyer

Subjects

Model checking, Computer science, Programming language, 020207 software engineering, 02 engineering and technology, Symbolic execution, computer.software_genre, Software quality, Test (assessment), Predicate abstraction, 020204 information systems, Bounded function, Theory of computation, 0202 electrical engineering, electronic engineering, information engineering, Test suite, computer, Software, Information Systems

Abstract

Testing is a widely applied technique to evaluate software quality, and coverage criteria are often used to assess the adequacy of a generated test suite. However, manually constructing an adequate test suite is typically too expensive, and numerous techniques for automatic test-suite generation were proposed. All of them come with different strengths. To build stronger test-generation tools, different techniques should be combined. In this paper, we study cooperative combinations of verification approaches for test generation, which exchange high-level information. We present CoVeriTest, a hybrid technique for test-suite generation. CoVeriTest iteratively applies different conditional model checkers and allows users to adjust the level of cooperation and to configure individual time limits for each conditional model checker. In our experiments, we systematically study different CoVeriTest cooperation setups, which either use combinations of explicit-state model checking and predicate abstraction, or bounded model checking and symbolic execution. A comparison with state-of-the-art test-generation tools reveals that CoVeriTest achieves higher coverage for many programs (about 15%).

Published

2021

24. The application of hypergroups in symbolic executions and finite automata

Author

Dariush Heidari and Saeed Doostali

Subjects

0209 industrial biotechnology, Theoretical computer science, Finite-state machine, Computer science, 02 engineering and technology, Symbolic execution, Theoretical Computer Science, Set (abstract data type), TheoryofComputation_MATHEMATICALLOGICANDFORMALLANGUAGES, 020901 industrial engineering & automation, Control flow, Infinite loop, 0202 electrical engineering, electronic engineering, information engineering, Computer Science::Programming Languages, Control flow graph, Irreducibility, 020201 artificial intelligence & image processing, Geometry and Topology, Software system, Computer Science::Formal Languages and Automata Theory, Software

Abstract

Symbolic execution is one of the most important testing techniques to ensure the quality of software systems that need to be dependable and reliable. This technique systematically explores the program of the subject system which is represented by an Inter-procedural Control Flow Graph (ICFG). An ICFG is a graph that combines Control Flow Graphs (CFGs) of the program procedures by connecting each CFG with its call nodes. The existence of unreachable CFGs and infinite loops increases the complexity and runtime of a program, while they have no effect on testing the program. In this paper, we present an approach to convert the ICFG of a program to the corresponding finite automaton, called ICFG-automaton. Then, we construct a quasi-ordering hypergroup on the set of states of the ICFG-automaton and prove that the inner irreducibility in hypergroups is equivalent to the connectivity in CFGs. Moreover, we show that if every sub-automaton of an ICFG-automaton is a sub-hypergroup, then the program has an infinite loop. These results identify the parts of a program that should be modified to decrease the complexity of the testing activity.

Published

2021

25. Diversifying Focused Testing for Unit Testing

Author

Paolo Tonella, Federica Sarro, Héctor D. Menéndez, David H. Clark, and Gunel Jahangirova

Subjects

Unit testing, business.industry, Computer science, Random testing, 020207 software engineering, 02 engineering and technology, Symbolic execution, Fault detection and isolation, Software, Computer engineering, Search algorithm, Test set, 0202 electrical engineering, electronic engineering, information engineering, Test suite, 020201 artificial intelligence & image processing, business

Abstract

Software changes constantly, because developers add new features or modifications. This directly affects the effectiveness of the test suite associated with that software, especially when these new modifications are in a specific area that no test case covers. This article tackles the problem of generating a high-quality test suite to cover repeatedly a given point in a program, with the ultimate goal of exposing faults possibly affecting the given program point. Both search-based software testing and constraint solving offer ready, but low-quality, solutions to this: Ideally, a maximally diverse covering test set is required, whereas search and constraint solving tend to generate test sets with biased distributions. Our approach, Diversified Focused Testing (DFT), uses a search strategy inspired by GödelTest. We artificially inject parameters into the code branching conditions and use a bi-objective search algorithm to find diverse inputs by perturbing the injected parameters, while keeping the path conditions still satisfiable. Our results demonstrate that our technique, DFT, is able to cover a desired point in the code at least 90% of the time. Moreover, adding diversity improves the bug detection and the mutation killing abilities of the test suites. We show that DFT achieves better results than focused testing, symbolic execution, and random testing by achieving from 3% to 70% improvement in mutation score and up to 100% improvement in fault detection across 105 software subjects.

Published

2021

26. Software Testing or The Bugs’ Nightmare

Author

Héctor D. Menéndez

Subjects

Computer science, business.industry, Software development, 020207 software engineering, 02 engineering and technology, Fuzz testing, Symbolic execution, Search based testing, Nightmare, Software testing, 0202 electrical engineering, electronic engineering, information engineering, medicine, Automatic test generation, 020201 artificial intelligence & image processing, medicine.symptom, Software engineering, business

Abstract

Software development is not error-free. For decades, bugs –including physical ones– have become a significant development problem requiring major maintenance efforts. Even in some cases, solving bugs led to increment them. One of the main reasons for bug’s prominence is their ability to hide. Finding them is difficult and costly in terms of time and resources. However, software testing made significant progress identifying them by using different strategies that combine knowledge from every single part of the program. This paper humbly reviews some different approaches from software testing that discover bugs automatically and presents some different state-of-the-art methods and tools currently used in this area. It covers three testing strategies: search-based methods, symbolic execution, and fuzzers. It also provides some income about the application of diversity in these areas, and common and future challenges on automatic test generation that still need to be addressed.

Published

2021

27. ContractWard: Automated Vulnerability Detection Models for Ethereum Smart Contracts

Author

Chunhua Su, Hao Wang, Wei Wang, Yidong Li, Jingjing Song, and Guangquan Xu

Subjects

Dependency (UML), Smart contract, Computer Networks and Communications, Computer science, Bigram, Distributed computing, Feature extraction, Large numbers, 020206 networking & telecommunications, 02 engineering and technology, computer.file_format, 021001 nanoscience & nanotechnology, Symbolic execution, Computer Science Applications, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, Executable, Layer (object-oriented design), 0210 nano-technology, computer

Abstract

Smart contracts are decentralized applications running on Blockchain. A very large number of smart contracts has been deployed on Ethereum. Meanwhile, security flaws of contracts have led to huge pecuniary losses and destroyed the ecological stability of contract layer on Blockchain. It is thus an emerging yet crucial issue to effectively and efficiently detect vulnerabilities in contracts. Existing detection methods like Oyente and Securify are mainly based on symbolic execution or analysis. These methods are very time-consuming, as the symbolic execution requires the exploration of all executable paths or the analysis of dependency graphs in a contract. In this work, we propose ContractWard to detect vulnerabilities in smart contracts with machine learning techniques. First, we extract bigram features from simplified operation codes of smart contracts. Second, we employ five machine learning algorithms and two sampling algorithms to build the models. ContractWard is evaluated with 49502 real-world smart contracts running on Ethereum. The experimental results demonstrate the effectiveness and efficiency of ContractWard. The predictive Micro-F1 and Macro-F1 of ContractWard are over 96% and the average detection time is 4 seconds on each smart contract when we use XGBoost for training the models and SMOTETomek for balancing the training sets. © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Published

2021

28. On Characteristics of Symbolic Execution in the Problem of Assessing the Quality of Obfuscating Transformations

Author

Petr D. Borisov and Yury V. Kosolapov

Subjects

Reverse engineering, Scheme (programming language), 021110 strategic, defence & security studies, Theoretical computer science, Computer science, Feature vector, Program comprehension, 0211 other engineering and technologies, Process (computing), 020207 software engineering, Information technology, 02 engineering and technology, T58.5-58.64, Symbolic execution, computer.software_genre, obfuscation, Obfuscation (software), program comprehension, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), program similarity, computer, symbolic execution, computer.programming_language

Abstract

Obfuscation is used to protect programs from analysis and reverse engineering. There are theoretically effective and resistant obfuscation methods, but most of them are not implemented in practice yet. The main reasons are large overhead for the execution of obfuscated code and the limitation of application only to a specific class of programs. On the other hand, a large number of obfuscation methods have been developed that are applied in practice. The existing approaches to the assessment of such obfuscation methods are based mainly on the static characteristics of programs. Therefore, the comprehensive (taking into account the dynamic characteristics of programs) justification of their effectiveness and resistance is a relevant task. It seems that such a justification can be made using machine learning methods, based on feature vectors that describe both static and dynamic characteristics of programs. In this paper, it is proposed to build such a vector on the basis of characteristics of two compared programs: the original and obfuscated, original and deobfuscated, obfuscated and deobfuscated. In order to obtain the dynamic characteristics of the program, a scheme based on a symbolic execution is constructed and presented in this paper. The choice of the symbolic execution is justified by the fact that such characteristics can describe the difficulty of comprehension of the program in dynamic analysis. The paper proposes two implementations of the scheme: extended and simplified. The extended scheme is closer to the process of analyzing a program by an analyst, since it includes the steps of disassembly and translation into intermediate code, while in the simplified scheme these steps are excluded. In order to identify the characteristics of symbolic execution that are suitable for assessing the effectiveness and resistance of obfuscation based on machine learning methods, experiments with the developed schemes were carried out. Based on the obtained results, a set of suitable characteristics is determined.

Published

2021

29. Automatic Vulnerability Detection in Embedded Devices and Firmware

Author

Abdullah Qasem, Paria Shirani, Lingyu Wang, Mourad Debbabi, Basile L. Agba, and Bernard Lebel

Subjects

General Computer Science, Computer science, business.industry, Firmware, 020207 software engineering, Vulnerability detection, 02 engineering and technology, Reuse, Static analysis, Symbolic execution, computer.software_genre, Field (computer science), Theoretical Computer Science, Software, 020204 information systems, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, business, Internet of Things, computer

Abstract

In the era of the internet of things (IoT), software-enabled inter-connected devices are of paramount importance. The embedded systems are very frequently used in both security and privacy-sensitive applications. However, the underlying software (a.k.a. firmware) very often suffers from a wide range of security vulnerabilities, mainly due to their outdated systems or reusing existing vulnerable libraries; which is evident by the surprising rise in the number of attacks against embedded systems. Therefore, to protect those embedded systems, detecting the presence of vulnerabilities in the large pool of embedded devices and their firmware plays a vital role. To this end, there exist several approaches to identify and trigger potential vulnerabilities within deployed embedded systems firmware. In this survey, we provide a comprehensive review of the state-of-the-art proposals, which detect vulnerabilities in embedded systems and firmware images by employing various analysis techniques, including static analysis, dynamic analysis, symbolic execution, and hybrid approaches. Furthermore, we perform both quantitative and qualitative comparisons among the surveyed approaches. Moreover, we devise taxonomies based on the applications of those approaches, the features used in the literature, and the type of the analysis. Finally, we identify the unresolved challenges and discuss possible future directions in this field of research.

Published

2021

30. Specification-Driven Conformance Checking for Virtual/Silicon Devices Using Mutation Testing

Author

Li Lei, Mingsong Chen, Haifeng Gu, Tongquan Wei, Zhang Jianning, and Fei Xie

Subjects

business.industry, Computer science, 02 engineering and technology, Application software, computer.software_genre, Symbolic execution, Conformance checking, 020202 computer hardware & architecture, Theoretical Computer Science, Software, Computational Theory and Mathematics, Hardware and Architecture, Virtual machine, Formal specification, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, Mutation testing, Software system, business, Conformance testing, computer, Implementation

Abstract

Modern software systems, either system or application software, are increasingly being developed on top of virtualized software platforms. They may simply intend to execute on virtual machines or they may be expected to port to physical machines eventually. In either case, the devices, virtual or silicon, in the target virtual or physical machines are expected to conform to the specifications based on which the software systems have been developed. Non-conformance of these devices to the specifications can cause catastrophic failures of the software systems. In this article, we propose a mutation-based framework for effective and efficient conformance checking between virtual/silicon device implementations and their specifications. Based on our defined mutation operators, device specifications can be automatically instrumented with weak mutant-killing constraints to model potential erroneous device behaviors. To kill all feasible mutants, our approach adopts a cooperative symbolic execution mechanism that can efficiently automate the test case generation and conformance checking for virtual/silicon devices. By symbolically executing the instrumented specifications with virtual/silicon device traces obtained from the cooperative execution, our method can accurately measure whether the designs have been sufficiently validated and report the inconsistencies between device specifications and implementations. Comprehensive experiments on two industrial network adapters and their virtual devices demonstrate the effectiveness of our proposed approach in conformance checking for both virtual and silicon devices.

Published

2021

31. Bounded Search Strategies of Concolic Testing for Effective and Efficient Structural Coverage Achievement

Author

Shin Hong and Hansol Choe

Subjects

Theoretical computer science, Computer science, Bounded function, Concolic testing, Symbolic execution

Published

2021

32. Beyond Tests

Author

Gregory J. Duck, Bo Wang, Abhik Roychoudhury, Yingfei Xiong, Ruyi Ji, and Xiang Gao

Subjects

Correctness, Exploit, Computer science, business.industry, 020207 software engineering, Crash, 02 engineering and technology, Overfitting, Machine learning, computer.software_genre, Symbolic execution, Constraint (information theory), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Test suite, Benchmark (computing), Artificial intelligence, business, computer, Software

Abstract

Automated program repair is an emerging technology that seeks to automatically rectify program errors and vulnerabilities. Repair techniques are driven by a correctness criterion that is often in the form of a test suite. Such test-based repair may produce overfitting patches, where the patches produced fail on tests outside the test suite driving the repair. In this work, we present a repair method that fixes program vulnerabilities without the need for a voluminous test suite. Given a vulnerability as evidenced by an exploit, the technique extracts a constraint representing the vulnerability with the help of sanitizers. The extracted constraint serves as a proof obligation that our synthesized patch should satisfy. The proof obligation is met by propagating the extracted constraint to locations that are deemed to be “suitable” fix locations. An implementation of our approach (E xtract F ix ) on top of the KLEE symbolic execution engine shows its efficacy in fixing a wide range of vulnerabilities taken from the ManyBugs benchmark, real-world CVEs and Google’s OSS-Fuzz framework. We believe that our work presents a way forward for the overfitting problem in program repair by generalizing observable hazards/vulnerabilities (as constraint) from a single failing test or exploit.

Published

2021

33. Directed Test Generation for Activation of Security Assertions in RTL Models

Author

Hasini Witharana, Prabhat Mishra, and Yangdi Lyu

Subjects

Model checking, business.industry, Computer science, Assertion, 020206 networking & telecommunications, 02 engineering and technology, Symbolic execution, Computer Graphics and Computer-Aided Design, 020202 computer hardware & architecture, Computer Science Applications, Test (assessment), Software, Runtime error detection, Scalability, 0202 electrical engineering, electronic engineering, information engineering, State space, Electrical and Electronic Engineering, Software engineering, business

Abstract

Assertions are widely used for functional validation as well as coverage analysis for both software and hardware designs. Assertions enable runtime error detection as well as faster localization of errors. While there is a vast literature on both software and hardware assertions for monitoring functional scenarios, there is limited effort in utilizing assertions to monitor System-on-Chip (SoC) security vulnerabilities. We have identified common SoC security vulnerabilities and defined several classes of assertions to enable runtime checking of security vulnerabilities. A major challenge in assertion-based validation is how to activate the security assertions to ensure that they are valid. While existing test generation using model checking is promising, it cannot generate directed tests for large designs due to state space explosion. We propose an automated and scalable mechanism to generate directed tests using a combination of symbolic execution and concrete simulation of RTL models. Experimental results on diverse benchmarks demonstrate that the directed tests are able to activate security assertions non-vacuously.

Published

2021

34. Searching for tainted vulnerabilities in static analysis tool Svace

Subjects

Theoretical computer science, Source code, Computer science, media_common.quotation_subject, Static analysis, Symbolic execution, Call graph, computer.software_genre, Taint checking, Satisfiability modulo theories, False positive paradox, General Earth and Planetary Sciences, Compiler, computer, General Environmental Science, media_common

Abstract

The paper is dedicated to search for taint-based errors in the source code of programs, i.e. errors caused by unsafe use of data obtained from external sources, which could potentially be modified by an attacker. The interprocedural static analyzer Svace was used as a basis. The analyzer searches both for defects in the program and searches for suspicious places where the logic of the program may be violated. The goal is to find as many errors as possible at an acceptable speed and a low level of false positives (< 20-35%). To find errors, Svace with help of modified compiler builds a low-level typed intermediate representation, which is used as an input to the main SvEng analyzer. The analyzer builds a call graph and then performs summary-based analysis. In this analysis, the functions are traversed according to the call graph starting from the leaves. After analyzing the function, its summary is created, which will then be used to analyze the call instructions. The analysis has both high speed and good scalability. Intra-procedural analysis is based on symbolic execution with the union of states at merge points of paths. An SMT solver can be used to filter out infeasible paths for some checkers. In this case, the SMT-solver is called only if there is a suspicion of an error. The analyzer has been expanded to find defects of tainted data using. The checkers are implemented as plugins by using the source-sink scheme. The sources are calls of library functions that receive data from outside the program, as well as the arguments of the main function. Sinks are accessing to arrays, using variables as a step or loop boundary, calling functions that require checked arguments. Checkers covering most of the possible types of vulnerabilities for tainted integers and strings have been implemented. The Juliet project was used to assess the coverage. The false negative rate ranged from 46,31% to 81.17% with a small number of false positives.

Published

2021

35. Deadlock-Guided Testing

Author

Miguel Gomez-Zamalloa and Miguel Isabel

Subjects

General Computer Science, Computer science, Distributed computing, test case generation, 02 engineering and technology, Deadlock analysis, deadlock detection, Software_PROGRAMMINGTECHNIQUES, Symbolic execution, 0202 electrical engineering, electronic engineering, information engineering, Concurrent computing, General Materials Science, Limit (mathematics), Deadlock prevention algorithms, General Engineering, 020207 software engineering, Static analysis, Deadlock, testing, Asynchronous communication, Task analysis, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, verification, lcsh:TK1-9971, symbolic execution

Abstract

Static deadlock analyses might be able to verify the absence of deadlock. However, they are usually not able to detect its presence. Moreover, when a potential deadlock is detected, they provide little (and often no) information that can help the user in finding the source of the anomalous behaviour. This paper proposes a testing methodology that combines static analysis and symbolic execution for effective deadlock detection in asynchronous programs. When the program features a deadlock, our testing methodology provides an effective technique to catch deadlock traces. While if the program does not have deadlock, but the static deadlock analysis inaccurately spotted it, our approach is able to prove deadlock freedom (up to the limit of the performed symbolic exploration).

Published

2021

36. Deep Learning-Based Hybrid Fuzz Testing

Author

Yu Wang, Lingyun Situ, Linzhang Wang, and Fengjuan Gao

Subjects

Computer science, business.industry, Software testing, Deep learning, Hybrid testing, Artificial intelligence, Fuzz testing, Symbolic execution, business, Software engineering

Published

2021

37. Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection

Author

Fayozbek Rustamov, Juhwan Kim, Jihyeon Yu, and Joobeom Yun

Subjects

concolic execution, General Computer Science, business.industry, Computer science, vulnerability, General Engineering, software testing, Fuzz testing, Information security, Symbolic execution, TK1-9971, Software, Hybrid fuzzing, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Component (UML), Key (cryptography), survey, General Materials Science, The Internet, Electrical engineering. Electronics. Nuclear engineering, Heuristics, Software engineering, business, symbolic execution

Abstract

Recently, software testing has become a significant component of information security. The most reliable technique for automated software testing is a fuzzing tool that feeds programs with random test-input and detects software vulnerabilities that are critical to security. Similarly, symbolic execution has gained the most attention as an efficient testing tool for producing smart test-inputs and discovering hard-to-reach bugs using search-based heuristics and compositional approaches. The combination of fuzzing and symbolic execution makes software testing more efficient by mitigating the limitations in each other. Although several studies have been conducted on hybrid fuzzing in recent years, a comprehensive and consistent review of hybrid fuzzing techniques has not been explored. To add coherence to the extensive literature on hybrid fuzzing and to make it reach a large audience, this study provides an overview of key concepts along with the taxonomy of existing hybrid fuzzing tools, problems, and solutions that have been developed in this sphere. It also includes evaluations of the proposed approaches and a number of suggestions for the development of hybrid fuzzing in the future.

Published

2021

38. Gaining trust by tracing security protocols

Author

Hans Svensson, Lars-Åke Fredlund, Clara Benac Earle, and Thomas Arts

Subjects

Handshake, business.industry, Programming language, Computer science, Logic, Interoperability, 020207 software engineering, Erlang (programming language), Cryptography, 02 engineering and technology, Tracing, Cryptographic protocol, Symbolic execution, computer.software_genre, Theoretical Computer Science, Computational Theory and Mathematics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Rewriting, business, computer, Software, computer.programming_language

Abstract

In this article we test an Erlang implementation of the Noise Protocol Framework, using a novel form of white-box testing. We extend interoperability testing of an Erlang enoise implementation against an implementation of Noise in C. Testing typically performs a noise protocol handshake between the two implementations. If successful, then both implementations are somehow compatible. But this does, for example, not detect whether we reuse keys that have to be newly generated. Therefore we extend such operability testing: During the handshake the Erlang noise implementation is traced. The resulting protocol trace is refactored, obtaining as the end result a symbolic description (a functional term) of how key protocol values are constructed using cryptographic operations and keys. Therafter, this symbolic term is compared, using term rewriting, with a symbolic term representing the ideal symbolic execution of the tested noise protocol handshake (i.e., the "semantics" of the handshake). The semantic symbolic term is obtained by executing a symbolic implementation of the noise protocol that we have developed.

Published

2023

39. Automated Patch Transplantation

Author

Shin Hwei Tan, Abhik Roychoudhury, Mingyuan Gao, and Ridwan Shariffdeen

Subjects

Computer science, business.industry, Vulnerability, 020207 software engineering, 02 engineering and technology, Symbolic execution, Transplantation, Workflow, Software, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Dynamic program analysis, Differential testing, Software engineering, business, Implementation

Abstract

Automated program repair is an emerging area that attempts to patch software errors and vulnerabilities. In this article, we formulate and study a problem related to automated repair, namely automated patch transplantation. A patch for an error in a donor program is automatically adapted and inserted into a “similar” target program. We observe that despite standard procedures for vulnerability disclosures and publishing of patches, many un-patched occurrences remain in the wild. One of the main reasons is the fact that various implementations of the same functionality may exist and, hence, published patches need to be modified and adapted. In this article, we therefore propose and implement a workflow for transplanting patches. Our approach centers on identifying patch insertion points, as well as namespaces translation across programs via symbolic execution. Experimental results to eliminate five classes of errors highlight our ability to fix recurring vulnerabilities across various programs through transplantation. We report that in 20 of 24 fixing tasks involving eight application subjects mostly involving file processing programs, we successfully transplanted the patch and validated the transplantation through differential testing. Since the publication of patches make an un-patched implementation more vulnerable, our proposed techniques should serve a long-standing need in practice.

Published

2020

40. A DSL for Resource Checking Using Finite State Automaton-Driven Symbolic Execution

Author

Endre Fülöp and Norbert Pataki

Subjects

Domain-specific language, Finite-state machine, General Computer Science, Programming language, Computer science, 020207 software engineering, QA75.5-76.95, 02 engineering and technology, Static analysis, computer.software_genre, Symbolic execution, Digital subscriber line, Resource (project management), static analysis, domain-specific language, Electronic computers. Computer science, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, clang, finite state automata, computer

Abstract

Static analysis is an essential way to find code smells and bugs. It checks the source code without execution and no test cases are required, therefore its cost is lower than testing. Moreover, static analysis can help in software engineering comprehensively, since static analysis can be used for the validation of code conventions, for measuring software complexity and for executing code refactorings as well. Symbolic execution is a static analysis method where the variables (e.g. input data) are interpreted with symbolic values. Clang Static Analyzer is a powerful symbolic execution engine based on the Clang compiler infrastructure that can be used with C, C++ and Objective-C. Validation of resources’ usage (e.g. files, memory) requires finite state automata (FSA) for modeling the state of resource (e.g. locked or acquired resource). In this paper, we argue for an approach in which automata are in-use during symbolic execution. The generic automaton can be customized for different resources. We present our domain-specific language to define automata in terms of syntactic and semantic rules. We have developed a tool for this approach which parses the automaton and generates Clang Static Analyzer checker that can be used in the symbolic execution engine. We show an example automaton in our domain-specific language and the usage of generated checker.

Published

2020

41. Abstract Contract Synthesis and Verification in the Symbolic 𝕂 Framework

Author

Daniel Pardo, María Alpuente, and Alicia Villanueva

Subjects

Ejecución simbólica, Symbolic execution, Computer science, Deductive verification, Contrato, Contract inference, Inference, Execució simbòlica, computer.software_genre, Theoretical Computer Science, Contracte, Deductive, Abstract subsumption, Subsumpció, Abstract, Deductiva, Inferencia, Algebra and Number Theory, Subsunción, Programming language, Verification, Verificación, Abstracta, Subsumption, Inferència, Work (electrical), Computational Theory and Mathematics, The Symbolic, Contract, Verificació, computer, LENGUAJES Y SISTEMAS INFORMATICOS, Information Systems

Abstract

[EN] In this article, we propose a symbolic technique that can be used for automatically inferring software contracts from programs that are written in a non-trivial fragment of C, called KernelC, that supports pointer-based structures and heap manipulation. Starting from the semantic definition of KernelC in the K semantic framework, we enrich the symbolic execution facilities recently provided by K with novel capabilities for contract synthesis that are based on abstract subsumption. Roughly speaking, we define an abstract symbolic technique that axiomatically explains the execution of any (modifier) C function by using other (observer) routines in the same program. We implemented our technique in the automated tool KindSpec 2.1, which generates logical axioms that express pre- and postcondition assertions which define the precise input/output behavior of the C routines. Thanks to the integrated support for symbolic execution and deductive verification provided by K, some synthesized axioms that cannot be guaranteed to be correct by construction due to abstraction can finally be verified in our framework with little effort., This work has been partially supported by the EU (FEDER) and Spanish MINECO under grant TIN2015-69175-C4-1-R, and and TIN2013-45732-C4-1-P, and by Generalitat Valenciana PROMETEOII/2015/013. Daniel Pardo was supported by FPU-ME grant FPU14/01830.

Published

2020

42. Tainting-Assisted and Context-Migrated Symbolic Execution of Android Framework for Vulnerability Discovery and Exploit Generation

Author

Qiang Zeng, Min Yang, Limin Liu, Lannan Luo, Jian Liu, Peng Liu, Neng Gao, Kai Chen, Xinyu Xing, and Chen Cao

Subjects

Exploit, Computer Networks and Communications, Computer science, business.industry, Mobile computing, Vulnerability, 020206 networking & telecommunications, 02 engineering and technology, Symbolic execution, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Global Positioning System, Electrical and Electronic Engineering, Android (operating system), business, computer, Software, Vulnerability discovery

Abstract

Android Application Framework is an integral and foundational part of the Android system. Each of the two billion (as of 2017) Android devices relies on the system services of Android Framework to manage applications and system resources. Given its critical role, a vulnerability in the framework can be exploited to launch large-scale cyber attacks and cause severe harms to user security and privacy. Recently, many vulnerabilities in Android Framework were exposed, showing that it is indeed vulnerable and exploitable. While there is a large body of studies on Android application analysis, research on Android Framework analysis is very limited. In particular, to our knowledge, there is no prior work that investigates how to enable symbolic execution of the framework, an approach that has proven to be very powerful for vulnerability discovery and exploit generation. We design and build the first system, Centaur , that enables symbolic execution of Android Framework. Due to the middleware nature and technical peculiarities of the framework that impinge on the analysis, many unique challenges arise and are addressed in Centaur . The system has been applied to discovering new vulnerability instances, which can be exploited by recently uncovered attacks against the framework, and to generating PoC exploits.

Published

2020

43. On the Automatic Analysis of the Practical Resistance of Obfuscating Transformations

Author

Yury V. Kosolapov and Petr Dmitrievich Borisov

Subjects

021110 strategic, defence & security studies, Theoretical computer science, Degree (graph theory), Computer science, 0211 other engineering and technologies, 02 engineering and technology, Symbolic execution, Control flow, Similarity (network science), Control and Systems Engineering, Signal Processing, 0202 electrical engineering, electronic engineering, information engineering, Control flow graph, 020201 artificial intelligence & image processing, Adjacency matrix, Hamming code, Software, Block (data storage)

Abstract

A method is developed for assessing the practical persistence of obfuscating transformations of programs. The method is based on the calculation of the similarity index for the original, obfuscated, and deobfuscated programs. Candidates are proposed for the similarity indices, which are based on such program characteristics as the control flow graph, symbolic execution time, and degree of coverage for symbolic execution. The control flow graph is considered the basis for building other candidates for program similarity indicators. On its basis, a new candidate is proposed for the similarity index, which, when calculated, finds the Hamming distances between the adjacency matrices of the control flow graphs of the compared programs. A scheme for estimating (analyzing) the persistence of obfuscating transformations is constructed. According to this scheme, the characteristics of the original, obfuscated, and deobfuscated programs are calculated and compared in accordance with the chosen comparison model. In particular, the developed scheme is suitable for comparing programs based on similarity indices. This paper develops and implements one of the key units of the constructed scheme, which is a block for obtaining the program characteristics compiled for the x86/x86_64 architecture. The developed unit allows finding the control flow graph, the time for symbolic execution, and the degree of coverage for symbolic execution. Selected results of operation of the constructed block are provided.

Published

2020

44. A Formal Model for Detecting Bugs by Symbolic Execution of Programs

Author

A. Yu. Gerasimov, Alexander Novikov, and Daniil O. Kuts

Subjects

Programming language, Computer science, Process (computing), 020207 software engineering, 0102 computer and information sciences, 02 engineering and technology, Static analysis, Symbolic execution, computer.software_genre, 01 natural sciences, Field (computer science), Domain (software engineering), Set (abstract data type), Program analysis, 010201 computation theory & mathematics, Software security assurance, 0202 electrical engineering, electronic engineering, information engineering, computer, Software

Abstract

Automatic detection of bugs in programs is an extremely important direction of current research and development in the field of program reliability and security assurance. Earlier studies covered, methods for program analysis that combine the dynamic symbolic execution, randomized testing, and static analysis. In this paper, a formal model for detecting bugs using the symbolic execution of programs and its implementation for detecting the buffer bounds violation is presented. A formal model of the program symbolic execution is described, and a theorem on detecting a bug on the basis of the violation of the operation domain is formulated and proved. An implementation of the buffer bounds violation analyzer in the process of symbolic program execution is described, and the application of the implemented prototype for analyzing a set of programs in Debian Linux is presented. The experiments confirm the actionability of the proposed method.

Published

2020

45. Formulog: Datalog for SMT-based static analysis

Author

Stephen Chong, Aaron Bembenek, and Michael Greenberg

Subjects

Model checking, Functional programming, Computer science, Programming language, Static analysis, Symbolic execution, computer.software_genre, Datalog, Formal specification, Satisfiability modulo theories, Safety, Risk, Reliability and Quality, computer, Software, Logic programming, computer.programming_language

Abstract

Satisfiability modulo theories (SMT) solving has become a critical part of many static analyses, including symbolic execution, refinement type checking, and model checking. We propose Formulog, a domain-specific language that makes it possible to write a range of SMT-based static analyses in a way that is both close to their formal specifications and amenable to high-level optimizations and efficient evaluation. Formulog extends the logic programming language Datalog with a first-order functional language and mechanisms for representing and reasoning about SMT formulas; a novel type system supports the construction of expressive formulas, while ensuring that neither normal evaluation nor SMT solving goes wrong. Our case studies demonstrate that a range of SMT-based analyses can naturally and concisely be encoded in Formulog, and that — thanks to this encoding — high-level Datalog-style optimizations can be automatically and advantageously applied to these analyses.

Published

2020

46. Exposing cache timing side-channel leaks through out-of-order symbolic execution

Author

Yueqi Chen, Shengjian Guo, Yueqiang Cheng, Peng Li, Zhiqiang Zuo, Huibo Wang, Jiyong Yu, and Meng Wu

Subjects

Out-of-order execution, Program analysis, Computer science, Pipeline (computing), Speculative execution, Optimizing compiler, Program transformation, Cache, Parallel computing, Safety, Risk, Reliability and Quality, Symbolic execution, Software

Abstract

As one of the fundamental optimizations in modern processors, the out-of-order execution boosts the pipeline throughput by executing independent instructions in parallel rather than in their program orders. However, due to the side effects introduced by such microarchitectural optimization to the CPU cache, secret-critical applications may suffer from timing side-channel leaks. This paper presents a symbolic execution-based technique, named SymO 3 , for exposing cache timing leaks under the context of out-of-order execution. SymO 3 proposes new components that address the modeling, reduction, and reasoning challenges of accommodating program analysis to the software code out-of-order analysis. We implemented SymO 3 upon KLEE and conducted three evaluations on it. Experimental results show that SymO 3 successfully uncovers a set of cache timing leaks in five real-world programs. Also, SymO 3 finds that, in general, program transformation from compiler optimizations shrink the surface to timing leaks. Furthermore, augmented with a speculative execution modeling, SymO 3 identifies five more leaky programs based on the compound analysis.

Published

2020

47. Benchmarking the Capability of Symbolic Execution Tools with Logic Bombs

Author

Hui Xu, Yangfan Zhou, Zirui Zhao, and Michael R. Lyu

Subjects

021110 strategic, defence & security studies, Computer science, Process (engineering), Logic bomb, Semantics (computer science), business.industry, 0211 other engineering and technologies, 02 engineering and technology, Benchmarking, Symbolic execution, Program analysis, Benchmark (computing), The Symbolic, Electrical and Electronic Engineering, Software engineering, business

Abstract

Symbolic execution has become an indispensable technique for software testing and program analysis. However, since several symbolic execution tools are presently available off-the-shelf, there is a need for a practical benchmarking approach. This paper introduces a fresh approach that can help benchmark symbolic execution tools in a fine-grained and efficient manner. The approach evaluates the performance of such tools against known challenges faced by general symbolic execution techniques, e.g., floating-point numbers and symbolic memories. We first survey related papers and systematize the challenges of symbolic execution. We extract 12 distinct challenges from the literature and categorize them into two categories: symbolic-reasoning challenges and path-explosion challenges . Next, we develop a dataset of logic bombs and a framework for benchmarking symbolic execution tools automatically. For each challenge, our dataset contains several logic bombs, each addressing a specific challenging problem. Triggering one or more logic bombs confirms that the symbolic execution tool in question is able to handle the corresponding problem. Real-world experiments with three popular symbolic execution tools, namely, KLEE, angr, and Triton have shown that our approach can reveal the capabilities and limitations of the tools in handling specific issues accurately and efficiently. The benchmarking process generally takes only a few dozens of minutes to evaluate a tool. We have released our dataset on GitHub as open source, with an aim to better facilitate the community to conduct future work on benchmarking symbolic execution tools.

Published

2020

48. Improved Loop Execution Modeling in the Clang Static Analyzer

Author

Peter Szecsi, Zoltán Porkoláb, and Gábor Horváth

Subjects

0209 industrial biotechnology, Loop (graph theory), Information Systems and Management, Source code, Computer science, media_common.quotation_subject, 0102 computer and information sciences, 02 engineering and technology, Parallel computing, Management Science and Operations Research, Static analysis, Symbolic execution, 01 natural sciences, Theoretical Computer Science, 020901 industrial engineering & automation, Constant (computer programming), 010201 computation theory & mathematics, Computer Science (miscellaneous), Code (cryptography), Computer Vision and Pattern Recognition, Loop modeling, Electrical and Electronic Engineering, Heuristics, Software, media_common

Abstract

The LLVM Clang Static Analyzer is a source code analysis tool which aims to find bugs in C, C++, and Objective-C programs using symbolic execution, i.e. it simulates the possible execution paths of the code. Currently the simulation of the loops is somewhat naive (but efficient), unrolling the loops a predefined constant number of times. However, this approach can result in a loss of coverage in various cases. This study aims to introduce two alternative approaches which can extend the current method and can be applied simultaneously: (1) determining loops worth to fully unroll with applied heuristics, and (2) using a widening mechanism to simulate an arbitrary number of iteration steps. These methods were evaluated on numerous open source projects, and proved to increase coverage in most of the cases. This work also laid the infrastructure for future loop modeling improvements.

Published

2020

49. Report on the Differential Testing of Static Analyzers

Author

Gábor Horváth, Reka Nikolett Kovacs, and Peter Szecsi

Subjects

Information Systems and Management, Source code, Computer science, business.industry, Heuristic, media_common.quotation_subject, 020207 software engineering, 02 engineering and technology, Fuzz testing, Management Science and Operations Research, Static analysis, Symbolic execution, Theoretical Computer Science, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Computer Science (miscellaneous), Test suite, Computer Vision and Pattern Recognition, Software system, Electrical and Electronic Engineering, Software engineering, business, Software, Language construct, media_common

Abstract

Program faults, best known as bugs, are practically unavoidable in today's ever growing software systems. One increasingly popular way of eliminating them, besides tests, dynamic analysis, and fuzzing, is using static analysis based bug-finding tools. Such tools are capable of finding surprisingly sophisticated bugs automatically by inspecting the source code. Their analysis is usually both unsound and incomplete, but still very useful in practice, as they can find non-trivial problems in a reasonable time (e.g. within hours, for an industrial project) without human intervention. Because the problems that static analyzers try to solve are hard, usually intractable, they use various approximations that need to be fine-tuned in order to grant a good user experience (i.e. as many interesting bugs with as few distracting false alarms as possible). For each newly introduced heuristic, this normally happens by performing differential testing of the analyzer on a lot of widely used open source software projects that are known to use related language constructs extensively. In practice, this process is ad hoc, error-prone, poorly reproducible and its results are hard to share. We present a set of tools that aim to support the work of static analyzer developers by making differential testing easier. Our framework includes tools for automatic test suite selection, automated differential experiments, coverage information of increased granularity, statistics collection, metric calculations, and visualizations, all resulting in a convenient, shareable HTML report.

Published

2020

50. Evaluating Synthetic Bugs

Author

Tim Leek, Brendan Dolan-Gavitt, Joshua Bundt, Andrew Fasano, and William Robertson

Subjects

FOS: Computer and information sciences, Root (linguistics), Computer Science - Cryptography and Security, business.industry, Computer science, CPU time, 020207 software engineering, 02 engineering and technology, Fuzz testing, Symbolic execution, Machine learning, computer.software_genre, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Artificial intelligence, business, computer, Cryptography and Security (cs.CR)

Abstract

Fuzz testing has been used to find bugs in programs since the 1990s, but despite decades of dedicated research, there is still no consensus on which fuzzing techniques work best. One reason for this is the paucity of ground truth: bugs in real programs with known root causes and triggering inputs are difficult to collect at a meaningful scale. Bug injection technologies that add synthetic bugs into real programs seem to offer a solution, but the differences in finding these synthetic bugs versus organic bugs have not previously been explored at a large scale. Using over 80 years of CPU time, we ran eight fuzzers across 20 targets from the Rode0day bug-finding competition and the LAVA-M corpus. Experiments were standardized with respect to compute resources and metrics gathered. These experiments show differences in fuzzer performance as well as the impact of various configuration options. For instance, it is clear that integrating symbolic execution with mutational fuzzing is very effective and that using dictionaries improves performance. Other conclusions are less clear-cut; for example, no one fuzzer beat all others on all tests. It is noteworthy that no fuzzer found any organic bugs (i.e., one reported in a CVE), despite 50 such bugs being available for discovery in the fuzzing corpus. A close analysis of results revealed a possible explanation: a dramatic difference between where synthetic and organic bugs live with respect to the ''main path'' discovered by fuzzers. We find that recent updates to bug injection systems have made synthetic bugs more difficult to discover, but they are still significantly easier to find than organic bugs in our target programs. Finally, this study identifies flaws in bug injection techniques and suggests a number of axes along which synthetic bugs should be improved., Comment: 15 pages

Published

2022