• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.1039-1048
• /
• 2019

Symbolic execution, an automatic search method for vulnerability verification, has been technically improved over the last few years. However, it is still not practical to analyze the program using only the symbolic execution itself. One of the biggest reasons is that because of the path explosion problem that occurs during program analysis, there is not enough memory, and you can not find the solution of all paths in the program using symbolic execution. Thus, it is practical for the analyst to construct a path for symbolic execution to a target with vulnerability rather than solving all paths. In this paper, we propose a static analysis - based backward CFG(Control Flow Graph) generation technique that can be used in symbolic execution for program analysis. With the creation of a backward CFG, an analyst can select potential vulnerable points, and the backward path generated from that point can be used for future symbolic execution. We conducted experiments with Linux binaries(x86), and indeed showed that potential vulnerability selection and backward CFG path generation were possible in a variety of binary situations.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.811-820
• /
• 2017

Software automatic technology research recently focuses not only on generating a single path test-case, but also on finding an optimized path to reach the vulnerability through various test-cases. Although Dynamic Symbolic Execution (DSE) technology is popular among these automatic technologies, most DSE technology researches apply only to Linux binaries or specific modules themselves. However, most software are vulnerable based on input files. Therefore, this paper proposes an input file based dynamic symbolic execution method for software vulnerability verification. As a result of applying it to three kinds of actual binary software, it was possible to create a test-case effectively reaching the corresponding point through the proposed method. This demonstrates that DSE technology can be used to automate the analysis of actual software.

• Journal of the Korea Society of Computer and Information
• /
• v.26 no.2
• /
• pp.1-9
• /
• 2021

In this paper, we extend a generic library framework based on the state monad to exploit deterministic parallelism in a purely functional language Haskell and provide benchmarks for the extended features on a multicore machine. Although purely functional programs are known to be well-suited to exploit parallelism, unintended squential data dependencies could prohibit effective parallelism. Symbolic execution programs usually implement fresh name generation in order to prevent confusion between variables in different scope with the same name. Such implementations are often based on squential state management, working against parallelism. We provide reusable primitives to help developing parallel symbolic execution programs with unbound-genercis, a generic name-binding library for Haskell, avoiding sequential dependencies in fresh name generation. Our parallel extension does not modify the internal implementation of the unbound-generics library, having zero possibility of degrading existing serial implementations of symbolic execution based on unbound-genecrics. Therefore, our extension can be applied only to the parts of source code that need parallel speedup.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.3
• /
• pp.437-444
• /
• 2014

In this paper, we introduce a Graph based Binary Code Execution Path Exploration Platform. In the graph, a node is defined as a conditional branch instruction, and an edge is defined as the other instructions. We implemented prototype of the proposed method and works well on real binary code. Experimental results show proposed method correctly explores execution path of target binary code. We expect our method can help Software Assurance, Secure Programming, and Malware Analysis more correct and efficient.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.803-810
• /
• 2017

Recently, social security problems have been caused by the development of the software industry, and a variety of automation techniques have been used to verify software stability. In this paper, we propose a method of automatically detecting a use-after-free vulnerability on Windows system calls using dynamic symbolic execution, one of the software testing methods. First, a static analysis based pattern search is performed to select a target point. Based on the detected pattern points, we apply an induced path search technique that blocks branching to areas outside of interest. Through this, we overcome limitations of existing dynamic symbolic performance technology and verify whether vulnerability exists at actual target point. As a result of applying the proposed method to the Windows system call, it is confirmed that the use-after-free vulnerability, which had previously to be manually analyzed, can be detected by the proposed automation technique.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.14 no.9
• /
• pp.3885-3906
• /
• 2020

Hybrid fuzzing which combines fuzzing and concolic execution, has proved its ability to achieve higher code coverage and therefore find more bugs. However, current hybrid fuzzers usually suffer from inefficiency and poor scalability when applied to complex, real-world program testing. We observed that the performance bottleneck is the inefficient cooperation between the fuzzer and concolic executor and the slow symbolic emulation. In this paper, we propose a novel solution named EPfuzzer to improve hybrid fuzzing. EPfuzzer implements two key ideas: 1) only the hardest-to-reach branch will be prioritized for concolic execution to avoid generating uninteresting inputs; and 2) only input bytes relevant to the target branch to be flipped will be symbolized to reduce the overhead of the symbolic emulation. With these optimizations, EPfuzzer can be efficiently targeted to the hardest-to-reach branch. We evaluated EPfuzzer with three sets of programs: five real-world applications and two popular benchmarks (LAVA-M and the Google Fuzzer Test Suite). The evaluation results showed that EPfuzzer was much more efficient and scalable than the state-of-the-art concolic execution engine (QSYM). EPfuzzer was able to find more bugs and achieve better code coverage. In addition, we discovered seven previously unknown security bugs in five real-world programs and reported them to the vendors.

• The Transactions of the Korean Institute of Electrical Engineers P
• /
• v.65 no.4
• /
• pp.242-249
• /
• 2016

The railway system is being converted to the computer system from the existing mechanical device, and the dependency on software is being increased rapidly. Though the size and degree of complexity of software for railway system are slower than the development speed of hardware, it is expected that the size will be grown bigger gradually and the degree of complexity will be increased also. Accordingly, the validation of reliability and safety of embedded software for railway system was started to become influential as the important issue. Accordingly, various software test and validation activities are highly recommended in the international standards related railway software. In this paper, we presented a software coding analysis tool using symbolic execution for railway system, and presented its result of implementation.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2017.11a
• /
• pp.648-651
• /
• 2017

프로그램의 코드에 있어서 실행되지 않은 영역은 미지의 영역으로써 각종 에러와 오류의 잠재적 가능성을 지니고 있다. 개발자는 이러한 영역을 모두 검증, 테스팅 해봐야 이후 프로그램의 실행에서 예상치 못한 치명적 오류들에 대응할 수 있을 것이다. 우리는 본 논문에서 소프트웨어 테스팅의 두 가지 기법에 대하여 소개를 하고 이 두 가지를 이용하여 미실행된 영역을 실행시킬 수 있는 방법론을 제안하고자 한다. 실험에서 JaCoCo와 SPF를 사용하여 방법론을 적용하였고 이를 통하여 미실행 영역이 커버되는 테스트 케이스를 자동으로 얻어 낼 수 있었다.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2020.05a
• /
• pp.582-584
• /
• 2020

기호 실행 (symbolic execution)은 프로그램을 특정 상태로 구동하는 입력 값을 찾는 코드 분석기법이다. 이를 사용하면 자동화 소프트웨어 테스트 기법인 퍼징 (fuzzing)을 훨씬 효율적으로 사용하여 더 많은 보안 취약점을 찾을 수 있지만, 기호 실행의 한계점으로 인하여 쉽게 적용할 수 없었다. 이를 해결하기 위해 인공 지능을 활용한 방법을 소개하겠다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.4
• /
• pp.919-928
• /
• 2018

Out-Of-Bounds (OOB) is one of the most powerful vulnerabilities in heap memory. The OOB vulnerability allows an attacker to exploit unauthorized access to confidential information by tricking the length of the array and reading or writing memory of that length. In this paper, we propose a method to automatically detect OOB vulnerabilities in heap memory using dynamic symbol execution and shadow memory table. First, a shadow memory table is constructed by hooking heap memory allocation and release function. Then, when a memory access occurs, it is judged whether OOB can occur by referencing the shadow memory, and a test case for causing a crash is automatically generated if there is a possibility of occurrence. Using the proposed method, if a weak block search is successful, it is possible to generate a test case that induces an OOB. In addition, unlike traditional dynamic symbol execution, exploitation of vulnerabilities is possible without setting clear target points.