Title/Summary/Keyword: Symbolic Execution

Static Analysis Based on Backward Control Flow Graph Generation Method Model for Program Analysis (프로그램 분석을 위한 정적분석 기반 역추적 제어흐름그래프 생성 방안 모델)

  • Park, Sunghyun;Kim, Yeonsu;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology / v.29 no.5 / pp.1039-1048 / 2019
  • Symbolic execution, an automatic search method for vulnerability verification, has been technically improved over the last few years. However, it is still not practical to analyze a program using symbolic execution alone. One of the biggest reasons is the path explosion problem that occurs during program analysis: there is not enough memory, and you cannot find the solution of all paths in the program using symbolic execution. Thus, it is practical for the analyst to construct a path for symbolic execution to a target with a vulnerability rather than solving all paths. In this paper, we propose a static analysis based backward CFG (Control Flow Graph) generation technique that can be used in symbolic execution for program analysis. With the creation of a backward CFG, an analyst can select potential vulnerable points, and the backward path generated from that point can be used for subsequent symbolic execution. We conducted experiments with Linux binaries (x86), and showed that potential vulnerability selection and backward CFG path generation were possible in a variety of binary situations.

Input File Based Dynamic Symbolic Execution Method for Software Safety Verification (소프트웨어 안전성 검증을 위한 입력 파일 기반 동적 기호 실행 방법)

  • Park, Sunghyun;Kang, Sangyong;Kim, Hwisung;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.4 / pp.811-820 / 2017
  • Software automation technology research recently focuses not only on generating a single path test-case, but also on finding an optimized path to reach the vulnerability through various test-cases. Although Dynamic Symbolic Execution (DSE) technology is popular among these automation technologies, most DSE research applies only to Linux binaries or to specific modules themselves. However, most software is vulnerable through its input files. Therefore, this paper proposes an input file based dynamic symbolic execution method for software vulnerability verification. As a result of applying it to three kinds of actual binary software, it was possible to create a test-case that effectively reaches the corresponding point through the proposed method. This demonstrates that DSE technology can be used to automate the analysis of actual software.

Deterministic Parallelism for Symbolic Execution Programs based on a Name-Freshness Monad Library

  • Ahn, Ki Yung
    • Journal of the Korea Society of Computer and Information / v.26 no.2 / pp.1-9 / 2021
  • In this paper, we extend a generic library framework based on the state monad to exploit deterministic parallelism in the purely functional language Haskell and provide benchmarks for the extended features on a multicore machine. Although purely functional programs are known to be well-suited to exploit parallelism, unintended sequential data dependencies can prohibit effective parallelism. Symbolic execution programs usually implement fresh name generation in order to prevent confusion between variables in different scopes with the same name. Such implementations are often based on sequential state management, working against parallelism. We provide reusable primitives to help develop parallel symbolic execution programs with unbound-generics, a generic name-binding library for Haskell, avoiding sequential dependencies in fresh name generation. Our parallel extension does not modify the internal implementation of the unbound-generics library, so it has zero possibility of degrading existing serial implementations of symbolic execution based on unbound-generics. Therefore, our extension can be applied only to the parts of the source code that need parallel speedup.

Graph based Binary Code Execution Path Exploration Platform for Dynamic Symbolic Execution (동적 기호 실행을 이용한 그래프 기반 바이너리 코드 실행 경로 탐색 플랫폼)

  • Kang, Byeongho;Im, Eul Gyu
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.3 / pp.437-444 / 2014
  • In this paper, we introduce a Graph based Binary Code Execution Path Exploration Platform. In the graph, a node is defined as a conditional branch instruction, and an edge is defined as the other instructions. We implemented a prototype of the proposed method, and it works well on real binary code. Experimental results show that the proposed method correctly explores the execution paths of the target binary code. We expect our method can help make Software Assurance, Secure Programming, and Malware Analysis more correct and efficient.

Automated Method for Detecting Use-After-Free Vulnerability of Windows System Calls Using Dynamic Symbolic Execution (동적 기호 실행을 이용한 윈도우 시스템 콜 Use-After-Free 취약점 자동 탐지 방법)

  • Kang, Sangyong;Lee, Gwonwang;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology / v.27 no.4 / pp.803-810 / 2017
  • Recently, social security problems have been caused by the development of the software industry, and a variety of automation techniques have been used to verify software stability. In this paper, we propose a method of automatically detecting a use-after-free vulnerability in Windows system calls using dynamic symbolic execution, one of the software testing methods. First, a static analysis based pattern search is performed to select a target point. Based on the detected pattern points, we apply an induced path search technique that blocks branching to areas outside of interest. Through this, we overcome the limitations of existing dynamic symbolic execution technology and verify whether a vulnerability exists at the actual target point. As a result of applying the proposed method to Windows system calls, it is confirmed that the use-after-free vulnerability, which previously had to be manually analyzed, can be detected by the proposed automation technique.

EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization

  • Wang, Yunchao;Wu, Zehui;Wei, Qiang;Wang, Qingxian
    • KSII Transactions on Internet and Information Systems (TIIS) / v.14 no.9 / pp.3885-3906 / 2020
  • Hybrid fuzzing, which combines fuzzing and concolic execution, has proved its ability to achieve higher code coverage and therefore find more bugs. However, current hybrid fuzzers usually suffer from inefficiency and poor scalability when applied to complex, real-world program testing. We observed that the performance bottleneck is the inefficient cooperation between the fuzzer and the concolic executor, and the slow symbolic emulation. In this paper, we propose a novel solution named EPfuzzer to improve hybrid fuzzing. EPfuzzer implements two key ideas: 1) only the hardest-to-reach branch is prioritized for concolic execution, to avoid generating uninteresting inputs; and 2) only the input bytes relevant to the target branch to be flipped are symbolized, to reduce the overhead of the symbolic emulation. With these optimizations, EPfuzzer can be efficiently targeted at the hardest-to-reach branch. We evaluated EPfuzzer with three sets of programs: five real-world applications and two popular benchmarks (LAVA-M and the Google Fuzzer Test Suite). The evaluation results showed that EPfuzzer was much more efficient and scalable than the state-of-the-art concolic execution engine (QSYM). EPfuzzer was able to find more bugs and achieve better code coverage. In addition, we discovered seven previously unknown security bugs in five real-world programs and reported them to the vendors.

Railway Software Analysis Tool using Symbolic Execution Method (심볼릭 수행 방법을 이용한 철도 소프트웨어 코드분석 도구제안)

  • Jo, Hyun-Jeong;Hwang, Jong-Gyu;Shin, Duck-Ho
    • The Transactions of the Korean Institute of Electrical Engineers P / v.65 no.4 / pp.242-249 / 2016
  • The railway system is being converted from the existing mechanical devices to computer systems, and its dependency on software is increasing rapidly. Though the size and degree of complexity of software for railway systems are growing more slowly than the development speed of hardware, it is expected that the size will gradually grow bigger and the degree of complexity will increase as well. Accordingly, the validation of the reliability and safety of embedded software for railway systems has started to become an important issue, and various software test and validation activities are highly recommended in the international standards related to railway software. In this paper, we present a software code analysis tool using symbolic execution for railway systems, and present the result of its implementation.

Code Coverage Improvement through Symbolic Execution (Symbolic Execution을 통한 Code Coverage의 향상)

  • Kim, Jin-Hyun;Park, Sun-Woo;Park, Yongsu
    • Proceedings of the Korea Information Processing Society Conference / 2017.11a / pp.648-651 / 2017
  • In a program's code, the regions that are never executed are unknown territory and carry the potential for all kinds of errors and faults. Developers must verify and test all of these regions in order to cope with unexpected fatal errors in later program execution. In this paper, we introduce two software testing techniques and propose a methodology that uses both of them to execute the unexecuted regions. In the experiments, we applied the methodology using JaCoCo and SPF, and through this we were able to automatically obtain test cases that cover the unexecuted regions.

A Study on the Application of Artificial Intelligence in Symbolic Execution: Usage in fuzzing and vulnerability detection (기호 실행에서의 인공 지능 적용에 대한 연구: 퍼징과 취약점 탐지에서의 활용)

  • Ha, Whoi Ree;Ahn, Sunwoo;Kim, Hyunjun;Paek, Yunheung
    • Proceedings of the Korea Information Processing Society Conference / 2020.05a / pp.582-584 / 2020
  • Symbolic execution is a code analysis technique that finds the input values that drive a program into a particular state. Using it, fuzzing, an automated software testing technique, can be applied far more efficiently to find more security vulnerabilities, but the limitations of symbolic execution have made it hard to apply. To address this, we introduce methods that make use of artificial intelligence.

Automated Method for Detecting OOB Vulnerability of Heap Memory Using Dynamic Symbolic Execution (동적 기호 실행을 이용한 힙 메모리 OOB 취약점 자동 탐지 방법)

  • Kang, Sangyong;Park, Sunghyun;Noh, Bongnam
    • Journal of the Korea Institute of Information Security & Cryptology / v.28 no.4 / pp.919-928 / 2018
  • Out-Of-Bounds (OOB) is one of the most powerful vulnerabilities in heap memory. An OOB vulnerability allows an attacker to gain unauthorized access to confidential information by tricking the length of an array and reading or writing memory of that length. In this paper, we propose a method to automatically detect OOB vulnerabilities in heap memory using dynamic symbolic execution and a shadow memory table. First, a shadow memory table is constructed by hooking the heap memory allocation and release functions. Then, when a memory access occurs, it is judged whether an OOB can occur by referencing the shadow memory, and a test case that causes a crash is automatically generated if there is a possibility of occurrence. Using the proposed method, if the search for a weak block succeeds, it is possible to generate a test case that induces an OOB. In addition, unlike traditional dynamic symbolic execution, exploitation of vulnerabilities is possible without setting clear target points.