2015 IEEE 39th Annual International Computers, Software & Applications Conference
CRAXfuzz: Target-Aware Symbolic Fuzz Testing
Shih-Kun Huang, Hsiang-Chung …, Chao-Chun …

… Defective programs may contain security vulnerabilities such as buffer overflows, integer overflows, uncontrolled format strings and command injections. An attacker can exploit these vulnerabilities by feeding properly designated input files and take control of the victim's systems. Security patches are issued for applications on Windows or Linux, or for the operating system itself, to solve these problems […]. In order to reduce software bugs, testing techniques are …

… and S2E […] are two large-scale symbolic testing platforms. BitBlaze uses TEMU […], while S2E chooses KLEE […] as the symbolic execution engine. We build our framework on S2E.

    1 input (int x)
    2 while( x > 0 )
    3 { ... }

(Figure: loop path explosion example)

… example of loop path explosion. If the input variable x is symbolic, the symbolic executor will try to emulate all possibilities that satisfy "x > 0" and run the corresponding paths. Most of these operations are redundant. Concolic testing […] can speed up symbolic execution by giving the program an initial input so that execution can follow that input deeper into the code; CUTE […] is an instance of concolic execution. Alternatively, improving the path selection algorithm is another possible way. Malburg and Fraser […] proposed shortest-distance and call-chain-backward as two heuristics for path-finding, while STrigger […] used a weighted search algorithm based on the control flow graph (CFG). Another approach is to control the symbolic path space by selecting input bytes. Spat…

…
• We introduce a technique to hook target functions in standard libraries such as malloc, strcpy and printf. We define and generalize these sensitive points, test whether there are potential vulnerabilities, and then generate a proof-of-concept exploit by further solving constraints.
• We introduce a method to identify hot bytes of files and obtain their relations to headers, and techniques to speed up symbolic execution by dropping unnecessary path constraints or using adaptive symbolic inputs.
• We evaluate the effectiveness of our method by applying it to existing CVE-listed vulnerable software. We also provide case studies to show the benefit of our work.

¹ Common Vulnerabilities and Exposures: http://cve.mitre.org/
0730-3157/15 $31.00 © 2015 IEEE   DOI 10.1109/COMPSAC.2015.99
    x = read()
    x = 2 * x
    if ( x > 6 )
        return 3 * x
    else
        return 0

Figure: Symbolic Execution Testing Program

Consider the program shown in the figure above, which reads a value and returns six times x if the input x is greater than 3, and returns 0 otherwise. When a symbolic executor runs this program, it does not have a concrete value for the input, i.e. the result read in the first statement. Instead, the executor assigns a symbol s in place of the concrete value. The statement "x = read()" then assigns s to the program variable x. In the next statement, "x = 2 * x" assigns 2 * s to x. The following if statement has two outcomes, the true branch and the false branch, which depend on our input value s. The executor associates the constraint "2 * s > 6" with the true branch, and the program returns 3 * x if and only if "2 * s > 6" is true. It associates the negated constraint "NOT (2 * s > 6)" with the false branch as a new path, which returns 0 from the program. Note that the returned value "3 * x" was substituted by the symbolic value "3 * 2 * s", which is known as the return argument expression, and that "2 * s > 6" and "NOT (2 * s > 6)" are two different path constraints. Assume we specify that "return 3 * x" is to be executed; we can use a constraint solver to determine a value that makes "2 * s > 6" true. If we further instruct the program to return 24, we should also restrict the expression "3 * 2 * s" to be 24, for which a constraint "3 * 2 * s == 24" should be added. Combining the two constraints, we get "2 * s > 6" and "3 * 2 * s == 24". Solving these constraints gives a value of the input x that forces this program to return the result we expect.
B. Symbolic Execution Optimization

We use several techniques to optimize our symbolic execution.

1) Adaptive-Input Symbolic Execution
Program inputs that are made symbolic are often very large. For example, a ".doc" document is an input file for Microsoft Word, and such documents may be millions of bytes in size. …

2) Concolic Execution
The main idea of concolic execution is running the program under test symbolically with a concrete input, so that execution can follow this input deeper into the code. In some cases we do not want to be blocked by integrity-checking functions and exit too early. A well-formed input, which usually produces good code coverage, helps us stay in the deeper portion of the code by extending this program trace. The efficiency of this technique has been proved by tools such as KLEE […].

3) Null-Constraint Single-Path Concolic Execution
…

… x86 or ARM CPU. S2E explores paths by running the target system image and selectively executing small parts of it symbolically. Depending on which segment of code we are interested in, the corresponding guest machine instructions are dynamically translated within the virtual machine into an intermediate representation suitable for symbolic execution, while the rest are translated to the host instruction set as in normal binary translation. Because all of the symbolic and concrete execution is done outside the guest machine, full-system testing of the guest (OS, libraries, applications, etc.) can be applied.

S2E uses QEMU's dynamic binary translator (DBT) to translate the instructions that depend on symbolic data to LLVM and dispatches them to KLEE. In this way users can test any binary code that runs in the guest OS without any source. We use S2E as our symbolic execution engine.

D. Vulnerable Situations
The Top 25 Most Dangerous Software Errors […] lists the most widespread and critical errors that can lead to serious vulnerabilities in software. We pick four cases that are often seen in C programs as our fuzzing target situations.

1) Buffer Overflow
Buffer overflow is an important and persistent security problem and accounts for approximately half of all security vulnerabilities in recent years […]. The problem occurs when more data is written to a buffer than it can hold. The excess data is written to adjacent memory, overwriting its contents, including return addresses in stack memory. Many memory-based functions in the standard library are prone to cause buffer overflows.

2) Integer Security
Integer security is a generic name for integer errors such as overflow, underflow and signed/unsigned conversion errors. CVE-2002-0639 of OpenSSH and CVE-2010-2753 of Firefox are two representative integer vulnerabilities. Many integer overflow vulnerabilities are closely related to memory allocation functions […]. If an integer input is used to bound a memory manipulation without exhaustive checks, memory violation errors can occur. Take malloc as an example: if the size argument overflows, the operating system allocates less memory than the program wants, and a heap overflow follows.

3) Uncontrolled Format String
A format string is an ASCII string that contains text and format parameters. When a format function (printf, for example) evaluates the format string, it accesses the extra parameters given to the function. However, there is a special format parameter in ANSI C, '%n', which writes the number of bytes printed so far to a specified memory location. Because parameters and other important program data are all stored on the stack, if the format string can be controlled by attackers, they can overwrite return addresses or other data […].

4) Command Injection
Like a format string, if an uncontrolled input string is directly passed to an OS execution system call or a shell execution function, attackers can easily execute system commands by injecting malicious strings into the input.

E. DLL Injection
DLL injection is a technique for running code within the address space of another process by forcing it to load a dynamic-link library (DLL) […]. The injected code can hook system or library calls such as system or malloc without modifying any existing program. We can interrupt programs with the injected code and analyze the symbolic relationship between arguments and inputs. Besides standard libraries, we can also hook third-party libraries. The functions we hook are shown in TABLE I.
TABLE I. LIST OF DISCOVERED SENSITIVE FUNCTIONS

Sensitive Function | Sensitive Argument(s) | Vulnerable Situation
fread              | Length                | Integer/Buffer Overflow
read               | Length                | Integer/Buffer Overflow
memset             | Length                | Integer/Buffer Overflow
memcpy             | Source, length        | Integer/Buffer Overflow
strcpy             | Source                | Buffer Overflow
strncpy            | Source, length        | Integer/Buffer Overflow
syslog             | Format                | Format String
vfprintf           | Format                | Format String
vsnprintf          | Format, length        | Format String, Integer/Buffer Overflow
sprintf            | Format                | Format String, Buffer Overflow
fprintf            | Format                | Format String
system             | Command               | Command Injection
exec family        | Path/file             | Command Injection
realloc            | Size                  | Integer/Buffer Overflow
malloc             | Size                  | Integer/Buffer Overflow

Figure: Traditional Fuzzer Architecture Overview (Sample Inputs -> Generate One Input -> Execute from the Input -> Test If It Crashes; True: Crash Input Found, False: Generate Another)
Unlike traditional fuzzers, which generate crash inputs as shown in the Traditional Fuzzer Architecture figure, our work CRAXfuzz …
Footnotes:
http://www.kernel.org/doc/man-pages/online/pages/man8/ld-linux.so.8.html
http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Code-Gen-Options.html#Code-Gen-Options
http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Link-Options.html#Link-Options
III. METHOD
On Linux or other Unix-like OSs, arbitrary library functions can be redirected to one's own library by setting the LD_PRELOAD environment variable. Such a library can be created with GCC by compiling with the -fPIC option and linking with the -shared option. On Windows there are multiple ways to do this, one of which is the hooking call SetWindowsHookEx. Our work focuses on the Linux platform and is easy to extend.

Footnote: http://msdn.microsoft.com/en-us/library/ms644990.aspx
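As an added example (not the paper's code and not part of S2E or CRAXfuzz), the C file below applies the sensitive-argument rules of Section II.D and TABLE I at the hook points, and its HOOK_PRELOAD section shows an LD_PRELOAD wrapper of the kind described above, built with -fPIC and -shared. The function names, the 1 GiB and 4096-byte thresholds, the HOOK_PRELOAD macro and the build commands are this example's own assumptions.

```c
/* Added example, not the paper's code: the checks a hook can apply at the
 * sensitive arguments of TABLE I, plus an LD_PRELOAD wrapper showing where
 * they are called. Names, thresholds and build lines are this example's own.
 *
 *   stand-alone demo:  cc -Wall hook.c -o hook && ./hook
 *   preload library:   cc -Wall -fPIC -shared -DHOOK_PRELOAD hook.c -o libhook.so -ldl
 *                      LD_PRELOAD=./libhook.so ./program sample_input
 */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { ARG_OK = 0, ARG_SUSPICIOUS = 1 };

/* Size argument of malloc/realloc (TABLE I: "Size"): zero, or a size near the
 * top of the address space, is the fingerprint of a wrapped multiplication
 * such as malloc(0xFFFFFFFF) or nstrips * sizeof(uint32) wrapping to 0. */
enum verdict check_alloc_size(size_t n) {
    const size_t limit = (size_t)1 << 30;   /* 1 GiB, a constructed threshold */
    return (n == 0 || n > limit) ? ARG_SUSPICIOUS : ARG_OK;
}

/* Length argument of memcpy/strncpy/read (TABLE I: "Length"): must not exceed
 * what the destination can hold. */
enum verdict check_copy_length(size_t dst_capacity, size_t n) {
    return n > dst_capacity ? ARG_SUSPICIOUS : ARG_OK;
}

/* Format argument of the printf family (TABLE I: "Format"): a "%n" conversion
 * writes to memory, and a conversion cut off at the end of the string means
 * the format was assembled from untrusted bytes. */
enum verdict check_format(const char *fmt) {
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }                      /* literal "%%" */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;                                               /* flags, width, precision, length */
        if (*p == '\0' || *p == 'n') return ARG_SUSPICIOUS;
        p++;
    }
    return ARG_OK;
}

#ifdef HOOK_PRELOAD
#include <dlfcn.h>
#include <stdarg.h>
#include <unistd.h>

/* Report with write(2): stdio would re-enter the hooked functions. */
static void report(const char *fn, const char *arg) {
    write(2, "[hook] suspicious ", 18); write(2, arg, strlen(arg));
    write(2, " argument in ", 13);      write(2, fn, strlen(fn));
    write(2, "\n", 1);
}

char *strncpy(char *dst, const char *src, size_t n) {
    static char *(*real)(char *, const char *, size_t);
    if (real == NULL)
        real = (char *(*)(char *, const char *, size_t))dlsym(RTLD_NEXT, "strncpy");
    /* The hook cannot see the destination size; a constructed cap of 4096 stands in. */
    if (check_copy_length(4096, n) == ARG_SUSPICIOUS) report("strncpy", "length");
    return real(dst, src, n);
}

int vfprintf(FILE *stream, const char *fmt, va_list ap) {
    static int (*real)(FILE *, const char *, va_list);
    if (real == NULL)
        real = (int (*)(FILE *, const char *, va_list))dlsym(RTLD_NEXT, "vfprintf");
    if (check_format(fmt) == ARG_SUSPICIOUS) report("vfprintf", "format");
    return real(stream, fmt, ap);
}
/* malloc is deliberately not interposed here: dlsym itself may allocate, so a
 * malloc hook needs a bootstrap allocator before it can look up the real one. */
#endif

int main(void) {
    printf("malloc(0)                  -> %s\n", check_alloc_size(0) ? "suspicious" : "ok");
    printf("malloc(0xFFFFFFFF)         -> %s\n", check_alloc_size(0xFFFFFFFFu) ? "suspicious" : "ok");
    printf("strncpy n=4097 into 4096   -> %s\n", check_copy_length(4096, 4097) ? "suspicious" : "ok");
    printf("format \"%%s: %%n\"           -> %s\n", check_format("%s: %n") ? "suspicious" : "ok");
    printf("format \"%%s: %%s\\n\"         -> %s\n", check_format("%s: %s\n") ? "suspicious" : "ok");
    return 0;
}
```

The three check functions are what the hooked library call sees at the moment the sensitive argument is concrete; in the paper's framework the same point is where the argument is tested for being symbolic. The preload part only wraps strncpy and vfprintf because a malloc wrapper has to solve the dlsym re-entrancy problem first.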
There are four stages in our fuzzing framework: test case acquisition, target searching, proof-of-concept generation and verification. … XMail […] is used to explain them in Section III.E, and a detailed comparison of traditional fuzzers with our work is provided. At the end of this section we show the implementation details of how we build our target-aware symbolic execution framework on S2E, including modules and implemented sensitive functions.
Figure: Target-Aware Symbolic Execution Framework Overview
  Test Case Acquisition: Sample Inputs -> Hook Functions
  Target Searching: Found / Not Found (False: Try Another Function)
  POC Generation: Calculate POCs from the Expressions
  Verification: Run Again to Verify; True: POC Results, False: Try Another Solution
A. Test Case Acquisition
… Section IV.

B. Target Searching
… hot bytes, which means these bytes can directly influence this sensitive function and have a good chance of being exploitable. More discussion of hot bytes follows in Section IV.B. We can also print the call stacks of the program to help developers debug.

Figure: Target Searching Overview (Single-Path Concolic Execution -> Complete Program Trace -> Target Found)

    1 x = read()
    2 x = x + 1
    3 malloc( 2 * x )

Figure: Transformation Function Example

Figure: Transformation Relations in Program Execution (Program Input -> Transformation Function F01(x) -> Variable 1 -> Transformation Function F12(x) -> Variable 2 -> Transformation Function F23(x) -> Sensitive Argument; end to end, Transformation Function F03(x) and Inverse Transformation Function F03^-1(x))

C. Proof-of-Concept Exploit Generation
The sensitive situation is a formula in terms of symbolic information. In a large program, a value often undergoes a series of transformations between being read as input and triggering a potential vulnerability. For example, in the Transformation Function Example figure, the argument of malloc in line 3 has passed through two transformation functions, f(x) = x + 1 and f(x) = 2 * x. Once a sensitive situation has been confirmed, we can generate the proof-of-concept (POC) exploit, which is evidence that we already have the ability to exploit this program. To find the input that makes the variable take a certain value, we need to solve the inverse of the transformation functions. In the Transformation Relations figure we can set the transformation function F03(x) equal to a constant value C that we want the sensitive argument to be, and use a constraint solver such as STP […] to solve the equation F03(x) = C, i.e. find F03^-1(C). This is one of the functionalities of symbolic execution. Note that in null-constraint symbolic execution we do not record any path constraints, which means the results may be infeasible, but they are obtained efficiently. We discuss this in Section III.D and in Section IV.

According to the properties of each sensitive situation, we classify the problems into the following designated types.

1) Formats in Format Functions
If a format argument of a format function (printf and syslog, for example) is symbolic, which means it can be affected by input bytes, there is a high possibility that a format string bug exists in the program under test. If the developers have not checked for the conversion specification character "%" or restricted the length of the inputs, attackers may exploit the program with a well-designed input that contains shellcode and the conversion specifier "n" […].

2) Commands in Execution Functions
Command arguments of execution functions such as system and exec are sensitive too. If a command segment is passed to these functions without being checked, attackers can use "&&", ";" or "&" to join normal and malicious commands, or directly inject a malicious binary to compromise the system.

3) Sources in Memory Copy Functions
If the source argument of a memory copy function can be affected by input bytes, there is a chance for attackers to cause buffer overflows in the program under test by increasing the length of the tainted input bytes. Although some memory functions use a size argument to restrict the size of the buffer to be copied, developers often forget to check the destination buffer size or the end-of-string character "\0". Many buffer overflow vulnerabilities of this kind have been revealed by the CVE entries mentioned above, and we demonstrate some of them in Section IV. str(n)cpy, read and memset are three functions that belong to this type.

4) Lengths in Memory Copy Functions
Compared with sources in memory functions, controlling the length argument of the function is more intuitive. Without proper checking, a buffer overflow easily happens if the length argument and the buffer size are inconsistent.

5) Sizes in Memory Allocation Functions
If the size argument of a memory allocation function is symbolic, there may be an integer overflow in the program under test. If we make the size overflow, the operating system allocates less memory than the program needs, and the program may use memory beyond the boundary of the heap block, which causes a heap-based buffer overflow, e.g. malloc(0xFFFFFFFF).
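As an added example (not the paper's code), the C program below works through the inverse-transformation idea of this section on the two figure programs (the Section II example x = read(); x = 2 * x; if (x > 6) return 3 * x, and the Transformation Function Example x = read(); x = x + 1; malloc(2 * x)), re-checks the path constraint that null-constraint mode skips, and evaluates the strip-count chain (A+B-1)/B*4 of the Section IV TIFF case in 32-bit and 64-bit arithmetic so that a type-5 size overflow is detected. The affine/compose/invert helpers, the struct names and the byte pairs (3, 1) and (0x40000000, 1) are constructed for this example and are not values from the paper.

```c
/* Added example (not the paper's code): proof-of-concept value generation by
 * inverting a chain of transformation functions, F03(x) = C  =>  x = F03^-1(C),
 * plus the 32-bit vs 64-bit comparison that exposes a malloc-size overflow.
 * Build: cc -Wall poc.c -o poc && ./poc */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One transformation step v -> a*v + b. The paper's f(x) = x + 1 and
 * f(x) = 2 * x are (a, b) = (1, 1) and (2, 0). */
struct affine { int64_t a, b; };

/* status: 1 = feasible input in value, 0 = inverse exists but violates the
 * path constraint (what null-constraint mode would miss), -1 = no integer preimage */
struct poc { int status; int64_t value; };

/* Compose f[0]..f[n-1] (applied in that order) into the end-to-end map F0n(x). */
static struct affine compose(const struct affine *f, int n) {
    struct affine F = {1, 0};
    for (int i = 0; i < n; i++) {
        F.b = f[i].a * F.b + f[i].b;
        F.a = f[i].a * F.a;
    }
    return F;
}

/* Solve F(x) = C over the integers; false when C has no integer preimage. */
static bool invert(struct affine F, int64_t C, int64_t *x) {
    if (F.a == 0 || (C - F.b) % F.a != 0) return false;
    *x = (C - F.b) / F.a;
    return true;
}

/* Section II program: x = read(); x = 2 * x; if (x > 6) return 3 * x else 0.
 * Return-argument expression 3 * 2 * s, path constraint 2 * s > 6. */
struct poc solve_return(int64_t want) {
    const struct affine f[] = { {2, 0}, {3, 0} };
    struct poc r = { -1, 0 };
    if (!invert(compose(f, 2), want, &r.value)) return r;
    const struct affine path = compose(f, 1);              /* 2 * s */
    r.status = (path.a * r.value + path.b > 6) ? 1 : 0;
    return r;
}

/* Transformation Function Example: x = read(); x = x + 1; malloc(2 * x).
 * Input that makes the malloc size argument equal `size`; no path constraint. */
struct poc solve_malloc_input(int64_t size) {
    const struct affine f[] = { {1, 1}, {2, 0} };
    struct poc r = { -1, 0 };
    if (invert(compose(f, 2), size, &r.value)) r.status = 1;
    return r;
}

/* Section IV strip-count chain: size = ((A + B - 1) / B) * sizeof(uint32),
 * A = INPUT[0x2A], B = INPUT[0x72], evaluated as the 32-bit program does. */
uint32_t tiff_alloc_size32(uint32_t A, uint32_t B) {
    if (B == 0) return 0;                            /* constructed guard, not libtiff's */
    uint32_t nstrips = (A + B - 1) / B;              /* may wrap */
    return nstrips * (uint32_t)sizeof(uint32_t);     /* may wrap */
}

/* The same chain in 64-bit arithmetic; any disagreement with the 32-bit value
 * is the integer overflow an allocation-size check has to reject. */
bool tiff_alloc_overflows(uint32_t A, uint32_t B) {
    if (B == 0) return true;
    uint64_t exact = (((uint64_t)A + B - 1) / B) * sizeof(uint32_t);
    return exact != tiff_alloc_size32(A, B);
}

int main(void) {
    struct poc r = solve_return(24);
    printf("return 24: status %d, s = %" PRId64 "\n", r.status, r.value);
    r = solve_malloc_input(16);
    printf("malloc(16): status %d, x = %" PRId64 "\n", r.status, r.value);
    /* constructed byte values: (3, 1) reproduces the 0xC of the report, and
     * (0x40000000, 1) makes nstrips * 4 wrap to 0 in 32-bit arithmetic */
    printf("A=3, B=1: size 0x%" PRIx32 ", overflow %d\n",
           tiff_alloc_size32(3, 1), (int)tiff_alloc_overflows(3, 1));
    printf("A=0x40000000, B=1: size 0x%" PRIx32 ", overflow %d\n",
           tiff_alloc_size32(0x40000000u, 1), (int)tiff_alloc_overflows(0x40000000u, 1));
    return 0;
}
```

For a linear chain the inverse is exact and a solver is unnecessary; the TIFF chain has a division and 32-bit wrap-around, which is why the paper hands such expressions to STP. The 64-bit recomputation is the check a defender adds before the malloc call: if it disagrees with the 32-bit result, the size came from an overflowed multiplication.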
D. Verification
… 's running path, we need to add some path constraints or change the previously used value to calculate a new input. Once no input can be generated, we have to go back to the first step and acquire a new sample input.

E. Example: XMail
XMail […] is a lightweight email server in comparison with traditional mail servers. In …, a stack-based buffer overflow vulnerability in the sendmail module of XMail was revealed and numbered CVE-2005-2943. In this bug, remote attackers can execute arbitrary code by crafting a specific field in an email letter.

    1 From: [email protected]
    2 To: [email protected]
    3 Subject: A Target-Aware Symbolic Execution Framework for Fuzz Testing
    4
    5 This is an XMail test letter
    6

Figure: Sample Email with Envelopes for XMail

The figure above shows a sample email of the kind we commonly use in daily life. This original email contains four fields, including sender, receiver, subject and body, which the mail transfer agent (MTA) actually delivers. We make this email symbolic and pipe it into our testing program. In the target searching stage, we found that the sensitive function strncpy had been hooked and that its source-string argument was symbolic. From tracking the symbolic information, this argument is directly affected by the bytes from 0x… to 0x…, and the corresponding string is "[email protected]", the receiver's email address, which we marked gray in the figure and call hot bytes.

    341 static char const *AddressFromAtPtr (char const *pszAt, char const *pszBase, char *pszAddress)
    342 {
    344     char const *pszStart = pszAt;
    351     char const *pszEnd = pszAt + 1;
    …
    355     int iAddrLength = (int) (pszEnd - pszStart);
    357     strncpy(pszAddress, pszStart, iAddrLength);
    358     pszAddress[iAddrLength] = '\0';
    359
    360     return (pszEnd);
    362 }

Figure: Function AddressFromAtPtr in SendMail.cpp in XMail

    (Concat w32 (Extract w8 24 N0:(SExt w32 N1:(Read w8 0x20 INPUT)))
      (Concat w24 (Extract w8 16 N0) (Concat w16 (Extract w8 8 N0) N1)))
    (Concat w32 (Extract w8 24 N0:(SExt w32 N1:(Read w8 0x21 INPUT)))
      (Concat w24 (Extract w8 16 N0) (Concat w16 (Extract w8 8 N0) N1)))
    (Concat w32 (Extract w8 24 N0:(SExt w32 N1:(Read w8 0x22 INPUT)))
      (Concat w24 (Extract w8 16 N0) (Concat w16 (Extract w8 8 N0) N1)))

Figure: strncpy Argument Expressions of INPUT in XMail

We look into the source code in the AddressFromAtPtr figure to confirm our guess. In the strncpy line, a string read from the letter is copied to a fixed-size array (read the complete source code and you will see). Now we know the receiver's address will be copied to a certain buffer; that is a buffer overflow suspect. We use the expressions shown in the figure above (which merely extend a byte to a word), gathered before, and our buffer overflow heuristics to decide on a long receiver's address field. We then fill it back into the input and run it again. A segmentation fault exception is raised, and that verifies our result.

However, if we turn this work over to traditional fuzzers, they have to mutate the input mail byte by byte, which has a large time complexity of O(2^n). Even if we know the format of the letter, which is hard to formalize, we cannot guarantee that the mutated inputs will cover the problematic code. The comparison of traditional fuzzers with our work is listed in Table II.

TABLE II. COMPARISONS OF TRADITIONAL FUZZERS WITH CRAXFUZZ
                                       | Traditional Fuzzers  | Traditional Symbolic Fuzzers          | CRAXfuzz
Targets                                | Exceptions (crashes) | Exceptions (crashes)                  | Sensitive functions
How to Find                            | Generate inputs      | Explore paths                         | Hook functions
How to Verify                          | Debugging tools      | Debugging tools                       | Check hooked functions
Seed Inputs                            | Existing inputs      | X                                     | Existing inputs
How to Generate New Inputs             | Mutate seed inputs   | Solve path constraints                | Only one input
Hit Rate of an Input to Reach a Target | Very low             | Low                                   | High (hooked functions are easier to find)
Result Types                           | Crash inputs         | Crash inputs                          | POC exploits
How to Generate Results                | Mutate seed inputs   | Solve path constraints                | Solve constraints from expressions
Results Generation Time                | Fast                 | Slow                                  | Fast
When to Generate Results               | Before execution     | After targets being found             | After targets being found
Results Accuracy                       | Very high            | Not too high (conflicting constraints) | High (ignored path constraints)
Aware of Constraints and Expressions   | No                   | …                                     | …
    … debug_level)
    1104         return;
    1105
    1107     easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    1108     va_start(ap, fmt);
    1109     vfprintf(stderr, fmt2, ap);
    1110     va_end(ap);
    1111     efree(fmt2);

Figure: Parts of Sudo Code

1) Sudo-1.8.0
Sudo is a commonly used system utility that can execute a command as another user, especially the administrator, so the security issues of sudo are of deep concern. In the easprintf and vfprintf lines of the figure above, a format string function takes the program name as part of its format argument, which is an uncontrolled format string problem. As the program name is one of the program's execution arguments, and therefore program input, symbolic information can be intercepted in vfprintf with proper sample inputs. These sample inputs can be derived from the manual page (the -D flag, for example). This vulnerability is CVE-….

2) Tiff
An integer overflow in the TIFFFetchStripThing function in tif_dirread.c of libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero-byte or small buffer to be allocated and leads to a heap-based buffer overflow. This vulnerability is registered as CVE-….

    In tif_dirread.c (simplified):
    cp = (char*)malloc(nstrips * sizeof (uint32))

Figure: Parts of Tiff Code

    SymbExpression malloc_size - (Shl w32 (Extract w32 0 (UDiv w64 (ZExt w64 (Add w32 (w32 0xffffffff) (Add w32 N0:(ReadLSB w32 0x72 v0_file_0) (ReadLSB w32 0x2a v0_file_0)))) (ZExt w64 N0))) (w32 0x2))
    SymbExpression malloc_size - Value: 0xc

Figure: Report of Malloc of Tiff Execution

The sensitive function malloc we found is shown in the Parts of Tiff Code figure. The variable nstrips denotes the number of strips in the TIFF file. We want to make the expression "nstrips * sizeof(uint32)" overflow to zero or a small value. There are many transformations from program start to the target function; however, the transformation functions of the nstrips
variable are too hard to find by eye. We can use CRAXfuzz to do this. The report is shown in the Report of Malloc figure. It shows the results of executing the TIFF library by feeding it the …-KB file we downloaded from the Internet and introduced before. The results can be simplified to this equation:

    0xC = (A+B-1)/B*4, where A is INPUT[0x2A] and B is INPUT[0x72].

That means the 0x2A-th byte and the 0x72-th byte of our input make this malloc's size argument take the value 0xC. If we set this size argument to zero or a small value and solve for an integer-overflowing pair of A and B, a heap overflow problem may occur. We get the answer that A equals 0x… and B equals 0x… by solving the equation "(A+B-1)/B*4=0". We then write them over the original input and run it again to verify. It crashes, and the value of the size argument has been changed. This proves that we can find a way to control the heap overflow of tiff-3.6.1 and cause the program buffer to overflow by feeding it a normal input downloaded from the Internet.

V. CONCLUSION
In this paper we present CRAXfuzz, a target-aware, directed, whole-system symbolic fuzzing framework. By using library hooking and hot-byte identification techniques, CRAXfuzz can locate sensitive parts of the program after being fed a regular input and generate the corresponding POC exploit efficiently. CRAXfuzz can dramatically reduce the testing space compared with traditional fuzzers and find conditions they are not able to reach, helping developers find security vulnerabilities and fix them in a short time. For cases whose source code is available, it is also possible to use debug information to print out the call stack trace and other information. We have applied CRAXfuzz to previously known issues of different security types. Experimental results show that it can accurately locate the sensitive parts and greatly improve the effectiveness of fuzz testing.

TaintScope […], which inspired us, provided the concept of finding hot bytes by dynamic taint analysis. However, our methods are easier and more straightforward by taking advantage of the properties of symbolic execution. Splat […] defines a buffer overflow situation and Catchconv […] defines an integer conversion error situation, while IntScope […] defines an integer overflow situation and Saxena, P., et al. […] define a loop-extended situation. At the application level, NICE […] models OpenFlow applications to find network bugs. In spite of that, all of them focus on one specific condition, and it is hard to generalize the targets. Caselden, D., et al. […], McCamant, S., et al. […] and STrigger […] introduced vulnerability-condition-based and trigger-condition-based test case generation methods respectively. Nevertheless, because of the different symbolic engines and heuristics they use, source code is needed and the testing tools are not platform-independent.

If researchers want to modify our framework to create real exploits, it is easy to implement by replacing the POC with shellcode. Shellcode is machine- or OS-dependent and more complicated to generate automatically, and that is why our work delegates this step to other tools; AEG […] and other research […] are dedicated to this field.

However, there are several limitations in the current implementation of CRAXfuzz. First, the lack of floating-point support in KLEE is a big problem for testing programs with floating-point operations; S2E terminates when it encounters this situation. We can use the adaptive-input technique to strategically avoid this implementation problem. Second, because of complex path constraints and the natural property of hash functions, checksums, cryptographic operations or digital signatures, which are designed to protect against data alteration, are not recommended to be tested by our work. TaintScope […] has great success in checksum reconstruction, and it is possible to combine these modules. Third, our searching mechanism is based on hooking functions. If we want to find a vulnerability that is not related to functions (see the figure below), the DLL injection framework does not work anymore, and some new mechanism must be found to generalize this situation. However, with vulnerabilities that are related to functions, such as PHP and SQL libraries, CRAXfuzz works pretty well. It is also possible to hook the CPU register (EIP) to find the condition of a crash. Fourth, path constraint selection is also a challenge. Which path constraints to pick is a satisfiability (SAT) problem, which is very hard […]; it would take great effort to do it well. The last weak point is how to retrieve a sample input that can lead us to the bug. In most cases, regular inputs do not execute the problematic code, due to the imperfection of unit test cases, so we must generate such inputs ourselves. The control flow graph (CFG) and call graph are good mediums for this […]. We can use shortest-path algorithms to find a path to the sensitive function and generate the corresponding input, like STrigger […]. There is also a lot of test case generation research to help us create inputs […].

    1 while(n--)
    2     str[n] = 0;

Figure: Vulnerability Not Related to Functions Example

ACKNOWLEDGMENT
This work was supported in part by the Ministry of Science and Technology (… and …) and Telecommunication Laboratories, Chunghwa Telecom Co., Ltd. (TL-…).

Footnotes: http://www.exploit-db.com/ ; http://osvdb.org/

REFERENCES
[1] W. A. Arbaugh, W. L. Fithen, and J. McHugh, "Windows of vulnerability: A case study analysis," Computer, vol. 33, pp. 52-59, 2000.
[2] B. P. Miller, L. Fredriksen, and B. So, "An empirical study of the reliability of UNIX utilities," Communications of the ACM, vol. 33, pp. 32-44, 1990.
[3] M. Sutton, A. Greene, and P. Amini, Fuzzing: brute force vulnerability discovery: Pearson Education, 2007.
[4] T. Wang, T. Wei, G. Gu, and W. Zou, "TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection," in Security and Privacy (SP), 2010 IEEE Symposium on, 2010, pp. 497-512.
[5] S. Hocevar. (2011). zzuf—multi-purpose fuzzer. Available: http://caca.zoy.org/wiki/zzuf
[6] M. Eddington. (2011). Peach fuzzing platform. Available: http://peachfuzzer.com/
[7] M. Woo, S. K. Cha, S. Gottlieb, and D. Brumley, "Scheduling black-box mutational fuzzing," in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 2013, pp. 511-522.
[8] J. C. King, "Symbolic execution and program testing," Communications of the ACM, vol. 19, pp. 385-394, 1976.
[9] E. J. Schwartz, T. Avgerinos, and D. Brumley, "All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)," in Security and Privacy (SP), 2010 IEEE Symposium on, 2010, pp. 317-331.
[10] P. Godefroid, M. Y. Levin, and D. A. Molnar, "Automated Whitebox Fuzz Testing," in NDSS, 2008, pp. 151-166.
[11] D. Molnar, X. C. Li, and D. A. Wagner, "Dynamic test generation to find integer bugs in x86 binary linux programs," in Proceedings of the 18th conference on USENIX security symposium, 2009, pp. 67-82.
[12] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, et al., "BitBlaze: A new approach to computer security via binary analysis," in Information systems security, ed: Springer, 2008, pp. 1-25.
[13] C. Miller, J. Caballero, N. M. Johnson, M. G. Kang, S. McCamant, P. Poosankam, et al., "Crash analysis with BitBlaze," at BlackHat USA, 2010.
[14] V. Chipounov, V. Kuznetsov, and G. Candea, "S2E: A platform for in-vivo multi-path analysis of software systems," ACM SIGARCH Computer Architecture News, vol. 39, pp. 265-278, 2011.
[15] V. Chipounov, V. Kuznetsov, and G. Candea, "The S2E platform: Design, implementation, and applications," ACM Transactions on Computer Systems (TOCS), vol. 30, p. 2, 2012.
[16] C. Cadar, D. Dunbar, and D. R. Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs," in OSDI, 2008, pp. 209-224.
[17] S. Anand, P. Godefroid, and N. Tillmann, "Demand-driven compositional symbolic execution," in Tools and Algorithms for the Construction and Analysis of Systems, ed: Springer, 2008, pp. 367-381.
[18] K. Sen, "Concolic testing," in Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, 2007, pp. 571-572.
[19] K. Sen, D. Marinov, and G. Agha, CUTE: a concolic unit testing engine for C, vol. 30: ACM, 2005.
[20] J. Malburg and G. Fraser, "Combining search-based and constraint-based testing," in Proceedings of the 2011 26th IEEE/ACM International Conference on Automated Software Engineering, 2011, pp. 436-439.
[21] J. Liu, Q. Wei, Q. x. Wang, and T. Guo, "Trigger condition based test generation for finding security bugs," in Systems and Informatics (ICSAI), 2012 International Conference on, 2012, pp. 1106-1110.
[22] R.-G. Xu, P. Godefroid, and R. Majumdar, "Testing for buffer overflows with length abstraction," in Proceedings of the 2008 international symposium on Software testing and analysis, 2008, pp. 27-38.
[23] M. Staats and C. Păsăreanu, "Parallel symbolic execution for structural test generation," in Proceedings of the 19th international symposium on Software testing and analysis, 2010, pp. 183-194.
[24] D. Caselden, A. Bazhanyuk, M. Payer, L. Szekeres, S. McCamant, and D. Song, "Transformation-aware exploit generation using a HI-CFG," University of California, Berkeley, Tech. Rep. UCB/EECS-2013-85, 2013.
[25] V. Ganesh and D. L. Dill, "A decision procedure for bit-vectors and arrays," in Computer Aided Verification, 2007, pp. 519-531.
[26] L. De Moura and N. Bjørner, "Z3: An efficient SMT solver," in Tools and Algorithms for the Construction and Analysis of Systems, ed: Springer, 2008, pp. 337-340.
[27] J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," 2005.
[28] F. Bellard, "QEMU, a Fast and Portable Dynamic Translator," in USENIX Annual Technical Conference, FREENIX Track, 2005, pp. 41-46.
[29] C. Lattner and V. Adve, "LLVM: A compilation framework for lifelong program analysis & transformation," in Code Generation and Optimization, 2004. CGO 2004. International Symposium on, 2004, pp. 75-86.
[30] B. Martin, M. Brown, A. Paller, D. Kirby, and S. Christey, "2011 CWE/SANS Top 25 Most Dangerous Software Errors," Common Weakness Enumeration, vol. 7515, 2011.
[31] C. Cowan, P. Wagle, C. Pu, S. Beattie, and J. Walpole, "Buffer overflows: Attacks and defenses for the vulnerability of the decade," in DARPA Information Survivability Conference and Exposition, 2000. DISCEX '00. Proceedings, 2000, pp. 119-129.
[32] T. Wang, T. Wei, Z. Lin, and W. Zou, "IntScope: Automatically Detecting Integer Overflow Vulnerability in X86 Binary Using Symbolic Execution," in NDSS, 2009.
[33] T. Newsham, "Format string attacks," ed, 2000.
[34] J. Shewmaker, "Analyzing dll injection," GSM Presentation, 2006.
[35] D. Libenzi. XMail. Available: http://www.xmailserver.org/
[36] M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford, "A NICE way to test OpenFlow applications," NSDI, Apr, 2012.
[37] D. A. Molnar and D. Wagner, "Catchconv: Symbolic execution and run-time type inference for integer conversion errors," UC Berkeley EECS, 2007.
[38] P. Saxena, P. Poosankam, S. McCamant, and D. Song, "Loop-extended symbolic execution on binary programs," in Proceedings of the eighteenth international symposium on Software testing and analysis, 2009, pp. 225-236.
[39] S. McCamant, M. Payer, D. Caselden, A. Bazhanyuk, and D. Song, "Transformation-aware symbolic execution for system test generation," Tech. Rep. UCB/EECS-2013-125, University of California, Berkeley (Jun 2013), 2013.
[40] T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley, "AEG: Automatic Exploit Generation," in NDSS, 2011, pp. 59-66.
[41] S. Heelan, "Automatic generation of control flow hijacking exploits for software vulnerabilities," University of Oxford, MSc Computer Science Dissertation, 2009.
[42] J. Vanegue, S. Heelan, and R. Rolles, "SMT Solvers in Software Security," in WOOT, 2012, pp. 85-96.
[43] J. Rößler, G. Fraser, A. Zeller, and A. Orso, "Isolating failure causes through test case generation," in Proceedings of the 2012 International Symposium on Software Testing and Analysis, 2012, pp. 309-319.