dynamic test genera on to find integer bugs in x86 binary
play

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux - PowerPoint PPT Presentation

Aug 25, 2023 •334 likes •480 views

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner Security Bugs Common 6,515 vulnerabili/es reported in 2007 Major vendors : Adobe, Apple, MicrosoN Plus many more

  1. Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner

  2. Security Bugs Common • 6,515 vulnerabili/es reported in 2007 – Major vendors : Adobe, Apple, MicrosoN … – Plus many more – web.nvd.nist.gov/view/vuln/sta/s/cs • Each one means patch, QA’ing, releasing

  3. Find Bug Report Bug Write Bug Fix Bug The “Bug Cycle”

  4. Find Bug Report Bug Write Bug Fix Bug The “Bug Cycle”

  5. Technique : Fuzz Testing Miller, Fredriksen, and So, “An Empirical Study of the Reliability of UNIX Utilities” http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html

  6. Integer Bugs • #2 cause of vendor advisories in 2006 • Underflow/Overflow • Value conversions • Signed/Unsigned conversion bugs • Poor fit with tradi/onal run/me, sta/c analysis – Sta/c analysis: false posi/ves – Run/me analysis: “benign” overflow problem

  7. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }

  8. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { What if x == -1 ? if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }

  9. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { -1 > 800? No! if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }

  10. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else copy_bytes( unsigned int x,... { copy_bytes(x,src, dst); } }

  11. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else copy_bytes( unsigned int x,... { copy_bytes(x,src, dst); } Copy a few more than 800 bytes..! }

  12. Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } Bug pattern : treat value x as signed, else then as unsigned or vice versa { copy_bytes(x,src, dst); } }

  13. Unknown / Top Signed Unsigned Potential Bug /Bot

  14. Unknown / Top Signed Unsigned Potential Bug /Bot Idea: 1. Keep track of type for every tainted program value 2. Use solver to force values with type “Bot” to equal -1 New algorithm: infer types over long binary traces.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides
Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and

Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and

1 Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and Shan Lu 2 What are concurrency bugs Synchroniza-on mistakes in mul--threaded programs 3 What are concurrency bugs Synchroniza-on

826 views • 65 slides
This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at http://www.cse.iitd.ernet.in/~sbansal/talks/btkernel.pptx 1 Firstly, what is Dynamic Binary Translation and what is it used for. Dynamic Binary Translation or DBT is the

617 views • 49 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
A a:INTEGER b:INTEGER B C c:INTEGER D d:INTEGER Figure 1: Class Inheritance Hierarchy 1 2

A a:INTEGER b:INTEGER B C c:INTEGER D d:INTEGER Figure 1: Class Inheritance Hierarchy 1 2

EECS3311 Software Design Fall 2018 Static Types, Expectations, Dynamic Types, and Type Casts Chen-Wei Wang Contents 1 Inheritance Hierarchy 1 2 Static Types (at Compile Time) Define Expected Usages 2 3 Dynamic Types (at Runtime) 2 4

198 views • 5 slides
Bugs / Insekten int I = 0; i++; void

Bugs / Insekten int I = 0; i++; void

Bugs / Insekten int I = 0; i++; void foo() { do(); c = a + b ; } int get() { return fo(); } close(); Test 1 Test 2 Test 3 Test 4 Test 5 Selektierte Tests System Alle Tests [s]

661 views • 50 slides
Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Order Statistics on Binary Trees Goal: find the k th element (in order) of a binary tree where

Order Statistics on Binary Trees Goal: find the k th element (in order) of a binary tree where

Order Statistics on Binary Trees Goal: find the k th element (in order) of a binary tree where 1 <= k <= N Why? Find the median: k = n/2, or k = n/2 and n/2 Find quartiles: k = n/4, n/2, 3n/4 t 7 t.size()

194 views • 7 slides
Genera&ng a power set Given a set of elements, would

Genera&ng a power set Given a set of elements, would

Genera&ng a power set Given a set of elements, would like to find set of all subsets [1, 2, 3] Leads to [], [1], [2], [3],

310 views • 8 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Datatracker Testing Making the users happy by catching bugs Contents How test coverage

Datatracker Testing Making the users happy by catching bugs Contents How test coverage

Datatracker Testing Making the users happy by catching bugs Contents How test coverage has changed Catching data corruption Finding user points of pain Dead code removal Chasing the holy grail of full test coverage What

549 views • 27 slides
i radix point (binary point) assumed to be to the right of i 0 the rightmost digit.

i radix point (binary point) assumed to be to the right of i 0 the rightmost digit.

Number Systems Binary: Computer Arithmetic Hexadecimal: Word Size: (Fixed) number of bits used to represent a number School of Computer Science G51CSA School of Computer Science G51CSA 1 2 Integer Representation Non Negative Integer

391 views • 5 slides
Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness < p . of many positive integers Smooth integer: integer > y . with no prime divisors y

475 views • 8 slides
Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When

Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When

Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When we talked about closure properties of regular languages, it was useful to be able to jump between RE and DFA representations. Similarly, CFGs

998 views • 22 slides
The Samaritans (Acts 8:5-12) Simon the Sorcerer (Acts 8:13) The Ethiopian Eunuch (Acts

The Samaritans (Acts 8:5-12) Simon the Sorcerer (Acts 8:13) The Ethiopian Eunuch (Acts

The Samaritans (Acts 8:5-12) Simon the Sorcerer (Acts 8:13) The Ethiopian Eunuch (Acts 8:26-39) Saul the Persecutor (Acts 9:1-19) Cornelius the Gentile (Acts 10:1-48) A Crisis (Acts 16:25-29) A Crisis (Acts

533 views • 12 slides
Taking a systems perspective to improve the quality of instruction Paul Cobb and Erin Henrick,

Taking a systems perspective to improve the quality of instruction Paul Cobb and Erin Henrick,

Welcome! Please sit with your team . Taking a systems perspective to improve the quality of instruction Paul Cobb and Erin Henrick, Vanderbilt University Kara Jackson, University of Washington Agenda Monday May 14 Tuesday May 15 10 am

836 views • 65 slides
Human-Robot Interaction through Natural Language Dialogue Ozan zdemir University of Hamburg

Human-Robot Interaction through Natural Language Dialogue Ozan zdemir University of Hamburg

MIN Faculty Department of Informatics Human-Robot Interaction through Natural Language Dialogue Ozan zdemir University of Hamburg Faculty of Mathematics, Informatics and Natural Sciences Department of Informatics Technical Aspects of

888 views • 24 slides
Heterogeneous Granularity Systems Muhao Chen 1 , Shi Gao 1 , X. Sean Wang 2 Department Of Computer

Heterogeneous Granularity Systems Muhao Chen 1 , Shi Gao 1 , X. Sean Wang 2 Department Of Computer

Converting Spatiotemporal Data Among Heterogeneous Granularity Systems Muhao Chen 1 , Shi Gao 1 , X. Sean Wang 2 Department Of Computer Science, University Of California Los Angeles 1 School Of Computer Science, Fudan University 2 Spatiotemporal

675 views • 31 slides
COMS 4160: Problems on Transformations and OpenGL Ravi Ramamoorthi 1. Write the homogeneous 4x4

COMS 4160: Problems on Transformations and OpenGL Ravi Ramamoorthi 1. Write the homogeneous 4x4

COMS 4160: Problems on Transformations and OpenGL Ravi Ramamoorthi 1. Write the homogeneous 4x4 matrices for the following transforms: Translate by +5 units in the X direction Rotate by 30 degrees about the X axis The rotation,

757 views • 5 slides
S2S ASR Advanced issues Tight coupling Tight coupling ASR should output N ASR should

S2S ASR Advanced issues Tight coupling Tight coupling ASR should output N ASR should

S2S ASR Advanced issues Tight coupling Tight coupling ASR should output N ASR should output N- -best best Translated all (lattice) Translated all (lattice) Choose best translation Choose best translation

425 views • 21 slides
Representations with Instance Normalization Ju-Chieh Chou , Hung-yi Lee, Interspeech 2019. Outline

Representations with Instance Normalization Ju-Chieh Chou , Hung-yi Lee, Interspeech 2019. Outline

One-shot Voice Conversion by Separating Speaker and Content Representations with Instance Normalization Ju-Chieh Chou , Hung-yi Lee, Interspeech 2019. Outline 1. Introduction 2. Proposed Approach Model Experiments 3. Conclusion Outline

544 views • 19 slides

More recommend