Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs - PowerPoint PPT Presentation



SLIDE 1

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs

David Molnar Xue Cong Li David Wagner

SLIDE 2

Security Bugs Common

  • 6,515 vulnerabilities reported in 2007

– Major vendors: Adobe, Apple, Microsoft …
– Plus many more
– web.nvd.nist.gov/view/vuln/statistics

  • Each one means patch, QA’ing, releasing
SLIDE 3

The “Bug Cycle”: Write Bug → Find Bug → Report Bug → Fix Bug

SLIDE 4

The “Bug Cycle”: Write Bug → Find Bug → Report Bug → Fix Bug

SLIDE 5

Technique : Fuzz Testing

Miller, Fredriksen, and So, “An Empirical Study of the Reliability of UNIX Utilities” http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html

SLIDE 6

Integer Bugs

  • #2 cause of vendor advisories in 2006
  • Underflow/Overflow
  • Value conversions
  • Signed/Unsigned conversion bugs
  • Poor fit with traditional runtime and static analysis

– Static analysis: false positives
– Runtime analysis: “benign” overflow problem

SLIDE 7

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

SLIDE 8

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

What if x == -1 ?

SLIDE 9

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

  • -1 > 800? No!
SLIDE 10

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

    copy_bytes(unsigned int x, ...

SLIDE 11

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

    copy_bytes(unsigned int x, ...

Copy a few more than 800 bytes..!

SLIDE 12

Signed/Unsigned Conversion

    void bad(int x, char *src, char *dst)
    {
        if (x > 800) {
            return;
        } else {
            copy_bytes(x, src, dst);
        }
    }

Bug pattern: treat value x as signed, then as unsigned or vice versa

SLIDE 13

[Type lattice diagram: Unknown / Top at the top; Signed and Unsigned below it; Potential Bug / Bot at the bottom]

SLIDE 14

[Type lattice diagram: Unknown / Top at the top; Signed and Unsigned below it; Potential Bug / Bot at the bottom]

Idea:

  1. Keep track of the type of every tainted program value
  2. Use the solver to force values with type “Bot” to equal -1

New algorithm: infer types over long binary traces.
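As an added example (not code from the slides or from the authors' tool), the C below puts the bad() routine from slides 7–12 next to a hardened variant, and replays the lattice idea from slide 14 on bad()'s parameter x: a signed comparison followed by an unsigned use meets at Bot, the type that marks x as a candidate for the solver's x == -1 query. The enum names, the refine() meet function and the stand-in copy_bytes() that returns a byte count instead of copying are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* The slides' type lattice: Top (unknown) above Signed and Unsigned,
   with Bot (potential bug) at the bottom. */
typedef enum { T_TOP, T_SIGNED, T_UNSIGNED, T_BOT } vtype;

/* Meet in the lattice: a value observed as both signed and unsigned
   falls to Bot, the type the solver later tries to make equal to -1. */
static vtype refine(vtype cur, vtype observed) {
    if (cur == T_TOP || observed == cur) return observed;
    if (observed == T_TOP) return cur;
    return T_BOT;
}

/* Shape of the slide's callee: x arrives as unsigned. Instead of copying,
   this constructed stand-in returns the byte count it would copy. */
static unsigned int copy_bytes(unsigned int x, const char *src, char *dst) {
    (void)src; (void)dst;
    return x;
}

/* The slide's bad(): signed upper-bound check, then an unsigned use. */
static unsigned int bad(int x, const char *src, char *dst) {
    if (x > 800) return 0;            /* -1 > 800 is false, so we fall through */
    return copy_bytes((unsigned int)x, src, dst);
}

/* Hardened variant: reject negatives before the value becomes unsigned. */
static unsigned int good(int x, const char *src, char *dst) {
    if (x < 0 || x > 800) return 0;
    return copy_bytes((unsigned int)x, src, dst);
}

/* Replay the observations the slides describe for bad()'s parameter x. */
static vtype infer_type_of_x(void) {
    vtype t = T_TOP;
    t = refine(t, T_SIGNED);    /* "if (x > 800)": signed comparison */
    t = refine(t, T_UNSIGNED);  /* "copy_bytes(unsigned int x, ...)" */
    return t;                   /* T_BOT: a candidate for the x == -1 query */
}

int main(void) {
    printf("x in bad() has type %s\n", infer_type_of_x() == T_BOT ? "Bot" : "ok");
    printf("bad(-1) would copy %u bytes\n", bad(-1, NULL, NULL));
    printf("good(-1) copies %u bytes\n", good(-1, NULL, NULL));
    return 0;
}
```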