An Evolutionary Computing Approach for Hunting Buffer Overflow Vulnerabilities: A Case of Aiming in Dim Light

We propose an approach in the form of a lightweight smart fuzzer that generates string-based inputs to detect buffer overflow vulnerabilities in C code. The approach is based on an evolutionary algorithm that combines a genetic algorithm with evolutionary strategies. In this preliminary work we focus on the problem that string inputs must satisfy constraints in order to reach the vulnerable statement in the code, and that we have very little or no knowledge of those constraints. Unlike other similar approaches, ours is able to generate such inputs without knowing these constraints explicitly: it learns them automatically while generating inputs dynamically by executing the vulnerable program. We provide a few empirical results on a benchmarking dataset, the Verisec suite of programs.
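As an added illustration of the idea in the abstract (not the authors' fuzzer or their Verisec experiments), the following genetic-algorithm/evolutionary-strategy hybrid evolves string inputs toward a guarded copy in a constructed stand-in for an instrumented C parser. The search is never given the guard conditions; its only feedback is how many guards an input passed and how many bytes the final copy would write, which is the "dim light" the paper works in. The target, its guards, the fitness shaping and all parameters are assumptions of this example.

```python
import math
import random

BUF = 16  # constructed target: size of the fixed destination buffer

def target(s):
    """Constructed stand-in for an instrumented C parser: returns (number of
    guards passed, bytes the final copy would write). The search never sees
    the guard conditions themselves, only this feedback."""
    depth = 0
    for want in "ID=":                       # guards 1-3: a fixed prefix
        if depth >= len(s) or s[depth] != want:
            return depth, 0
        depth += 1
    body = s[3:]
    if ";" not in body:                      # guard 4: a field separator
        return depth, 0
    val = body.split(";", 1)[1]
    return 4, len(val) + 1                   # here: strcpy(buf, val), char buf[BUF]

def fitness(s):
    depth, copied = target(s)
    return depth * 1000 + copied             # deeper guard dominates, then longer copy

ALPHABET = [chr(c) for c in range(32, 127)]

def mutate(ind):
    s, rate = ind                            # ES: each individual carries its own rate
    rate = min(0.3, max(0.05, rate * math.exp(random.gauss(0, 0.2))))
    chars = [random.choice(ALPHABET) if random.random() < rate else c for c in s]
    if random.random() < 4 * rate:           # occasionally grow the string
        chars.insert(random.randrange(len(chars) + 1), random.choice(ALPHABET))
    return "".join(chars), rate

def crossover(a, b):
    """GA one-point crossover of two parent strings; child averages the rates."""
    ca, cb = random.randrange(1, len(a[0])), random.randrange(1, len(b[0]))
    return a[0][:ca] + b[0][cb:], (a[1] + b[1]) / 2

def evolve(pop_size=60, generations=1000, seed=0, elite=10):
    """Return (input, generation) once the copy would overflow BUF, else None."""
    random.seed(seed)
    pop = [("".join(random.choices(ALPHABET, k=random.randint(4, 12))), 0.1)
           for _ in range(pop_size)]
    for gen in range(generations):
        pop.sort(key=lambda ind: fitness(ind[0]), reverse=True)
        if target(pop[0][0])[1] > BUF:
            return pop[0][0], gen
        pick = lambda: max(random.sample(pop, 3), key=lambda i: fitness(i[0]))
        pop = pop[:elite] + [mutate(crossover(pick(), pick()))
                             for _ in range(pop_size - elite)]
    return None
```

The returned input satisfies every guard and drives the copy past `BUF`, although no guard was ever spelled out to the search; swapping `target` for a harness around a real instrumented binary is the only change a practitioner would need.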
