A Survey of Software Dynamic Analysis Methods
Pages 90 - 114
Abstract
Abstract
A review of software dynamic analysis methods is presented, mainly focusing on the methods supported by tools targeted on software security verification and applicable to system software. Fuzzing, runtime verification and dynamic symbolic execution techniques are considered in detail. Dynamic taint data analysis methods and tools are excluded since gathering technical details on them is complicated. The review of fuzzing and dynamic symbolic execution is focused mostly on the techniques to solve various problems that arise during operation of the tools rather than the particular tools that amount to a number greater than 100. In addition, the fuzzing counteraction techniques are considered.
References
[1]
Ozkan-Okay M., Samet R., Aslan Ö., and Gupta D. A comprehensive systematic literature review on intrusion detection systems IEEE Access 2021 9 157727-157760
[2]
Santos, L., Rabadao, C., and Gonçalves, R., Intrusion detection systems in Internet of Things: A literature review, Proc. of 13th Iberian Conference on Information Systems and Technologies (CISTI), Caceres, Spain, 2018, pp. 1–7.
[3]
Zhu H., Hall P. A. V., and May J. H. R. Software unit test coverage and adequacy ACM Computing Surveys 1997 29 366-427
[4]
Sutton M., Greene A., and Amini P. Fuzzing: Brute Force Vulnerability Discovery 2007 Boston Addison-Wesley
[5]
Newsome, J., and Song, D., Dynamic taint analysis for Automatic detection, analysis, and signature generation of exploits on commodity software, Proc. of Network and Distributed System Security Simposium, 2005.
[6]
Schwartz, E. J., Avgerinos, T., and Brumley, D., All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask), Proc. of IEEE Symposium on Security and Privacy, 2010, pp. 317–331.
[7]
Wang, T., Wei, T., Gu, G., and Zou, W., TaintScope: a checksum-aware directed fuzzing tool for automatic software vulnerability detection, Proc. of IEEE Symposium on Security and Privacy, 2010, pp. 497–512.
[8]
Miller B. P., Fredriksen L., and So B. An empirical study of the reliability of UNIX utilities Communications of the ACM 1990 33 32-44
[9]
The Cyber Grand Challenge. https://blogs.grammatech.com/the-cyber-grand-challenge. Accessed June 13, 2023.
[10]
Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Krügel, C., and Vigna, G., Driller: Augmenting fuzzing through selective symbolic execution, Proc. of Network and Distributed System Security Symposium, 2016.
[11]
Goodman P. and Dinaburg A. The past, present, and future of Cyberdyne IEEE Security & Privacy 2018 16 61-69
[12]
Cisco Secure Development Lifecycle. https://www.cisco.com/c/en/us/about/trust-center/technology-built-in-security.html#~trustworthysolutionsfeatures. Accessed June 13, 2023.
[13]
Chromium Security. URL: https://www.chromium.org/Home/chromium-security/bugs/ (дocтyп 13.06.2023)
[14]
Clusterfuzz. Chrome Fuzzing Infrastructure. https://code.google.com/archive/p/clusterfuzz/. Accessed June 13, 2023.
[15]
Aizatsky, M., Serebryany, K., Chang, O., Arya, A., and Whittaker, M., Announcing OSS-Fuzz: Continuous fuzzing for open source software. Google Open Source Blog, 2016. https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html. Accessed June 13, 2023.
[16]
Microsoft Security Development Lifecycle. https://www.microsoft.com/en-us/securityengineering/sdl/practices. Accessed June 13, 2023.
[17]
Bounimova, E., Godefroid, P., and Molnar, D., Billions and billions of constraints: Whitebox fuzz testing in production, Proc. of 35th International Conference on Software Engineering (ICSE), San Francisco, USA, 2013, pp. 122–131.
[18]
Fuzzing Survey. https://fuzzing-survey.org/. Accessed June 15, 2023.
[19]
Rathaus N. and Evron G. Open Source Fuzzing Tools 2007 Oxford Syngress
[20]
Takanen A., DeMott J. D., Miller C., and Kettunen A. Fuzzing for Software Security Testing and Quality Assurance 2018 Norwood Artech House
[21]
Li, J., Zhao, B., and Zhang, C., Fuzzing: a Survey, Cybersecurity, 2018, no. 1.
[22]
Chen C., Cui B., Ma J., Wu R., Guo J., and Liu W. A systematic review of fuzzing techniques Computers & Security 2018 75 118-137
[23]
Manes V. J. M., Han H., Han C., Cha S. K., Egele M., Schwartz E. J., and Woo M. The art, science, and engineering of fuzzing: A survey IEEE Transactions on Software Engineering 2021 47 2312-2331
[24]
Liang H., Pei X., Jia X., Shen W., and Zhang J. Fuzzing: state of the art IEEE Transactions on Reliability 2018 67 1199-1218
[25]
Vishnyakov, A. V., Error detection in the binary code by methods of dynamic symbolic execution, Cand. Sci. (Phys. Math.) Dissertation, Moscow: ISP RAS, 2022.
[26]
Fioraldi, A., Maier, D. C., Zhang, D., and Balzarotti, D., LibAFL: a framework to build modular and reusable fuzzers, Proc of ACM SIGSAC Conference on Computer and Communication Security, 2022, pp. 1051–1065.
[27]
Luk C.-K., Cohn R., Muth R., Patil H., Klauser A., Lowney G., Wallace S., Reddi V. J., and Hazelwood K. Pin: building customized program analysis tools with dynamic instrumentation ACM SIGPLAN Notices 2005 40 190-200
[28]
Bellard, F., QEMU, a fast and portable dynamic translator, Proc. of ATEC’05, USENIX Annual Technical Conference, 2005, pp. 41-46.
[29]
Dyninst. https://dyninst.org/dyninst. Accessed December 5, 2023.
[30]
Dyninst GitHub. https://github.com/dyninst/dyninst. Accessed December 5, 2023.
[31]
Bruening, D. L., Efficient, transparent, and comprehensive runtime code manipulation, Ph.D. Thesis, Boston: Massachusetts Institute of Technology, 2004.
[32]
DynamoRIO. https://github.com/DynamoRIO/dynamorio. Accessed December 5, 2023.
[33]
Zalewski, M., American Fuzzy Lop. https://github.com/mirrorer/afl. Accessed June 14, 2023.
[34]
AFL, supported by Google. https://github.com/google/AFL. Accessed June 19, 2023.
[35]
Oleksiuk, D., IOCTL Fuzzer. https://github.com/Cr4sh/ioctlfuzzer. Accessed June 14, 2023.
[36]
Chen, J., Diao, W., Zhao, Q., Zuo, C., Lin, Z., Wang, X., Lau, W. C., Sun, M., Yang, R., and Zhang, K., IoTFuzzer: discovering memory corruptions in IoT through app-based fuzzing, Proc. of the Network and Distributed System Security Symposium, 2018.
[37]
Babić, D., Bucur, S., Chen, Y., Ivančić, F., King, T., Kusano, M., Lemieux, C., Szekeres, L., and Wang, W., FUDGE: fuzz driver generation at scale, Proc. of 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019, pp. 975–985.
[38]
Ispoglou, K. K., Austin, D., Mohan, V., and Payer, M., FuzzGen: automatic fuzzer generation, Proc. of 29th USENIX Security Symposium, 2020, pp. 2271–2287.
[39]
Zhang, M., Liu, J., Ma, F., Zhang, H., and Jiang, Y., IntelliGen: automatic driver synthesis for fuzz testing, Proc. of IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, 2021, pp. 318–327. https://arxiv.org/abs/2103.00862.
[40]
GRR. https://github.com/lifting-bits/grr. Accessed June 14, 2023.
[41]
LibFuzzer – a Library for Coverage-guided Fuzz Testing. https://llvm.org/docs/LibFuzzer.html. Accessed June 14, 2023.
[42]
Swiecki, R., and Gröbert, F., Honggfuzz. https://github.com/google/honggfuzz. Accessed June 16, 2023.
[43]
Sen, K., Effective random testing of concurrent programs, Proc. of 22th IEEE/ACM International Conference on Automated Software Engineering, 2007, pp. 323–332.
[44]
Joshi P., Park C.-S., Sen K., and Naik M. A randomized dynamic program analysis technique for detecting real deadlocks ACM SIGPLAN Notices 2009 44 110-120
[45]
Lai, Z., Cheung, S., and Chan, W., Detecting atomic-set serializability violations in multithreaded programs through active randomized testing, Proc. of 32nd ACM/IEEE International Conference on Software Engineering, 2010, vol. 1, pp. 235–244.
[46]
Cai, Y. and Chan, W. K., MagicFuzzer: Scalable deadlock detection for large-scale applications, Proc. of 34th International Conference on Software Engineering (ICSE), Zurich, Switzerland, 2012, pp. 606–616.
[47]
Samak, M., Ramanathan, M. K., and Jagannathan, S., Synthesizing racy tests, Proc. of 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2015, pp. 175–185.
[48]
Ganesh, V., Leek, T., and Rinard, M., Taint-based directed whitebox fuzzing, Proc. of 31st International Conference on Software Engineering (ICSE’09), 2009, pp. 474–484.
[49]
Haller, I., Slowinska, A., Neugschwandtner, M., and Bos, H., Dowsing for overflows: a guided fuzzer to find buffer boundary violations, Proc. of 22nd USENIX Security Symposium, 2013, pp. 49–64.
[50]
Ma, L., Artho, C., Zhang, C., Sato, H., Gmeiner, J., and Ramler, R., GRT: Program-analysis-guided random testing, Proc. of 30th IEEE/ACM International Conference on Automated Software Engineering, 2015, pp. 212–223.
[51]
Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., and Bos, H., VUzzer: Application-aware evolutionary fuzzing, Proc. of Network and Distributed System Security Symposium, 2017.
[52]
Peng, H., Shoshitaishvili, Y., and Payer, M., T-Fuzz: Fuzzing by program transformation, Proc. of IEEE Symposium on Security and Privacy, 2018, pp. 697–710.
[53]
FFmpeg Repository. http://samples.ffmpeg.org/. Accessed June 16, 2023.
[54]
CERT BFF. https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=507974. Accessed June 15, 2023.
[55]
Householder, A. D. and Foote, J., Probability-based parameter selection for black-box fuzz testing, SEI Technical Note, CMU/SEI-2012-TN-019, 2012.
[56]
Woo, M., Cha, S. K., Gottlieb, S., and Brumley, D., Scheduling black-box mutational fuzzing, Proc. of ACM SIGSAC Conference on Computer & Communications Security (CCS '13), 2013, pp. 511–522.
[57]
Böhme, M., Pham, V.-T., and Roychoudhury, A., Coverage-based greybox fuzzing as Markov chain, Proc. of ACM SIGSAC Conference on Computer and Communications Security (CCS '16), 2016, pp. 1032–1043.
[58]
Syzkaller – kernel fuzzer. https://github.com/google/syzkaller. Accessed June 15, 2023.
[59]
Vyukov, D., go-fuzz. https://github.com/dvyukov/go-fuzz. Accessed June 19, 2023.
[60]
Li, Y., Chen, B., Chandramohan, M., Lin, S.-W., Liu, Y., and Tiu, A., Steelix: Program-state based binary fuzzing, Proc. of 11th Joint Meeting on Foundations of Software Engineering, 2017, pp. 627–637.
[61]
Chen, P. and Chen, H., Angora: Efficient fuzzing by principled search, Proc. of IEEE Symposium on Security and Privacy, 2018, pp. 711–725.
[62]
Böhme, M., Pham, V.-T., Nguyen, M.-D., and Roychoudhury, A., Directed greybox fuzzing, Proc. of ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017, pp. 2329–2344.
[63]
Wang, S., Nam, J., and Tan, L., QTEP: Quality-aware test case prioritization, Proc. of 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2017), 2017, pp. 523–534.
[64]
Eddington, M., Peach Fuzzer. https://peachtech.gitlab.io/peach-fuzzer-community/. Accessed June 13, 2023.
[65]
Aschermann, C., Frassetto, T., Holz, T., Jauernig, P., Sadeghi, A., and Teuchert, D., NAUTILUS: Fishing for deep bugs with grammars, Proc. of Network and Distributed System Security Symposium, 2019.
[66]
Bradshaw, S., Fuzzer Automation with SPIKE. https://resources.infosecinstitute.com/topic/fuzzer-automation-with-spike/. Accessed June 13, 2023.
[67]
SPIKE Protocol Fuzzer Creation Kit. https://github.com/guilhermeferreira/spikepp. Accessed June 13, 2023.
[68]
Amini, P., Portnoy, A., and Sears, R., Sulley. https://github.com/OpenRCE/sulley. Accessed June 15, 2023.
[69]
Kaksonen R., Laakso M., and Takanen A. Communications and Multimedia Security Issues of the New Century, IFIP — The International Federation for Information Processing 2001
[70]
Banks G., Cova M., Felmetsger V., Almeroth K., Kemmerer R., and Vigna G. Information Security, ISC 2006. 2006
[71]
Abdelnur H. J., State R., and Festor O. KiF: A stateful SIP fuzzer 2007
[72]
Johansson, W., Svensson, M., Larson, U. E., Almgren, M., and Gulisano, V., T-Fuzz: Model-based fuzzing for robustness testing of telecommunication protocols, Proc. of IEEE 7th International Conference on Software Testing, Verification and Validation, 2014, pp. 323–332.
[73]
Trinity: Linux System Call Fuzzer. https://github.com/kernelslacker/trinity. Accessed June 13, 2023.
[74]
KernelFuzzer. https://github.com/FSecureLABS/KernelFuzzer. Accessed June 15, 2023.
[75]
Godefroid, P., Kiezun, A., and Levin, M. Y., Grammar-based whitebox fuzzing, Proc. of 29th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2008, pp. 206–215.
[76]
Pham, V.-T., Böhme, M., and Roychoudhury, A., Model-based whitebox fuzzing for program binaries, Proc. of 31st IEEE/ACM International Conference on Automated Software Engineering, 2016, pp. 543–553.
[77]
Kim, S. Y., Lee, S., Yun, I., Xu, W., Lee, B., Yun, Y., and Kim, T., CAB-Fuzz: Practical concolic testing techniques for COTS operating systems, Proc. of USENIX Annual Technical Conference, 2017, pp. 689–701.
[78]
DOMFuzz. https://github.com/MozillaSecurity/domfuzz. Accessed June 16, 2023.
[79]
Jzfunfuzz. https://github.com/MozillaSecurity/funfuzz. Accessed June 16, 2023.
[80]
Brubaker, C., Jana, S., Ray, B., Khurshid, S., Shmatikov, V., Using Frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations, Proc. of IEEE Symposium on Security and Privacy, 2014, pp. 114–129.
[81]
Kario, H., Tlfuzzer. https://github.com/tlsfuzzer/tlsfuzzer. Accessed June 16, 2023.
[82]
Somorovsky, J., Systematic fuzzing and testing of TLS libraries, Proc. of ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1492–1504.
[83]
Wang, J., Chen, B., Wei, L., and Liu, Y., Skyfire: Data-driven seed generation for fuzzing, Proc. of the IEEE Symposium on Security and Privacy, 2017, pp. 579–594.
[84]
Della Toffola, L., Staicu, C. A., and Pradel, M., Saying ‘hi!’ is not enough: Mining inputs for effective test generation, Proc. of 32nd IEEE/ACM International Conference on Automated Software Engineering, 2017, pp. 44–49.
[85]
Han, H., Oh, D., and Cha, S. K., CodeAlchemist: Semantics-aware code generation to find vulnerabilities in Javascript engines, Proc. of Network and Distributed System Security Symposium, 2019.
[86]
Han, H. and Cha, S. K., IMF: Inferred model-based fuzzer, Proc. of ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 2345–2358.
[87]
Godefroid, P., Peleg, H., and Singh, R., Learn&Fuzz: Machine learning for input fuzzing, Proc. of 32nd IEEE/ACM International Conference on Automated Software Engineering, 2017, pp. 50–59. https://arxiv.org/abs/1701.07232.
[88]
Liu, P., Zhang, X., Pistoia, M., Zheng, Y., Marques, M., and Zeng, L., Automatic text input generation for mobile testing, Proc. of IEEE/ACM 39th International Conference on Software Engineering (ICSE), 2017, pp. 643–653.
[89]
Höschele, M. and Zeller, A., Mining input grammars from dynamic taints, Proc. of 31st IEEE/ACM International Conference on Automated Software Engineering (ASE), 2016, pp. 720-725.
[90]
Bastani, O., Sharma, R., Aiken, A., and Liang, P., Synthesizing program input grammars, Proc. of 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, 2017, pp. 95-110. https://arxiv.org/abs/1608.01723.
[91]
Doupé, A., Cavedon, L., Kruegel, C., and Vigna, G., Enemy of the state: A state-aware black-box web vulnerability scanner, Proc. of 21st USENIX Security Symposium, 2012, pp. 523–538.
[92]
Gascon, H., Wressnegger, C., Yamaguchi, F., Arp, D., and Rieck, K., PULSAR: Stateful black-box fuzzing of proprietary network protocols, Proc. of International Conference on Security and Privacy in Communication Systems, 2015, pp. 330–347.
[93]
Helin, A., Radamsa. https://gitlab.com/akihe/radamsa. Accessed June 16, 2023.
[94]
Hocevar, S., Zzuf. https://github.com/samhocevar/zzuf. Accessed June 16, 2023.
[95]
Cha, S. K., Woo, M., and Brumley, D., Program-adaptive mutational fuzzing, Proc. of IEEE Symposium on Security and Privacy, 2015, pp. 725–741.
[96]
Kargén, U. and Shahmehri, N., Turning programs against each other: High coverage fuzz testing using binary-code mutation and dynamic slicing, Proc. of 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2015), 2015, pp. 782–792.
[97]
Moura L. D. and Bjørner N. Satisfiability modulo theories: Introduction and applications Communications of the ACM 2011 54 69-77
[98]
Gan, S., Zhang, C., Qin, X., Tu, X., Li, K., Pei, Z., and Chen, Z., CollAFL: Path sensitive fuzzing, Proc. of IEEE Symposium on Security and Privacy, 2018, pp. 679–696.
[99]
Rustamov F., Kim J., Yu J., and Yun J. Exploratory review of hybrid fuzzing for automated vulnerability detection IEEE Access 2021 9 131166-131190
[100]
Sen K., Marinov D., and Agha G. CUTE: A concolic unit testing engine for C ACM SIGSOFT Software Engineering Notes 2005 30 263-272
[101]
Godefroid P., Klarlund N., and Sen K. DART: Directed automated random testing ACM SIGPLAN Notices 2005 40 213-223
[102]
Cadar, C., Dunbar, D., and Engler, D., KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs, Proc. of the 8th USENIX conference on Operating System Design and Implementation, 2008, pp. 209–224.
[103]
Godefroid, P., Levin, M. Y., and Molnar, D. A., Automated whitebox fuzz testing, Proc. of Network and Distributed System Security Symposium, 2008, pp. 151–166.
[104]
Godefroid P., Levin M. Y., and Molnar D. SAGE: Whitebox fuzzing for security testing Communications of ACM 2012 55 40-44
[105]
Chipounov V., Kuznetsov V., and Candea G. S2E: A platform for in-vivo multi-path analysis of software systems ACM SIGARCH Computer Architecture News Notices 2011 46 265-278
[106]
Cha, S. K., Avgerinos, T., Rebert, A., and Brumley, D., Unleashing Mayhem on binary code, Proc. of IEEE Symposium on Security and Privacy, 2012, pp. 380–394.
[107]
Neugschwandtner, M., Comparetti, P. M., Haller, I., and Bos, H., The BORG: Nanoprobing binaries for buffer overreads, Proc. of 5th ACM Conference on Data and Application Security and Privacy (CODASPY '15), 2015, pp. 87–97.
[108]
Yun, I., Lee, S., Xu, M., Jang, Y., and Kim, T., QSYM: A practical concolic execution engine tailored for hybrid fuzzing, Proc. of 27th USENIX Security Symposium, 2018, pp. 745–761.
[109]
Sargsyan, S., Hakobyan, J., Mehrabyan, M., Mishechkin, M., Akozin, V., and Kurmangaleev, S., ISP-fuzzer: extendable fuzzing framework, Proc. of 2019 Ivannikov Memorial Workshop (IVMEM), 2019, pp. 68-71.
[110]
Mishechkin, M. V., Akolzin, V. V., and Kurmanga-leev, Sh. F., Architecture and functionality of the ISP Fuzzer tool, Ivannikov ISP RAS Open Conference, 2020.
[111]
Vishnyakov, A., Fedotov, A., Kuts, D., Novikov, A., Parygina, D., Kobrin, E., Logunova, V., Belecky, P., and Kurmangaleev, S., Sydr: Cutting edge dynamic symbolic execution, Ivannikov ISP RAS Open Conference (ISPRAS), 2020, pp. 46–54.
[112]
Aschermann, C., Schumilo, S., Blazytko, T., Gawlik, R., and Holz, T., REDQUEEN: Fuzzing with input-to-state correspondence, Proc. of Network and Distributed System Security Symposium, 2019.
[113]
Savidov G. and Fedotov A. Casr-Cluster: Crash clustering for Linux applications, 2021 Ivannikov ISPRAS Open Conference 2021
[114]
CASR: Crash Analysis and Severity Report. https://github.com/ispras/casr. Accessed December 5, 2023.
[115]
Molnar, D., Li, X. C., and Wagner, D. A., Dynamic test generation to find integer bugs in x86 binary Linux programs, Proc. of 18th USENIX Security Symposium, 2009, pp. 67–82.
[116]
Cui, W., Peinado, M., Cha, S. K., Fratantonio, Y., and Kemerlis, V. P., RETracer: Triaging crashes by reverse execution from partial memory dumps, Proc. of 38th International Conference on Software Engineering, 2016, pp. 820–831.
[117]
Regehr, J., Chen, Y., Cuoq, P., Eide, E., Ellison, C., and Yang, X., Test-case reduction for C compiler bugs, Proc. of ACM SIGPLAN Notices, 2012, vol. 47, no. 6, pp. 335–346.
[118]
Foote, J., GDB Exploitable Plugin. https://github.com/jfoote/exploitable. Accessed June 19, 2023.
[119]
Cadar, C., Ganesh, V., Pawlowski, P. M., Dill, D. L., and Engler, D., EXE: Automatically generating inputs of death, Proc. of 13th ACM Conference on Computer and Communications Security, 2006, pp 322–335.
[120]
KLEE Symbolic Virtual Machine. https://github.com/klee/klee.
[121]
Fioraldi, A., Maier, D., Eißfeldt, H., and Heuse, M., AFL++: Combining incremental steps of fuzzing research, Proc. of 14th USENIX Conference on Offensive Technologies (WOOT'20), USENIX Association, 2020.
[122]
AFL++. https://github.com/AFLplusplus/AFLplusplus. Accessed December 5, 2023.
[123]
Schumilo, S., Aschermann, C., Gawlik, R., Schinzel, S., and Holz, T., kAFL: Hardware-assisted feedback fuzzing for OS kernels, Proc. of 26th USENIX Security Symposium, 2017, pp. 167–182.
[124]
Boofuzz. https://github.com/jtpereyda/boofuzz. Accessed June 19, 2023.
[125]
Defensics. https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html. Accessed December 5, 2023.
[126]
Tsankov, P., Dashti, M. T., and Basin, D., SecFuzz: Fuzz-testing security protocols, Proc. of 7th International Workshop on Automation of Software Test (AST), 2012, pp. 1–7.
[127]
Munea T. L., Lim H., and Shon T. Network protocol fuzz testing for information systems and applications: A survey and taxonomy Multimedia Tools and Applications 2016 75 14745-14757
[128]
Yang X., Chen Y., Eide E., and Regehr J. Finding and understanding bugs in C compilers ACM SIGPLAN Notices 2011 46 283-294
[129]
Csmith. https://github.com/csmith-project/csmith. Accessed June 20, 2023.
[130]
Holler, C., Herzig, K., and Zeller, A., Fuzzing with code fragments, Proc. of 21th USENIX Security Symposium, 2012, pp. 445–458.
[131]
Ma, H., A survey of modern compiler fuzzing, 2023. https://arxiv.org/abs/2306.06884.
[132]
Henderson A., Yin H., Jin G., Han H., and Deng H. Research in Attacks, Intrusions, and Defenses (RAID 2017). LNCS 2017
[133]
Eceiza M., Flores J. L., and Iturbe M. Fuzzing the Internet of Things: A review on the techniques and challenges for efficient vulnerability discovery in embedded systems IEEE Internet of Things Journal 2021 8 10390-10411
[134]
Eisele, M., Maugeri, M., Shriwas, R., Huth, C., and Bella, G., Embedded fuzzing: A review of challenges, tools, and solutions, Cybersecurity, 2022, vol. 5, no. 1.
[135]
Yun J., Rustamov F., Kim J., and Shin Y. Fuzzing of embedded systems: A survey ACM Computing Surveys 2023 55 1-33
[136]
Whitehouse, O., Introduction to Anti-fuzzing: A Defence in Depth Aid. http://research.nccgroup.com/2014/01/02/introduction-to-anti-fuzzing-a-defence-in-depth-aid. Accessed December 5, 2023.
[137]
Edholm, E. and Göransson, D., Escaping the Fuzz – Evaluating Fuzzing Techniques and Fooling Them with Anti-Fuzzing, M.S. Thesis, Gothenburg: Chalmers University of Technology, 2016.
[138]
Collberg, C., Thomborson, C., and Low, D., Manufacturing cheap, resilient, and stealthy opaque constructs, Proc. of 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 1998, pp. 184–196.
[139]
Junod, P., Rinaldini, J., Wehrli, J., and Michielin, J., Obfuscator-LLVM—software protection for the masses, Proc. of 2015 IEEE/ACM 1st International Workshop on Software Protection, 2015, pp. 3–9.
[140]
Zhang, J., Li, Z., Liu, Y., Sun, Z., and Wang, Z., SAFTE: A Self-injection based anti-fuzzing technique, Computers and Electrical Enginerring, 2023, vol. 111, part B, 108980.
[141]
Cheng C. CC., Lin L., Shi C., and Guan Y. Digital Forensics 2023: Advances in Digital Forensics XIX, IFIP Advances in Information and communication Technology 2023
[142]
Zhou Z., Wang C., and Zhao Q. Security and Privacy in Communication Networks 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2023
[143]
Zhou Z. and Wang C. Practical anti-fuzzing techniques with performance optimization IEEE Open Journal of the Computer Society 2023 4 206-217
[144]
Jung, J., Hu, H., Solodukhin, D., Pagan, D., Lee, K. H., and Kim, T., FUZZIFICATION: Anti-fuzzing techniques, Proc. of 28th USENIX Conference on Security Symposium (SEC'19), 2019, pp. 1913–1930.
[145]
Güler, E., Aschermann, C., Abbasi, A., and Holz, T., ANTIFUZZ: Impeding fuzzing audits of binary executables, Proc. of 28th USENIX Conference on Security Symposium (SEC'19), 2019, pp. 1931–1947.
[146]
ANTIFUZZ. https://github.com/RUB-SysSec/antifuzz. Accessed December 5, 2023.
[147]
Li, Y., Meng, G., Xu, J., Zhang, C., Chen, H., Xie, X., Wang, H., and Liu, Y., Vall-nut: Principled anti-grey box – fuzzing, Proc. of IEEE 32nd International Symposium on Software Reliability Engineering, 2021, pp. 288–299.
[148]
Hu, Z., Hu, Y., and Dolan-Gavitt, B., Chaff Bugs: Deterring attackers by making software buggier, arXiv:1808.0065, 2018. https://arxiv.org/abs/1808.00659. Accessed December 5, 2023.
[149]
Kaprekar D. R. On Kaprekar numbers Journal of Recreational Mathematics 1980 13 81-82
[150]
Bartocci E. and Falcone Y. LNCS 10457 2018
[151]
Drusinsky, D., The Temporal Rover and the ATG Rover, in Havelund, K., Penix, J., and Visser., W. (eds), SPIN Model Checking and Software Verification (SPIN 2000). LNCS 1885, Springer, 2000, pp. 323–330.
[152]
Havelund, K. and Roşu, G., Java PathExplorer – A runtime verification tool, Proc. of 6th International Symposium on Artificial Intelligence, Robotics and Automation in Space (i-SAIRAS'01), 2001.
[153]
Leucker M. and Schallhart C. A brief account of runtime verification Journal of Logic and Algebraic Programming 2009 78 293-303
[154]
Falcone Y., Krstić S., Reger G., and Traytel D. A taxonomy for classifying runtime verification tools International Journal on Software Tools for Technology Transfer 2021 23 255-284
[155]
Sánchez C., Schneider G., Ahrendt W., Bartocci E., Bianculli D., Colombo C., Falcone Y., Francalanza A., Krstić S., Lourenço J. M., Nickovic D., Pace G. J., Rufino J., Signoles J., Traytel D., and Weiss A. A survey of challenges for runtime verification from advanced application domains (beyond software) Formal Methods in System Design 2019 54 279-335
[156]
Cavalli A. R., Higashino T., and Núñez M. A survey on formal active and passive testing with applications to the cloud Annals of Telecommunications 2015 70 85-93
[157]
Itkin, I. and Yavorskiy, R., Overview of applications of passive testing techniques, Modeling and Analysis of Complex Systems and Processes, 2019. https://ceur-ws.org/Vol-2478/paper9.pdf. Accessed June 20, 2023.
[158]
Edwards, A., Jaeger, T., and Zhang, X., Runtime verification of authorization hook placement for the Linux security modules framework, Proc. of 9th ACM Conference on Computer and Communications Security, 2002, pp. 225–234.
[159]
Sarrab, M. K., Policy-Based Runtime Verification of Information Flow, PhD Thesis, Leicester: Software Technology Research Laboratory, De Monfort University, 2011.
[160]
Efremov D. and Shchepetkov I. Runtime verification of Linux kernel security module, Proc. of International Workshop on Formal Methods, LNCS 12233 2020
[161]
Efremov, D. V., Kopach, V. V., Kornykhin, E. V., Kulyamin, V. V., Petrenko, A. K., Khoroshilov, A. V., and Shchepetkov, I. V., Monitoring and testing OS modules based on abstract models of the system’s behavior, Trudy Instituta systemnogo programmirovaniya RAN (Proc. of ISP RAS), 2021, vol. 33, no. 6, pp. 15–26.
[162]
Bartocci E., Bonakdarpour B., and Falcone Y. Runtime Verification 2014. LNCS 8734 2014
[163]
Falcone Y., Ničković D., Reger G., and Thoma D. Runtime Verification 2015. LNCS 9333 2015
[164]
Reger G., Hallé S., and Falcone Y. Runtime Verification 2016. LNCS 10012 2016
[165]
Delahaye, M., Kosmatov, N., and Signoles, J., Common specification language for static and dynamic analysis of C programs, Proc. of 28th Annual ACM Symposium on Applied Computing, 2013, pp. 1230–1235.
[166]
E-ACSL. https://frama-c.com/fc-plugins/e-acsl.html. Accessed June 21, 2023.
[167]
E-ACSL Code. https://github.com/evdenis/e-acsl. Accessed June 21, 2023.
[168]
ANSI/ISO C Specification Language. https://frama-c.com/html/acsl.html. Accessed June 21, 2023.
[169]
Navabpour, S., Joshi, Y., Wu, C. W. W., Berkovich, S., Medhat, R., Bonakdarpour, B., and Fischmeister, S., RiTHM: A tool for enabling time-triggered runtime verification for C programs, Proc. of 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2013), 2013, pp. 603–606.
[170]
Medhat R., Joshi Y., Bonakdarpour B., and Fischmeister S. Runtime Verification 2016, LNCS 10012 2016
[171]
Colombo, C., Pace, G. J., and Schneider, G., LARVA—safer monitoring of real-time Java programs, Proc. of 7th IEEE International Conference on Software Engineering and Formal Methods, 2009, pp. 33–37.
[172]
LARVA. http://www.cs.um.edu.mt/~svrg/Tools/LARVA/. Accessed June 21, 2023.
[173]
LARVA Code. https://github.com/ccol002/larva-rv-tool. Accessed June 21, 2023.
[174]
Colombo C., Pace G. J., and Schneider G. Dynamic event-based runtime monitoring of real-time and contextual properties, Proc. of Formal Methods for Industrial Critical Systems (FMICS 2008), LNCS 5596 2008
[175]
Luo Q., Zhang Y., Lee C., Jin D., O’Neil Meredith P., Serbanuta T.-F., and Roşu G. Runtime Verification 2014, LNCS 8734 2014
[176]
RV-Monitor Code. https://github.com/runtimeverification/rv-monitor. Accessed June 21, 2023.
[177]
Falcone Y., Meredith P., Şerbănuţă T. F., Shiriashi S., Iwai A., and Roşu G. Runtime Verification 2015. LNCS 9333 2015
[178]
Reger, G., Cruz, H. C., and Rydeheard, D. E., MarQ: Monitoring at runtime with QEA, Proc. of 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2015), LNCS 9035, Sringer, 2015, pp. 596-610.
[179]
Decker, N., Harder, J., Scheffel, T., Schmitz, M., and Thoma, D., Runtime monitoring with union-find structures, Proc. of 22nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2016), LNCS 9636, Springer, 2016, pp. 868–884.
[180]
Mufin Project. https://www.isp.uni-luebeck.de/mufin. Accessed June 21, 2023.
[181]
Serebryany, K., Bruening, D., Potapenko, A., and Vyukov, D., AddressSanitizer: A fast address sanity checker, Proc. of USENIX Annual Technical Conference, 2012, pp. 309–318.
[182]
AddressSanitizer. https://github.com/google/sanitizers/wiki/AddressSanitizer. Accessed June 22, 2023.
[183]
QASan (QEMU-AddressSanitizer). https://github.com/andreafioraldi/qasan. Accessed June 22, 2023.
[184]
Han, W., Joe, B., Lee, B., Song, C., and Shin, I., Enhancing memory error detection for large-scale applications and fuzz testing, Proc. of Network and Distributed System Security Symposium, 2018.
[185]
Nagarakatte S., Zhao J., Martin M. M. K., and Zdancewic S. SoftBound: Highly compatible and complete spatial memory safety for C ACM SIGPLAN Notices 2009 44 245-258
[186]
Nagarakatte S., Zhao J., Martin M. M. K., and Zdancewic S. CETS: Compiler enforced temporal safety for C ACM SIGPLAN Notices 2010 45 31-40
[187]
Lee, B., Song, C., Kim, T., and Lee, W., Type casting verification: Stopping an emerging attack vector, Proc. of 24th USENIX Security Symposium, 2015, pp. 81–96.
[188]
Haller, I., Jeon, Y., Peng, H., Payer, M., Giuffrida, C., Bos, H., and van der Kouwe, E., TypeSan: Practical type confusion detection, Proc. of ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 517–528.
[189]
Jeon, Y., Biswas, P., Carr, S., Lee, B., and Payer, M., HexType: Efficient detection of type confusion errors for C++, Proc. of ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 2373–2387.
[190]
Wang, X., Zeldovich, N., Kaashoek, M. F., and Solar-Lezama, A., Towards optimization-safe systems: Analyzing the impact of undefined behavior, Proc. of 24th ACM Symposium on Operating System Principles, 2013, pp. 260–275.
[191]
Valgrind. https://valgrind.org/. Accessed June 21, 2023.
[192]
Seward, J. and Nethercote, N., Using Valgrind to detect undefined value errors with bit-precision, Proc. of USENIX Annual Technical Conference, 2005, pp. 2.
[193]
Bruening, D. and Zhao, Q., Practical memory checking with Dr. Memory, Proc. of International Symposium on Code Generation and Optimization, 2011, pp. 213–223.
[194]
Stepanov, E. and Serebryany, K., MemorySanitizer: Fast detector of uninitialized memory use in C++, Proc. of IEEE/ACM International Symposium on Code Generation and Optimization, 2015, pp. 46-55.
[195]
MemorySanitizer in LLVM/Clang. https://clang.llvm.org/docs/MemorySanitizer.html. Accessed June 22, 2023.
[196]
Dietz W., Li P., Regehr J., and Adve V. Understanding integer overflow in C/C++ ACM Transactions on Software Engineering and Methodology 2015 25 1-29
[197]
UndefinedBehaviorSanitizer in LLVM/Clang. https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html. Accessed June 22, 2023.
[198]
Serebryany, K. and Iskhodzhanov, T., ThreadSanitizer: Data race detection in practice, Proc. of Workshop on Binary Instrumentation and Applications, 2009, pp. 62–71.
[199]
ThreadSanitizer in LLVM/Clang. https://clang.llvm.org/docs/ThreadSanitizer.html. Accessed June 22, 2023.
[200]
Boyer R. S., Elspas B., and Levitt K. N. SELECT—a formal system for testing and debugging programs by symbolic execution ACM SIGPLAN Notices 1975 10 234-245
[201]
Howden W. E. Methodology for the generation of program test data IEEE Transactions on Computers 1975 C-24 554-560
[202]
King, J. C., A new approach to program testing, Proc. of International Conference on Reliable Software, 1975, pp. 228–233.
[203]
King J. C. Symbolic execution and program testing Communications of the ACM 1976 19 385-394
[204]
Cadar C. and Sen K. Symbolic execution for software testing: Three decades later Communications of ACM 2013 56 82-90
[205]
Baldoni R., Coppa E., Cono D’Elia D., Demetrescu C., and Finocchi I. A survey of symbolic execution techniques ACM Computing Surveys 2018 51 1-39
[206]
Avgerinos, T., Cha, S. K., Lim, B.T.H., and Brumley, D., AEG: Automatic exploit generation, Proc. of Network and Distributed System Security Symposium, 2011, pp. 283–300.
[207]
Mi, X., Rawat, S., Giuffrida, C., and Bos, H., LeanSym: Efficient hybrid fuzzing through conservative constraint debloating, Proc. of 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '21), 2012, pp. 62–77.
[208]
Godefroid P. Compositional dynamic test generation ACM SIGPLAN Notices 2007 42 47-54
[209]
Godefroid, P. and Luchaup, D., Automatic partial loop summarization in dynamic test generation, Proc. of International Symposium on Software Testing and Analysis (ISSTA’11), 2011, pp. 23-33.
[210]
Xie, X., Chen, B., Liu, Y., Le, W., and Li, X., Proteus: Computing disjunctive loop summary via path dependency analysis, Proc. of 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’16), 2016, pp. 61–72.
[211]
McMillan, K. L., Lazy annotation for program testing and verification, Proc. of 22nd International Conference on Computer Aided Verification (CAV’10), LNCS 6174, 2010, pp. 104–118.
[212]
Yi, Q., Yang, Z., Guo, S., Wang, C., Liu, J., and Zhao, C., Postconditioned symbolic execution, Proc. of IEEE 8th International Conference on Software Testing, Verification and Validation (ICST), 2015, pp. 1–10.
[213]
Kuznetsov V., Kinder J., Bucur S., and Candea G. Efficient state merging in symbolic execution ACM SIGPLAN Notices 2012 47 193-204
[214]
Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M. G., Liang, Z., Newsome, J., Poosankam, P., and Saxena, P., BitBlaze: A new approach to computer security via binary analysis, Proc. of 4th International Conference on Information Systems Security ((ICISS’08), LNCS 5352, 2008, pp. 1–25.
[215]
BitBlaze: Binary Analysis for Computer Security. http://bitblaze.cs.berkeley.edu/. Accessed June 27, 2023.
[216]
Brumley, D., Jager, I., Avgerinos, T., and Schwartz, E. J., BAP: A binary analysis platform, Proc. of 23rd International Conference on Computer Aided Verification (CAV’11), LNCS 6806, 2011, pp. 463–469.
[217]
Kus, D., Towards symbolic pointers reasoning in dynamic symbolic execution, arXiv2109.03698, 2022. https://arxiv.org/abs/2109.03698. Accessed December 5, 2023.
[218]
Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., Grosen, J., Feng, S., Hauser, C., Kruegel, C., and Vigna, G., SOK: (State of) the art of war: Offensive techniques in binary analysis, Proc. of IEEE Symposium on Security and Privacy, 2016, pp. 138–157.
[219]
Poeplau, S. and Francillon, A., Symbolic execution with SymCC: Don’t interpret, compile! Proc. of 29th USENIX Security Symposium, 2020, pp. 181–198.
[220]
Borzacchiello, L., Coppa, E., and Demetrescu, C., FUZZOLIC: Mixing fuzzing and concolic execution, Computers and Security, 2021, vol. 108, no. C.
[221]
Wang, T., Wei, T., Lin, Z., and Zhou, W., IntScope: Automatically detecting integer overflow vulnerability in x86 binary using symbolic execution, Proc of Network and Distributed System Security Simposium, 2009.
[222]
Chen, Y., Li, P., Xu, J., Guo, S., Zhou, R., Zhang, Y., Wei, T., and Lu, L., SAVIOR: Towards bug-driven hybrid testing, Proc. of IEEE Symposium on Security and Privacy, 2020, pp. 1580–1596. https://arxiv.org/abs/1906.07327.
[223]
Österlund, S., Razavi, K., Bos, H., and Giuffrida, C., ParmeSan: Sanitizer-guided greybox fuzzing, Proc. of 29th USENIX Conference on Security (SEC'20), pp. 2289–2306.
[224]
Dovgalyuk, P. M., Klimushenkova, M. A., Fursova, N. I., Stepanov V. M., Vasiliev I. A., Ivanov, A. A., Ivanov, A. V., Bakulin, M. G., and Egorov, D. I., Natch: detecting the software attack surface with virtual machine introspection and taint analysis, Trudy Instituta systemnogo programmirovaniya RAN (Proc. of ISP RAS), 2022, vol. 34, no. 5, pp. 89–110.
[225]
Isaev I. K. and Sidorov D. V. The use of dynamic analysis for generation of input data that demonstrates critical bugs and vulnerabilities in programs Programming and Computer Software 2010 36 225-236
[226]
Ermakov, M. K. and Gerasimov, A. Yu., Avalanche: using parallel and distributed dynamic software analysis to improve defect detection, Trudy Instituta systemnogo programmirovaniya RAN (Proc. of ISP RAS), 2013, vol. 25, pp. 29–38.
Recommendations
Verifying data- and control-oriented properties combining static and runtime verification: theory and tools
Static verification techniques are used to analyse and prove properties about programs before they are executed. Many of these techniques work directly on the source code and are used to verify data-oriented properties over all possible executions. The ...
Bounded model checking of high-integrity software
HILT '13: Proceedings of the 2013 ACM SIGAda annual conference on High integrity language technologyModel checking [5] is an automated algorithmic technique for exhaustive verification of systems, described as finite state machines, against temporal logic [9] specifications. It has been used successfully to verify hardware at an industrial scale [6]. ...
Discover deeper bugs with dynamic symbolic execution and coverage‐based fuzz testing
Coverage‐based fuzz testing and dynamic symbolic execution are both popular program testing techniques. However, on their own, both techniques suffer from scalability problems when considering the complexity of modern software. Hybrid testing methods ...
Comments
Information & Contributors
Information
Published In
© Pleiades Publishing, Ltd. 2024. ISSN 0361-7688, Programming and Computer Software, 2024, Vol. 50, No. 1, pp. 90–114. © Pleiades Publishing, Ltd., 2024. Russian Text © The Author(s), 2023, published in Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS), 2023, Vol. 35, No. 4.
Publisher
Plenum Press
United States
Publication History
Published: 01 February 2024
Accepted: 25 December 2023
Revision received: 19 December 2023
Received: 17 December 2023
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 24 Jan 2025