DOI: 10.1145/3663529.3663812

Rapid Taint Assisted Concolic Execution (TACE)

Published: 10 July 2024

    Abstract

    While fuzz testing is a popular choice for testing open-source software, it may fail to detect bugs in programs whose inputs involve many symbols, because the number of program executions that must be explored grows sharply with the number of symbols. Fuzzers can be more effective when they concentrate on a smaller, more relevant set of symbols and focus on the key executions. We present rapid Taint Assisted Concolic Execution (TACE), which uses the concept of taint within symbolic execution to identify all sets of mutually dependent symbols. TACE can then evaluate a subset of these sets with significantly reduced testing effort by concretizing some symbols from selected subsets; the remaining subsets are explored with symbolic values. TACE significantly improves speed, achieving a 50x reduction in constraint-solving time over SymQEMU on binary applications. In our fuzzing campaign we tested five popular open-source libraries (minizip-ng, tcpdump, GifLib, OpenJpeg, bzip2) and identified a new heap buffer overflow in GifLib 5.2.1, the latest version at the time, which was assigned CVE-2023-48161. Under identical conditions and hardware, SymCC could not identify the same issue, underscoring TACE's enhanced capability to discover real-world vulnerabilities quickly.
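The mechanism the abstract sketches, as an added illustration that is not TACE's own code and makes no claim about how TACE is implemented: a toy input checker is run on a constructed seed input; each branch records which input byte positions it read (the taint of its operands) and its outcome; bytes read together by any branch on the path prefix are merged into dependent symbol sets with union-find; to flip a branch, only the dependent set containing that branch's bytes stays symbolic while every other byte is concretized to the seed's value, so the solver (a brute-force search here, standing in for an SMT solver) enumerates only those bytes. The toy format, branch ids, constraints and the seed are all constructed for this example.

```python
"""Toy taint-grouped concolic execution (constructed illustration, not TACE's
code). A tiny input checker is run on a seed; every branch records the input
byte positions it read (the taint of its operands) and the outcome. Branches
that share bytes are merged into dependent symbol sets; to flip a branch we
keep only the set that branch depends on symbolic and concretize everything
else to the seed's bytes, so the search is over a few bytes, not the whole
input."""
from collections import namedtuple
from itertools import product

Branch = namedtuple("Branch", "bid syms pred taken")   # one recorded branch

def run_traced(inp: bytes):
    """Run the toy checker on inp, recording each branch's taint and outcome."""
    path = []
    def branch(bid, syms, pred):
        taken = pred(tuple(inp[i] for i in syms))
        path.append(Branch(bid, syms, pred, taken))
        return taken
    if not branch("A", (0, 1), lambda v: v == (0x54, 0x41)):   # magic "TA"
        return path, "bad magic"
    if not branch("B", (2,), lambda v: v[0] >= 2):              # version >= 2
        return path, "old version"
    if not branch("C", (3, 4), lambda v: (v[0] + v[1]) & 0xFF == 0x2A):
        return path, "bad checksum"
    if not branch("D", (5, 2), lambda v: v[0] < v[1]):          # len < version
        return path, "bad length"
    return path, "accepted"

def dependent_sets(path):
    """Union-find over the taint of each branch: bytes read together by any
    branch end up in the same dependent set. Returns sorted tuples."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for br in path:
        root = find(br.syms[0])
        for s in br.syms[1:]:
            parent[find(s)] = root
    groups = {}
    for s in parent:
        groups.setdefault(find(s), set()).add(s)
    return sorted(tuple(sorted(g)) for g in groups.values())

def solve(wants, seed: bytes, symbolic):
    """Search only the symbolic byte positions; all others keep the seed's
    values. wants = [(syms, pred, wanted outcome)]. Constraints that touch no
    symbolic byte are fully concrete and are checked once, not per candidate.
    Returns (new input or None, number of candidates tried)."""
    symbolic = sorted(symbolic)
    fixed = [w for w in wants if not set(w[0]) & set(symbolic)]
    live = [w for w in wants if set(w[0]) & set(symbolic)]
    buf = bytearray(seed)
    if any(pred(tuple(buf[i] for i in syms)) != want for syms, pred, want in fixed):
        return None, 0                      # concretized prefix already violated
    tried = 0
    for vals in product(range(256), repeat=len(symbolic)):
        tried += 1
        for pos, v in zip(symbolic, vals):
            buf[pos] = v
        if all(pred(tuple(buf[i] for i in syms)) == want for syms, pred, want in live):
            return bytes(buf), tried
    return None, tried                      # negated branch is unsatisfiable

def flip(seed: bytes, target_bid: str):
    """Concolic step: re-run seed, negate branch target_bid, keep the prefix,
    and solve with only the target's dependent set symbolic."""
    path, _ = run_traced(seed)
    idx = next(i for i, b in enumerate(path) if b.bid == target_bid)
    prefix, target = path[:idx + 1], path[idx]
    symbolic = set()
    for group in dependent_sets(prefix):
        if set(group) & set(target.syms):
            symbolic |= set(group)
    wants = [(b.syms, b.pred, b.taken) for b in prefix[:-1]]
    wants.append((target.syms, target.pred, not target.taken))
    new_input, tried = solve(wants, seed, symbolic)
    return {"new_input": new_input, "candidates_tried": tried,
            "symbolic_bytes": len(symbolic), "total_bytes": len(seed)}

SEED = b"TA\x03\x00\x00\x00"   # constructed seed: passes A and B, fails C

if __name__ == "__main__":
    print(dependent_sets(run_traced(SEED)[0]))
    step = flip(SEED, "C")
    print(step, run_traced(step["new_input"])[1])
    print(flip(step["new_input"], "D"))
```

On the constructed seed, flipping branch C keeps only bytes 3 and 4 symbolic (2 of 6) and reaches a checksum-satisfying input after 43 candidates; flipping D on that input keeps bytes 2 and 5 symbolic, because D reads byte 2 together with B, and needs 515 candidates. Exhaustive search over all six bytes would be 256^6 assignments. Two caveats a practitioner should keep in mind: the partition into dependent sets is computed per path prefix, so it can change as branches are added, and `solve` returns `None` when the negated branch cannot be satisfied with the remaining bytes concretized, which is the signal to widen the symbolic set rather than give up on the branch.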


    Published In

    FSE 2024: Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering
    July 2024, 715 pages
    ISBN: 9798400706585
    DOI: 10.1145/3663529

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. Fuzzing
    2. Symbolic Execution
    3. Taint Assisted Concolic Execution

    Qualifiers

    • Research-article

    Conference

    FSE '24

    Acceptance Rates

    Overall Acceptance Rate 112 of 543 submissions, 21%
