Abstract
Software vulnerabilities are the root cause of many information security incidents, and dynamic taint analysis is an emerging program analysis technique for finding them. In this paper, to make the most of this technique for detecting software vulnerabilities, we present SwordDTA, a tool that performs dynamic taint analysis on binaries. The tool is flexible and extensible, and it works with commodity software and hardware. It detects software vulnerabilities by combining vulnerability modeling with taint checking. We evaluate it on a number of commonly used real-world applications. The experimental results show that SwordDTA is capable of detecting at least four kinds of software vulnerabilities, namely buffer overflow, integer overflow, division by zero and use-after-free, and that it is applicable to a wide range of software.
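The following is an added illustration, not SwordDTA's code: a minimal Python model of the approach the abstract describes, in which every value carries a taint bit that propagates through operations, and four vulnerability models (tainted copy length, tainted wrap-around, tainted zero divisor, dereference after free) raise alerts at the sink. The class, function and address values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Tv:              # a value plus a taint bit: True if derived from untrusted input
    v: int
    tainted: bool = False

def source(x: int) -> Tv:          # taint source: data read from an untrusted input
    return Tv(x, True)

class Tracker:
    """Propagates taint through operations and applies simple vulnerability models."""
    BITS = 32                      # modelled machine word width
    def __init__(self):
        self.alerts, self.freed = [], set()   # findings; addresses passed to free()

    def add(self, a: Tv, b: Tv) -> Tv:
        full = a.v + b.v
        if (a.tainted or b.tainted) and full >= (1 << self.BITS):
            self.alerts.append("integer-overflow")     # tainted operand wrapped around
        return Tv(full % (1 << self.BITS), a.tainted or b.tainted)

    def div(self, a: Tv, b: Tv) -> Tv:
        if b.tainted and b.v == 0:
            self.alerts.append("division-by-zero")     # untrusted divisor is zero
            return Tv(0, True)
        return Tv(a.v // b.v, a.tainted or b.tainted)

    def memcpy(self, dst_size: int, n: Tv) -> None:
        if n.tainted and n.v > dst_size:
            self.alerts.append("buffer-overflow")      # untrusted length exceeds buffer

    def free(self, ptr: Tv) -> None:
        self.freed.add(ptr.v)

    def deref(self, ptr: Tv) -> None:
        if ptr.v in self.freed:
            self.alerts.append("use-after-free")       # pointer targets freed memory

def run_trace() -> list:
    """Constructed trace exercising all four models; returns the alerts raised."""
    t = Tracker()
    t.memcpy(256, source(300))            # 300 untrusted bytes into a 256-byte buffer
    t.add(source(0xFFFFFFFF), Tv(1))      # tainted operand wraps in 32 bits
    t.div(Tv(10), source(0))              # untrusted divisor equal to zero
    p = Tv(0x1000)                        # constructed heap address
    t.free(p)
    t.deref(p)
    return t.alerts
```

A real binary-level tracker does the same bookkeeping per byte of memory and register under a dynamic instrumentation framework; the models here only capture the checks applied at each sink.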
Additional information
Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2012AA012902) and the “HGJ” National Major Technological Projects (2013ZX01045-004)
Biography: CAI Jun, male, Ph.D. candidate, research direction: information security, network security and software security.
Cai, J., Zou, P., Ma, J. et al. SwordDTA: A dynamic taint analysis tool for software vulnerability detection. Wuhan Univ. J. Nat. Sci. 21, 10–20 (2016). https://doi.org/10.1007/s11859-016-1133-1
DOI: https://doi.org/10.1007/s11859-016-1133-1