
SwordDTA: A dynamic taint analysis tool for software vulnerability detection

  • Section: Security of Information System
  • Journal: Wuhan University Journal of Natural Sciences

Abstract

Software vulnerabilities are the root cause of many information security incidents, and dynamic taint analysis is an emerging program analysis technique for finding them. In this paper, to make the most of this technique for software vulnerability detection, we present SwordDTA, a tool that performs dynamic taint analysis on binaries. The tool is flexible and extensible, and it works with commodity software and hardware. It detects software vulnerabilities by combining vulnerability modeling with taint checks. We evaluate it on a number of commonly used real-world applications. The experimental results show that SwordDTA detects at least four kinds of software vulnerabilities, namely buffer overflow, integer overflow, division by zero and use-after-free, and is applicable to a wide range of software.
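The abstract names the two ingredients of the approach, taint propagation from untrusted input and a vulnerability model that checks tainted values at dangerous sinks, but the page does not show how they fit together. The following is an added illustration, not SwordDTA's own code (the paper's internals are not reproduced here): a toy taint-tracking interpreter in Python over a constructed instruction trace. The register machine, the instruction set (`input`, `add`, `udiv`, `alloc`, `free`, `load`, `store`), the allocator and the three attacker-controlled input values are all invented for the example; a real tool such as SwordDTA instruments x86 binaries at the instruction level, which this toy does not model.

```python
"""Toy dynamic taint analysis over a constructed instruction trace.
Added example, not SwordDTA code: taint propagation plus per-sink checks
(the 'vulnerability model') flag the four bug classes named in the abstract.
"""

MASK32 = 0xFFFFFFFF


class TaintVM:
    """Runs a toy 32-bit register/memory trace while tracking taint from 'input'."""

    def __init__(self, untrusted_input):
        self.inputs = list(untrusted_input)  # constructed attacker-controlled values
        self.regs = {}                       # register -> concrete value
        self.tainted = set()                 # registers derived from untrusted input
        self.mem = {}                        # address -> value
        self.mem_tainted = set()             # addresses holding tainted data
        self.heap = {}                       # allocation base -> size
        self.freed = set()                   # bases that have been freed
        self.next_base = 0x1000              # toy allocator; bases are never reused
        self.findings = []                   # (kind, pc, detail)

    def _val(self, x):                       # operand is a register name or an immediate
        return self.regs[x] if isinstance(x, str) else x

    def _taint(self, x):                     # immediates are never tainted
        return isinstance(x, str) and x in self.tainted

    def _set(self, dst, value, tainted):
        self.regs[dst] = value & MASK32
        (self.tainted.add if tainted else self.tainted.discard)(dst)

    def run(self, trace):
        for pc, ins in enumerate(trace):
            getattr(self, "op_" + ins[0])(pc, *ins[1:])
        return self.findings

    def op_input(self, pc, dst):             # taint source
        self._set(dst, self.inputs.pop(0), True)

    def op_add(self, pc, dst, a, b):         # propagation plus overflow check
        full = self._val(a) + self._val(b)
        t = self._taint(a) or self._taint(b)
        if t and full != (full & MASK32):    # tainted result wraps at 32 bits
            self.findings.append(("integer_overflow", pc, f"add wrapped to {full & MASK32:#x}"))
        self._set(dst, full, t)

    def op_udiv(self, pc, dst, a, b):        # sink: tainted divisor
        divisor = self._val(b)
        if self._taint(b) and divisor == 0:
            self.findings.append(("division_by_zero", pc, "tainted divisor is zero"))
            self._set(dst, 0, True)          # record the finding and keep executing
            return
        self._set(dst, self._val(a) // divisor, self._taint(a) or self._taint(b))

    def op_alloc(self, pc, dst, size):
        base, self.next_base = self.next_base, self.next_base + 0x1000
        self.heap[base] = self._val(size)
        self._set(dst, base, False)

    def op_free(self, pc, base):             # size stays in self.heap for later checks
        self.freed.add(self._val(base))

    def _check_access(self, pc, base, idx, what):
        b, i = self._val(base), self._val(idx)
        if b in self.freed:
            self.findings.append(("use_after_free", pc, f"{what} through freed allocation {b:#x}"))
        size = self.heap.get(b)
        if size is not None and self._taint(idx) and not 0 <= i < size:
            self.findings.append(("buffer_overflow", pc, f"tainted index {i} outside {size}-byte buffer"))
        return (b + i) & MASK32

    def op_store(self, pc, base, idx, src):  # sink: tainted index or freed base
        addr = self._check_access(pc, base, idx, "write")
        self.mem[addr] = self._val(src)
        (self.mem_tainted.add if self._taint(src) else self.mem_tainted.discard)(addr)

    def op_load(self, pc, dst, base, idx):   # loaded value inherits the cell's taint
        addr = self._check_access(pc, base, idx, "read")
        self._set(dst, self.mem.get(addr, 0), addr in self.mem_tainted)


def demo_findings():
    """Constructed trace: three untrusted values reach four vulnerable sinks."""
    trace = [
        ("alloc", "r0", 16),            # 16-byte buffer, base address in r0
        ("input", "r1"),                # attacker-chosen index (32)
        ("store", "r0", "r1", 0x41),    # tainted index past the buffer end
        ("input", "r2"),                # attacker-chosen divisor (0)
        ("udiv", "r3", 100, "r2"),      # tainted divisor reaches a division
        ("input", "r4"),                # attacker-chosen length (0xFFFFFFF0)
        ("add", "r5", "r4", 0x20),      # 0x100000010 wraps to 0x10 in 32 bits
        ("free", "r0"),
        ("load", "r6", "r0", 0),        # read through the freed buffer
    ]
    return TaintVM(untrusted_input=[32, 0, 0xFFFFFFF0]).run(trace)


if __name__ == "__main__":
    for kind, pc, detail in demo_findings():
        print(f"pc={pc} {kind}: {detail}")
```

The point of the split is that the checks only fire on values that carry taint: an out-of-range index or a zero divisor computed from constants is left alone, which is what keeps a taint-based detector from drowning in reports on ordinary program behaviour. The use-after-free check is the exception, since a freed base is dangerous regardless of where the index came from. Real binaries need far more than this (byte-granular memory taint, implicit flows through comparisons, library-call summaries for taint sources like `read` and `recv`), and the choice of which sinks and which taint conditions to model is exactly the "vulnerability modeling" the abstract refers to.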



Author information


Corresponding author

Correspondence to Peng Zou.

Additional information

Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2012AA012902) and the “HGJ” National Major Technological Projects (2013ZX01045-004)

Biography: CAI Jun, male, Ph.D. candidate, research direction: information security, network security and software security.


Cite this article

Cai, J., Zou, P., Ma, J. et al. SwordDTA: A dynamic taint analysis tool for software vulnerability detection. Wuhan Univ. J. Nat. Sci. 21, 10–20 (2016). https://doi.org/10.1007/s11859-016-1133-1


  • DOI: https://doi.org/10.1007/s11859-016-1133-1
