DOI: 10.1109/ICSE-Companion.2019.00033

Mockingbird: a framework for enabling targeted dynamic analysis of Java programs

Published: 25 May 2019

Abstract

The paper presents the Mockingbird framework that combines static and dynamic analyses to yield an efficient and scalable approach to analyze large Java software. The framework is an innovative integration of existing static and dynamic analysis tools and a newly developed component called the Object Mocker that enables the integration. The static analyzers are used to extract potentially vulnerable parts from large software. Targeted dynamic analysis is used to analyze just the potentially vulnerable parts to check whether the vulnerability can actually be exploited.
We present a case study to illustrate the use of the framework to analyze complex software vulnerabilities. The case study is based on a challenge application from the DARPA Space/Time Analysis for Cybersecurity (STAC) program. Interestingly, the challenge program had been hardened and was thought not to be vulnerable. Yet, using the framework we could discover an unintentional vulnerability that can be exploited for a denial of service attack. The accompanying demo video depicts the case study.
Video: https://youtu.be/m9OUWtocWPE

Published In

ICSE '19: Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings
May 2019
369 pages

Publisher

IEEE Press

Author Tags

  1. dynamic analysis
  2. fuzzing
  3. software vulnerability
  4. static analysis

Qualifiers

  • Research-article

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
