Article

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection

Authors:

Tielei Wang,

Tao Wei,

Guofei Gu,

Wei ZouAuthors Info & Claims

SP '10: Proceedings of the 2010 IEEE Symposium on Security and Privacy

Pages 497 - 512

https://doi.org/10.1109/SP.2010.37

Published: 16 May 2010 Publication History

Publisher Site

Abstract

Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated malformed inputs are rejected in the early stage of program running, especially when target programs employ checksum mechanisms to verify the integrity of inputs. In this paper, we present TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem. TaintScope has several novel contributions: 1) TaintScope is the first checksum-aware fuzzing tool to the best of our knowledge. It can identify checksum fields in input instances, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control flow alteration. 2) TaintScope is a directed fuzzing tool working at X86 binary level (on both Linux and Window). Based on fine-grained dynamic taint tracing, TaintScope identifies which bytes in a well-formed input are used in security-sensitive operations (e.g., invoking system/library calls) and then focuses on modifying such bytes. Thus, generated inputs are more likely to trigger potential vulnerabilities. 3) TaintScope is fully automatic, from detecting checksum, directed fuzzing, to repairing crashed samples. It can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 27 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Google Picasa, Microsoft Paint, and ImageMagick. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). Corresponding patches from vendors are released or in progress based on our reports.

Cited By

View all

Zhang YLiu TWang YQi YJi KTang JWang XLi XZuo Z(2024)HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware TracingProceedings of the ACM on Programming Languages10.1145/36897688:OOPSLA2(1615-1640)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689768
Yadav AWilson JHuyen PTan SMechtaev SKhurshid S(2024)BOSS: A dataset to train ML-based systems to repair programs with out-of-bounds write flawsProceedings of the 5th ACM/IEEE International Workshop on Automated Program Repair10.1145/3643788.3648013(26-33)Online publication date: 20-Apr-2024
https://dl.acm.org/doi/10.1145/3643788.3648013
She DStorek AXie YKweon SSrivastava PJana S(2024)FOX: Coverage-guided Fuzzing as Online Stochastic ControlProceedings of the 17th ACM/IEEE International Workshop on Search-Based and Fuzz Testing10.1145/3643659.3648562(57-58)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3643659.3648562
Show More Cited By

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis

Recommendations

History and Future of Automated Vulnerability Analysis
SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

The software upon which our modern society operates is riddled with security vulnerabilities. These vulnerabilities allow hackers access to our sensitive data and make our system insecure. To identify vulnerabilities in software, human experts, or ...
Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program ...
FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs (Competition Contribution)
Fundamental Approaches to Software Engineering
Abstract
We describe and evaluate a novel white-box fuzzer for C programs named FuSeBMC, which combines fuzzing and symbolic execution, and applies Bounded Model Checking (BMC) to find security vulnerabilities in C programs. FuSeBMC explores and analyzes C ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SP '10: Proceedings of the 2010 IEEE Symposium on Security and Privacy

May 2010

504 pages

ISBN:9780769540351

Publisher

IEEE Computer Society

United States

Publication History

Published: 16 May 2010

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

95
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zhang YLiu TWang YQi YJi KTang JWang XLi XZuo Z(2024)HardTaint: Production-Run Dynamic Taint Analysis via Selective Hardware TracingProceedings of the ACM on Programming Languages10.1145/36897688:OOPSLA2(1615-1640)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689768
Yadav AWilson JHuyen PTan SMechtaev SKhurshid S(2024)BOSS: A dataset to train ML-based systems to repair programs with out-of-bounds write flawsProceedings of the 5th ACM/IEEE International Workshop on Automated Program Repair10.1145/3643788.3648013(26-33)Online publication date: 20-Apr-2024
https://dl.acm.org/doi/10.1145/3643788.3648013
She DStorek AXie YKweon SSrivastava PJana S(2024)FOX: Coverage-guided Fuzzing as Online Stochastic ControlProceedings of the 17th ACM/IEEE International Workshop on Search-Based and Fuzz Testing10.1145/3643659.3648562(57-58)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3643659.3648562
Kuliamin V(2024)A Survey of Software Dynamic Analysis MethodsProgramming and Computing Software10.1134/S036176882401007950:1(90-114)Online publication date: 1-Feb-2024
https://dl.acm.org/doi/10.1134/S0361768824010079
Jonáš MStrejček JTrtík MUrban L(2024)Gray-Box Fuzzing via Gradient Descent and Boolean Expression CoverageTools and Algorithms for the Construction and Analysis of Systems10.1007/978-3-031-57256-2_5(90-109)Online publication date: 6-Apr-2024
https://dl.acm.org/doi/10.1007/978-3-031-57256-2_5
Mallissery SWu Y(2023)Demystify the Fuzzing Methods: A Comprehensive SurveyACM Computing Surveys10.1145/362337556:3(1-38)Online publication date: 5-Oct-2023
https://dl.acm.org/doi/10.1145/3623375
Humayun AKim MGulzar MChandra SBlincoe KTonella P(2023)Co-dependence Aware Fuzzing for Dataflow-Based Big Data AnalyticsProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616298(1050-1061)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616298
Liu ZChen CAhmed EZhang JLiu D(2023)WinkFuzz: Model-based Script Synthesis for FuzzingProceedings of the Third International Symposium on Advanced Security on Software and Systems10.1145/3591365.3592946(1-12)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3591365.3592946
Contreras CDokic HHuang ZStan Raicu DFurst JTchoua R(2023)Multiclass Classification of Software Vulnerabilities with Deep LearningProceedings of the 2023 15th International Conference on Machine Learning and Computing10.1145/3587716.3587738(134-140)Online publication date: 17-Feb-2023
https://dl.acm.org/doi/10.1145/3587716.3587738
Deng PYang ZZhang LYang GHong WZhang YYang MMeng WJensen CCremers CKirda E(2023)NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing LogicProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623103(1272-1286)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623103
Show More Cited By

Abstract

Cited By

Recommendations

History and Future of Automated Vulnerability Analysis

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

FuSeBMC: A White-Box Fuzzer for Finding Security Vulnerabilities in C Programs (Competition Contribution)

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations