ABSTRACT
We present Splat, a tool for automatically generating inputs that lead to memory safety violations in C programs. Splat performs directed random testing of the code, guided by symbolic execution. However, instead of representing the entire contents of an input buffer symbolically, Splat tracks only a prefix of the buffer symbolically, and a symbolic length that may exceed the size of the symbolic prefix. The part of the buffer beyond the symbolic prefix is filled with concrete random inputs. The use of symbolic buffer lengths makes it possible to compactly summarize the behavior of standard buffer manipulation functions, such as string library functions, leading to a more scalable search for possible memory errors. While reasoning only about prefixes of buffer contents makes the search theoretically incomplete, we experimentally demonstrate that the symbolic length abstraction is both scalable and sufficient to uncover many real buffer overflows in C programs. In experiments on a set of benchmarks developed independently to evaluate buffer overflow checkers, Splat was able to detect buffer overflows quickly, sometimes several orders of magnitude faster than when symbolically representing entire buffers. Splat was also able to find two previously unknown buffer overflows in a heavily-tested storage system.
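The length abstraction described above, as an added example that is not code from the Splat paper or its authors: an input is built from a short prefix that is explored explicitly (standing in for the symbolic prefix), a length that may exceed the prefix, and a random concrete tail. The only library call, strcpy, is summarised purely in terms of lengths, so the search for a violation sweeps lengths instead of byte values. The code under test (`parse_record`), the 16-byte field, the candidate prefixes and all other names are constructed for this example; a real tool would obtain the prefixes from a constraint solver rather than from a caller-supplied list.

```c
/* Added example (not from the Splat paper): a toy model of length abstraction.
 * strcpy is summarised by lengths alone, and the search for an overflow
 * enumerates (prefix, length) pairs with a random concrete tail. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_CAP 16   /* capacity of the fixed-size field under test (constructed) */
#define MAX_LEN   64   /* upper bound on the input length we search */

/* A buffer with a shadow capacity, so library calls can be checked. */
typedef struct {
    char   data[MAX_LEN + 1];
    size_t cap;           /* logical allocation size being modelled */
} tracked_buf;

static int violations;    /* overflows reported by the summaries */

/* Length summary of strcpy: it writes strlen(src)+1 bytes into dst,
 * so the call is unsafe exactly when src_len + 1 > dst_cap.  The byte
 * values of src play no role, which is what makes a length search cheap. */
int strcpy_overflows(size_t src_len, size_t dst_cap) {
    return src_len + 1 > dst_cap;
}

/* Checked strcpy: consults the summary and records a violation instead of
 * writing past the modelled capacity. */
void checked_strcpy(tracked_buf *dst, const char *src) {
    size_t n = strlen(src);
    if (strcpy_overflows(n, dst->cap)) { violations++; return; }
    memcpy(dst->data, src, n + 1);
}

/* Code under test (constructed): records of the form "id:<value>" copy the
 * value into a 16-byte field.  The branch depends only on the first three
 * bytes; whether the copy overflows depends only on the length. */
void parse_record(const char *input) {
    tracked_buf field = { .cap = FIELD_CAP };
    if (strncmp(input, "id:", 3) == 0)
        checked_strcpy(&field, input + 3);
}

/* Build a concrete input: explicit prefix bytes, random letters for the tail. */
void build_input(char *out, const char *prefix, size_t len) {
    size_t plen = strlen(prefix);
    for (size_t i = 0; i < len; i++)
        out[i] = i < plen ? prefix[i] : (char)('a' + rand() % 26);
    out[len] = '\0';
}

/* Sweep the length for one prefix.  Returns the smallest total input length
 * that triggers a violation, or -1 if none is found up to MAX_LEN. */
long min_overflow_len(const char *prefix) {
    char input[MAX_LEN + 1];
    srand(1);                              /* fixed seed: reproducible tails */
    for (size_t len = strlen(prefix); len <= MAX_LEN; len++) {
        violations = 0;
        build_input(input, prefix, len);
        parse_record(input);
        if (violations) return (long)len;
    }
    return -1;
}

int main(void) {
    /* Candidate prefixes stand in for solver-produced symbolic prefixes. */
    const char *candidates[] = { "xx:", "id:" };
    for (size_t i = 0; i < 2; i++)
        printf("prefix \"%s\": first overflowing length = %ld\n",
               candidates[i], min_overflow_len(candidates[i]));
    return 0;
}
```

For the prefix "id:" the sweep reports 19 (16 copied bytes plus the terminator exceed the 16-byte field), after at most MAX_LEN executions; the prefix "xx:" never reaches the copy and reports -1. Representing all 19 bytes symbolically would instead hand the solver a constraint over every byte, which is the cost the abstract's length abstraction avoids.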
Index Terms
- Testing for buffer overflows with length abstraction