
Binary Code Vulnerability Mining System Research And Design Based On Dynamic Symbolic Execution

Posted on: 2012-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: P F Guo
Full Text: PDF
GTID: 2178330335960307
Subject: Signal and Information Processing
Abstract/Summary:
A vulnerability is a defect in the implementation or security policy of computer hardware, software or a protocol. Vulnerabilities exist in all kinds of software and can be very harmful: many viruses, Trojans and worms use them to spread and attack, causing serious economic loss and harm to society. The problem is severe enough that vulnerability mining is becoming more and more important. Vulnerability mining technology is divided into two categories by target: source code vulnerability mining and executable code vulnerability mining. The technology for source code vulnerability mining is mature. Unfortunately, executable code vulnerability mining still has a long way to go: because it involves compiler technology, the binary code system, the PE (Portable Executable) file format and other knowledge, it is much harder than the source code case. Vulnerability mining for executable code is therefore an important research direction.

Fuzzing is commonly used in executable code vulnerability mining. It is an effective method, but a flawed one: it is a purely random test with little knowledge of the program, so there is no guarantee of efficiency. Symbolic execution is a technology used in source code analysis; it offers a way to understand the program. Because of the differences between source code and executable code, it is not easy to apply symbolic execution to executable code analysis. If symbolic execution can be applied to executable code, it can guide the fuzzing process. This is called smart fuzzing, and it will greatly improve the efficiency of fuzzing.

This paper addresses the difficulty of applying symbolic execution to executable code and presents a binary symbolic execution method based on dynamic debugging and virtual execution. Combined with traditional fuzzing, this paper presents a better fuzzing system: smart fuzzing.
The system includes five modules: the debugger module, the input locating module, the binary code analysis module, the symbolic execution module and the smart fuzzing module. The system uses PE files under the Windows environment as test subjects. The debugger dynamically loads the program to obtain its binary code. The system translates the binary code into an expression form suited to symbolic execution, which carries more information than assembly code, and then performs symbolic execution synchronously with virtual execution to obtain path conditions effectively. The system then generates test cases that cover different paths by altering the path condition appropriately. In this way the efficiency of vulnerability mining is greatly improved, and with the information about the program's execution, analysts can understand software bugs more quickly.

This paper presents a binary symbolic execution system based on dynamic debugging and virtual execution and verifies its correctness. Combined with traditional fuzzing technology, it then presents a smart fuzzing method. The system will be of great help in executable code vulnerability mining.
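The path-condition flipping step that the module description relies on, shown as an added, self-contained Python example that is not code from the thesis: a tracer records the branch predicates a concrete run takes, each predicate is negated in turn, and a toy per-byte solver (standing in for a real constraint solver) produces an input that drives execution down the other side. The instrumented binary is replaced by a constructed stand-in with "MZ" magic bytes, and the search generalizes the single-path case in the abstract into a generational search over all discovered paths.

```python
import operator
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">=": operator.ge}
NEG = {"==": "!=", "!=": "==", "<": ">=", ">=": "<"}  # negation used to flip a branch

def holds(c, data):  # c = (idx, op, val): input byte idx compared with val
    return OPS[c[1]](data[c[0]], c[2])
def negated(c):
    return (c[0], NEG[c[1]], c[2])

class Tracer:  # runs the target concretely while recording the path condition
    def __init__(self, data):
        self.data, self.path = data, []
    def branch(self, idx, op, val):
        c = (idx, op, val)
        taken = holds(c, self.data)
        self.path.append(c if taken else negated(c))  # constraint for the side taken
        return taken

def target(t):
    # Constructed stand-in for the instrumented binary; "crash" needs one exact branch sequence.
    if t.branch(0, "==", 0x4D) and t.branch(1, "==", 0x5A):  # magic "MZ"
        return "ok" if t.branch(2, "<", 8) else "crash"       # unchecked count
    return "bad-magic"

def solve(conds, seed):
    # Per-byte brute force standing in for an SMT solver; unconstrained bytes keep seed values.
    out = bytearray(seed)
    for idx in {c[0] for c in conds}:
        mine = [c for c in conds if c[0] == idx]
        for v in range(256):
            out[idx] = v
            if all(holds(c, out) for c in mine):
                break
        else:
            return None  # constraints conflict: the flipped path is infeasible
    return bytes(out)

def explore(seed):
    # Generational search: flip each branch of every newly covered path; returns {path: (input, outcome)}.
    covered, work = {}, [seed]
    while work:
        t = Tracer(work.pop())
        outcome, path = target(t), tuple(t.path)
        if path not in covered:
            covered[path] = (t.data, outcome)
            for i, c in enumerate(path):
                new = solve(list(path[:i]) + [negated(c)], t.data)
                if new is not None:
                    work.append(new)
    return covered
```

Starting from an all-zero seed, `explore` reaches all four paths of the stand-in, including the "crash" path that random fuzzing would hit only by producing the exact "MZ" prefix by chance.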
Keywords/Search Tags: vulnerability mining, virtual execution, symbolic execution, smart fuzzing