
Symbolic Execution Based Dynamic Taint Analysis On Binary Code

Posted on: 2012-11-09
Degree: Master
Type: Thesis
Country: China
Candidate: Z Wang
Full Text: PDF
GTID: 2178330338484215
Subject: Software engineering
Abstract/Summary:
Taint analysis and symbolic execution are two effective techniques for discovering software vulnerabilities. This paper introduces both state-of-the-art techniques. To solve the detection gap problem, we propose a third taint state and six new detection rules. Furthermore, because taint theory alone cannot perform byte-level analysis or guide the generation of test cases, symbolic execution is used to improve taint analysis. Based on these ideas, we design and implement two tools, DsVD (Dynamic Software Vulnerability Detector) and DsVD-SE (Dynamic Software Vulnerability Detector – Symbolic Execution). DsVD uses the third taint state and the six new rules to detect vulnerabilities, and DsVD-SE is able to perform byte-level analysis and generate path information. Two optimization methods are used to reduce the runtime overhead of DsVD and DsVD-SE. Experimental results show that DsVD and DsVD-SE can effectively discover vulnerabilities: after testing 5 real-world word processors, we found 63 vulnerabilities. Benefiting from the two optimizations, DsVD has the lowest runtime overhead compared with related tools, only 3.1 times.
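To illustrate the gap the abstract describes (a single taint bit per register tells you a branch is input-controlled, but not which input bytes or what constraint a new test case must satisfy), here is a small added example in Python. It is not code from the thesis or from DsVD/DsVD-SE: it runs a constructed toy instruction sequence over a constructed input, propagating a taint mark together with a symbolic expression per value, and records path constraints at branches on tainted data. The instruction set, register names and sample input are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Val:
    conc: int            # concrete value observed during execution
    sym: Optional[str]   # expression over input bytes; None when untainted

    @property
    def tainted(self) -> bool:
        return self.sym is not None

OPS = {"add": (lambda x, y: (x + y) & 0xFFFF, "+"),
       "mul": (lambda x, y: (x * y) & 0xFFFF, "*"),
       "and": (lambda x, y: x & y, "&")}

def combine(op: str, a: Val, b: Val) -> Val:
    """Propagate taint and build the symbolic expression for a binary op."""
    fn, glyph = OPS[op]
    conc = fn(a.conc, b.conc)
    if not (a.tainted or b.tainted):
        return Val(conc, None)           # untainted result: plain concrete value
    return Val(conc, f"({a.sym or a.conc} {glyph} {b.sym or b.conc})")

def run(program, inp: bytes):
    """Execute the toy program; return registers and the tainted path constraints."""
    regs, path = {}, []
    for ins in program:
        op = ins[0]
        if op == "load":                 # load one input byte (taint source)
            regs[ins[1]] = Val(inp[ins[2]], f"in[{ins[2]}]")
        elif op == "const":
            regs[ins[1]] = Val(ins[2], None)
        elif op in OPS:
            regs[ins[1]] = combine(op, regs[ins[2]], regs[ins[3]])
        elif op == "bgt":                # branch if reg > const; record if tainted
            v, c = regs[ins[1]], ins[2]
            if v.tainted:
                path.append((f"{v.sym} > {c}", v.conc > c))
    return regs, path

def input_bytes_in(expr: str) -> set:
    """Byte-level view: which input offsets a constraint depends on."""
    return {int(i) for i in re.findall(r"in\[(\d+)\]", expr)}

# Constructed toy program: a 16-bit little-endian length at in[4..5] and a flags
# byte at in[6] are checked before use, as a file parser might do.
PROGRAM = [("load", "r0", 4), ("load", "r1", 5), ("const", "r2", 256),
           ("mul", "r3", "r1", "r2"), ("add", "r4", "r0", "r3"),
           ("load", "r5", 6), ("const", "r6", 0x0F), ("and", "r7", "r5", "r6"),
           ("bgt", "r4", 64), ("bgt", "r7", 7)]
SAMPLE = bytes([0x4D, 0x5A, 0, 0, 0x10, 0x00, 0x23])   # constructed input
```

Negating a recorded constraint such as `(in[4] + (in[5] * 256)) > 64` and solving for the named bytes is how the symbolic side guides new test cases, which the taint bit alone cannot do.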
Keywords/Search Tags:Dynamic, Binary, Taint Analysis, Symbolic Execution, Software Vulnerability