
Research On Vulnerability Detection Technology Based On Fuzzing Test And Concolic Execution

Posted on: 2018-05-01 | Degree: Master | Type: Thesis
Country: China | Candidate: B Y Song | Full Text: PDF
GTID: 2428330566997446 | Subject: Computer technology
Abstract/Summary:
Memory corruption vulnerabilities are an ever-present risk in software, which attackers can exploit to obtain unauthorized access to confidential information. As products with access to sensitive data become more prevalent, the number of potentially exploitable systems also increases, resulting in a greater need for automated software vetting tools. Current techniques for finding potential bugs include static, dynamic, and concolic analysis systems, each of which has its own advantages and disadvantages. A common limitation of systems designed to create inputs that trigger vulnerabilities is that they only find shallow bugs and struggle to exercise deeper paths in executables. We present a hybrid vulnerability excavation tool which leverages fuzzing and selective concolic execution in a complementary manner to find deeper bugs. Inexpensive fuzzing is used to exercise compartments of an application, while concolic execution is used to generate inputs which satisfy the complex checks separating the compartments. Fuzzing provides a fast and cheap overview of a compartment, effectively exploring loops and simple checks, but often fails to transition between compartments. Selective concolic execution runs into state explosion when considering loops and inner checks, but is highly effective at finding paths between compartments of a binary. By combining these two techniques where each individually fails, Driller is able to explore a greater space of functionality within the binary. By combining the strengths of the two techniques, we mitigate their weaknesses, avoiding the path explosion inherent in concolic analysis and the incompleteness of fuzzing. Driller uses selective concolic execution to explore only the paths deemed interesting by the fuzzer and to generate inputs for conditions that the fuzzer cannot satisfy. We evaluate Driller on 126 applications released in the qualifying event of the Cyber Grand Challenge and show its efficacy by identifying a greater number of vulnerabilities.
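The fuzz-then-solve loop the abstract describes, as an added illustration that is not the thesis's or Driller's own code. It uses a constructed toy target (the `MAGIC` header, the byte offsets and the coverage labels are all assumptions) in which a cheap single-byte fuzzer explores the loop and the simple checks but stalls on the 4-byte header comparison; a stand-in for the concolic step then flips the untaken branch and hands the fuzzer an input that crosses into the second compartment, where fuzzing alone finds the bug:

```python
import random

MAGIC = b"DRLL"  # constructed 4-byte header: a 2^-32 target for a blind fuzzer

def run(data):
    """Constructed toy target: two compartments split by a magic check. Returns (coverage
    labels, crashed?, constraints); a constraint is (offset, expected bytes, taken?)."""
    data, cov = data.ljust(8, b"\x00"), {"entry"}
    taken = data[:4] == MAGIC
    cons = [(0, MAGIC, taken)]  # recorded as a concolic engine records branch conditions
    if not taken:
        return cov | {"bad_magic"}, False, cons
    for i in range(data[4]):  # loop: cheap to fuzz, costly to execute symbolically
        cov.add(("loop", min(i, 3)))
    cov.add(("big", data[4] > 200))  # simple check: fuzzing alone gets past it quickly
    if data[4] > 200 and data[5] > 200:  # the bug hiding in the second compartment
        return cov | {"crash"}, True, cons
    return cov, False, cons

def mutate(rng, data):  # single-byte mutation, the fuzzer's cheap exploration primitive
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def concolic_solve(data, cons):
    """Stand-in for the concolic step: flip the first branch the concrete run did not
    take. Driller hands real path constraints to an SMT solver; ours are byte equalities."""
    for off, expected, taken in cons:
        if not taken:
            return data[:off] + expected + data[off + len(expected):]
    return None

def hybrid_fuzz(seed=b"\x00" * 8, rounds=10000, stall=200, use_concolic=True, rng_seed=1):
    """Driller-style loop: fuzz until coverage stalls, then solve the blocking check concolically."""
    rng = random.Random(rng_seed)
    corpus, total_cov, since_new, solver_calls = [seed], run(seed)[0], 0, 0
    for _ in range(rounds):
        child = mutate(rng, rng.choice(corpus))
        cov, crashed, cons = run(child)
        if crashed:
            return {"crash": child, "solver_calls": solver_calls, "coverage": total_cov | cov}
        since_new = 0 if cov - total_cov else since_new + 1
        if cov - total_cov:  # new coverage: keep the input, as a coverage-guided fuzzer would
            total_cov |= cov; corpus.append(child)
        elif use_concolic and since_new >= stall:  # stuck: trace the stalled input concolically
            solver_calls += 1; since_new = 0
            solved = concolic_solve(child, cons)
            if solved is not None and run(solved)[0] - total_cov:
                total_cov |= run(solved)[0]; corpus.append(solved)
    return {"crash": None, "solver_calls": solver_calls, "coverage": total_cov}
```

Running `hybrid_fuzz()` reaches the crash after at least one solver call, while `hybrid_fuzz(use_concolic=False)` never gets past the header check with the same budget, which is the complementarity the abstract argues for.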
Keywords/Search Tags: vulnerabilities defect, fuzzing, concolic execution