Seshagiri Prabhu | Software Research Laboratory

We have been doing a survey on published research papers which is trying to detect security vulnerabilities in programs or applications using dynamic analysis. Our work is mainly focused on mainly four domains – desktop based binary applications, Android applications, embedded or firmware binaries and web related scripting language based applications. This blog post is a high level overview of our upcoming survey paper.

Before going to the details of our findings, we would like to discuss some of the questions which we had in our mind when we started this project

When is a bug a security vulnerability?

A defect in a program which causes the violation of at least one of the basic goals of security – confidentiality, integrity and availability (CIA).

What is an exploit?

A piece of code, application or the input that takes the advantage of a security bug present in the vulnerable program to gain some information or cause some abnormality in its behavior.

How do we differentiate static and dynamic analysis?

Static analysis evaluates code without executing it while dynamic analysis tests the behavior of code during execution. Dynamic analysis enables monitoring of the code during the program execution.

Which all are the dynamic analysis techniques we are going to survey?

We are surveying the following techniques:

Dynamic taint analysis runs a program and observes which computations are affected by predefined taint sources such as user input.

Symbolic execution automatically builds a logical formula describing a program execution path, which reduces the problem of reasoning about the execution to the domain of logic.

Concolic testing uses symbolic execution in conjunction with an automated theorem proving or constraint solver to generate concrete inputs with the aim of maximizing code in-order to find new bugs. It is also known as hybrid testing.

Fuzzing involves generation of various – expected, unexpected and random inputs to the program to observe its behavior – mainly crash.

Guided fuzzing uses fuzzing in conjunction with symbolic execution or concolic testing or dynamic taint analysis with an aim to improve the efficiency in finding crashes in the program under testing

- Which are the various vulnerabilities commonly discovered using these analysis

Vulnerability type	Description	CIA triad violation
Program crash	Could be due to various reasons including logic errors, critical exceptions, segfault etc.	A & I
EIP overwrite	Extended Instruction Pointer (EIP) points to the next instruction to be executed. If it is overwritten with an arbitrary value, the program can be crashed or can be diverted to take different execution path which is not intended by the developer of the application.	A & I
Integer overflow	The result of an arithmetic operation exceeds the maximum or minimum limit of the integer data type used to store the resulting value and hence it resets to zero. An overflow condition may give results leading to crash or unintended behavior.	A & I
Out-of-bound read	This vulnerability allows to read the data past the end or beginning of the buffer/array.	C
NULL pointer dereference	The application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit	A
Double free	The program tries to call free() twice on the same memory address causes crash	A
Use after free	This bug occurs when the program tries to read the memory which is already freed. This causes program crash. In certain circumstances doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.	CIA
Race condition	The program is concurrently executed by different processes using a shared resource with improper synchronization leading to data inconsistency	I
Stack based buffer overflow	A condition where the buffer being written is full and the adjacent memory locations on the stack are also overwritten. Buffer overflow often leads to crash, execution of arbitrary code execution and subversion of program execution	CIA
Format string vulnerability	The program uses a function that accepts a format string as an argument, but the format string originates from an external source. Using this vulnerability, an attacker can either crash the program, execute arbitrary code by changing the value of EIP register or read unauthorized information	CIA
Code injection	If an application allows user input to contain code segment, there is a possibility that artibitary commands can be executed if the input is not properly sanitized	CIA
Cross site scripting	The web application incorrectly sanitizes the input and result of the injected script is visible when page is generated. XSS is most commonly used for information disclosure. It can be also used to execute arbitrary code	CIA
SQL injection	The SQL queries used in the server side of the web application includes an incorrectly sanitized user input. Using this vulnerability, the attacker will be able to read/update/delete the information in the database.	C & I
Denial of Service attack	The application could not limit the amount or size of resources requested by user, ending up consuming more resources than intended. This would prevent valid users from accessing the application as the entire system resource is consumed by the attacker	A
Privilege escalation	An act of exploiting a bug in the application to gain elevated access to resources	C
Authentication bypass	The presence of backdoors in the form of hardcoded credentials and intentionally hidden authentication interfaces.	C

The tabular form of our findings:

#	Domain	Technique	Mindmap Title	Paper title	Vulnerabilities detected	Exploits generated	Google Link
1	Android	Fuzzing	Automated security testing of Android applications on the cloud	A whitebox approach for automated security testing of Android applications on the cloud	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+whitebox+approach+for+automated+security+testing+of+Android+applications+on+the+cloud&btnG=
2	Android	Fuzzing	DroidFuzzer	DroidFuzzer: Fuzzing the Android Apps withIntent-Filter Tag	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DroidFuzzer%3A+Fuzzing+the+Android+Apps+withIntent-Filter+Tag&btnG=
3	Android	Fuzzing	Intent fuzzer	Intent fuzzer: crafting intents of death	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Intent+fuzzer%3A+crafting+intents+of+death&btnG=
4	Binary	Concolic testing	Autiomatic Exploit Generator	AEG: Automatic Exploit Generation	Stack based buffer overflow, format string	Return-to-libc	https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=AEG%3A+Automatic+Exploit+Generation&btnG=
5	Binary	Concolic testing	BORG	The BORG: Nanoprobing Binaries for Buffer Overreads	NULL Pointer dereference		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=The+BORG%3A+Nanoprobing+Binaries+for+Buffer+Overreads&btnG=
6	Binary	Concolic testing	CAB-Fuzz	CAB-FUZZ: Practical Concolic Testing Techniques for COTS OperatingSystems	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CAB-FUZZ%3A+Practical+Concolic+Testing+Techniques+for+COTS+OperatingSystems&btnG=
7	Binary	Concolic testing	CRAX	CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations	EIP Overflow	Shellcode, return-to-libc	https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CRAX%3A+Software+Crash+Analysis+for+Automatic+Exploit+Generation+by+Modeling+Attacks+as+Symbolic+Continuations&btnG=
8	Binary	Concolic testing	MACE	MACE: Model-inference-Assisted Concolic Explorationfor Protocol and Vulnerability Discovery	EIP Overflow, Out-of-bound read, NULL pointer dereference		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=MACE%3A+Model-inference-Assisted+Concolic+Explorationfor+Protocol+and+Vulnerability+Discovery&btnG=
9	Binary	Dynamic Taint Analysis	AXGEN	Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities	EIP Overflow		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automatic+Generation+of+Control+Flow+Hijacking+Exploits+for+Software+Vulnerabilities&btnG=
10	Binary	Dynamic Taint Analysis	Q: Exploit Hardening	Q: Exploit Hardening Made Easy	EIP Overflow	ROP-exploit	https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Q%3A+Exploit+Hardening+Made+Easy&btnG=
11	Binary	Guided Fuzzing	A Hybrid Symbolic Execution Assisted FuzzingMethod	A Hybrid Symbolic Execution Assisted FuzzingMethod	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+Hybrid+Symbolic+Execution+Assisted+FuzzingMethod&btnG=
12	Binary	Guided Fuzzing	Automated whitebox fuzztesting	Automated whitebox fuzztesting	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automated+whitebox+fuzztesting&btnG=
13	Binary	Guided Fuzzing	Buzzfuzz	Taint-based directed whitebox fuzzing	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Taint-based+directed+whitebox+fuzzing&btnG=
14	Binary	Guided Fuzzing	Dowser	Dowsing for overflows: A guided fuzzer to find buffer boundary violations	EIP Overflow		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Dowsing+for+overflows%3A+A+guided+fuzzer+to+find+buffer+boundary+violations&btnG=
15	Binary	Guided Fuzzing	Driller	Driller: AugmentingFuzzing Through Selective Symbolic Execution	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Driller%3A+AugmentingFuzzing+Through+Selective+Symbolic+Execution&btnG=
16	Binary	Guided Fuzzing	Taintscope	TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection	EIP overflow, Integer overflow, NULL pointer derference		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=TaintScope%3A+A+checksum-aware+directed+fuzzing+tool+for+automatic+software+vulnerability+detection&btnG=
17	Binary	Guided Fuzzing	VUzzer	VUzzer: Application-aware Evolutionary Fuzzing	Out-of-bound read, NULL pointer dereference, Double free		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=VUzzer%3A+Application-aware+Evolutionary+Fuzzing&btnG=
18	Binary	Symbolic Execution	DART	DART: directed automated random testing	EIP overflow		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DART%3A+directed+automated+random+testing&btnG=
19	Binary	Symbolic Execution	PEX: White Box Test Generation for .NET	Pex–White Box Test Generation for .NET	Program crash, NULL pointer dereferenec		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Pex%E2%80%93White+Box+Test+Generation+for+.NET&btnG=
20	Binary	Symbolic Execution	Replayer	Replayer: automatic protocol replay by binary analysis	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysis&btnG=
21	Binary	Symbolic Execution	SoK (state of) the art of war offensive binary	SoK (state of) the art of war offensive binary	EIP Overflow	ROP exploit, Shellcode	https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysisSoK+%28state+of%29+the+art+of+war+offensive+binary&btnG=
22	Binary	Symbolic Execution	Symbolic cross checking of data parallel FP code	Symbolic cross checking of data parallel FP code	Use after free		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Symbolic+cross+checking+of+data+parallel+FP+code&btnG=
23	Binary	Symbolic Execution	UC-Symbolic Execution	Under-Constrained Symbolic Execution: Correctness Checking for Real Code	Out-of-bound read, NULL pointer dereference, use after free		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Under-Constrained+Symbolic+Execution%3A+Correctness+Checking+for+Real+Code&btnG=
24	Binary	Symbolic Execution	Veritesting	Enhancing Symbolic Execution with Veritesting	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enhancing+Symbolic+Execution+with+Veritesting&btnG=
25	Embedded	Concolic testing	Avatar	A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares	Authentication bypass		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22A+Framework+to+Support+Dynamic+Security+Analysis+of+Embedded+Systems%E2%80%99+Firmwares%22&btnG=
26	Embedded	Symbolic Execution	FIRMADYNE	Towards Automated Dynamic Analysis for Linux-based Embedded Firmware	EIP overwrite, code injection		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22Towards+Automated+Dynamic+Analysis+for+Linux-based+Embedded+Firmware%22&btnG=
27	Embedded	Symbolic Execution	Firmalice	Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware	Authentication bypass		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22Firmalice+-+Automatic+Detection+of+Authentication+Bypass+Vulnerabilities+in+Binary+Firmware%22&btnG=
28	Scripting	Fuzzing	Enemy of the State:A State-Aware Black-Box Web Vulnerability Scanner	Enemy of the State:A State-Aware Black-Box Web Vulnerability Scanner	XSS, SQLi		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enemy+of+the+State%3AA+State-Aware+Black-Box+Web+Vulnerability+Scanner&btnG=
29	Scripting	Symbolic Execution	A Symbolic Execution Framework for JavaScript	A Symbolic Execution Framework for JavaScript	Code injection		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+Symbolic+Execution+Framework+for+JavaScript&btnG=
30	Scripting	Symbolic Execution	Finding bugs in dynamic web apps	Finding bugs in dynamic web apps	Program crash		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Finding+bugs+in+dynamic+web+apps&btnG=
31	Scripting	Symbolic Execution	Waler	Toward Automated Detection ofLogic Vulnerabilities in Web Applications	XSS, SQLi		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Toward+Automated+Detection+ofLogic+Vulnerabilities+in+Web+Applications&btnG=
32	Scripting	Symbolic Execution	WAPTEC	WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction	XSS, SQLi, DoS		https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=WAPTEC%3A+whitebox+analysis+of+web+applications+for+parameter+tampering+exploit+construction&btnG=

This is the link to the mindmap version of the table: http://app.mindmapmaker.org/#m:mmc88ebaf011214664b5ccbf67cc6179b7. Once the diagram is loaded, you can click on the techniques to expand the papers published under that domain.

The aforementioned mindmap diagram is a visual representation of the hierarchical information of our findings. The central idea of our survey is the vulnerability detection using dynamic analysis. As mentioned earlier, we have only considered 4 domains: binary, web/scripting, embedded/firmware and Android, mainly because these are the main areas where some significant amount of work is done in finding vulnerabilities. Each domain is further branched to various sub-branched based on various dynamic analysis techniques.

The pink colour nodes in the diagram represent a publication. It is usually the framework developed by the publishers or the title of the research paper to detect vulnerability using the dynamic analysis technique class mentioned in the parent node. The publication node is always branched into two 1) outcome and 2) framework.

Outcome describes the type of vulnerabilities they were able to discover using their approach and sometimes their system may generate exploit scripts automatically. In most cases, the exploit scripts are generated for:

Return-to-libc attack: when there is a buffer overflow vulnerability and the stack is WX protected, the processor will refuse to execute code at certain memory locations where program can write, failing to execute the user loaded shellcode in the stack. The attacker can circumvent this protection by combing the address of the system calls code (libc) present in memory which is executable.
Return oriented programming is an advanced version of stack-smashing attack where the attacker gains the control over the call stack and uses the sequence of machine code already present in the memory to change the control-flow to perform arbitrary operations.

The sub branches of the framework describes the details of :

The novel path prioritization techniques introduced in the paper in-order to reduce the search space. It could be for avoiding loops and path explosion, target code blocks which are more likely to be vulnerable due to the presence of system calls etc.
The reuse or modification of any existing tools like concolic testing or symbolic execution frameworks, fuzzers, constraint solvers, automatic theorem solvers, previously published approaches etc
Inputs from the static analysis techniques to construct call graph, extract plausible vulnerable components using data flow analysis etc
Test execution environment: whether the application is run on embedded/mobile hardware directly or on emulator
Vulnerability analysis module to verify whether the critical exceptions or program crash can be classified as a true positive
Exploit development module in the framework

This is a high level overview of our ongoing work, stay tuned for the comprehensive study of the survey on vulnerability detection using dynamic analysis.

References

Chen, Z., Guo, S., & Fu, D. (2012). A Directed Fuzzing Based on the Dynamic Symbolic Execution and Extended Program Behavior Model. In 2012 Second International Conference on Instrumentation, Measurement, Computer, Communication and Control (pp. 1641–1644). https://doi.org/10.1109/IMCCC.2012.382

Pham, V.-T., Böhme, M., Santosa, A. E., Căciulescu, A. R., & Roychoudhury, A. (2018). Smart Greybox Fuzzing. ArXiv:1811.09447 [Cs]. Retrieved from http://arxiv.org/abs/1811.09447

Padhye, R., Lemieux, C., Sen, K., Papadakis, M., & Le Traon, Y. (2019). Semantic fuzzing with zest. In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis - ISSTA 2019 (pp. 329–340). Beijing, China: ACM Press. https://doi.org/10.1145/3293882.3330576

aflgo. (2019). aflgo/aflgo. Retrieved from https://github.com/aflgo/aflgo (Original work published 2017)

Secunia, S. (n.d.). Vulnerability Review 2018. Flexera. Retrieved from https://www.flexera.com/media/pdfs/research-svm-vulnerability-review-2018.pdf

Mitre, C. (2019). Vulnerability distribution of cve security vulnerabilities by types. Retrieved September 23, 2018, from https://www.cvedetails.com/vulnerabilities-by-types.php

Wichmann, B. A., Canning, A. A., Clutterbuck, D. L., Winsborrow, L. A., Ward, N. J., & Marsh, D. W. R. (1995). Industrial perspective on static analysis. Software Engineering Journal, 10(2), 69–75. https://doi.org/10.1049/sej.1995.0010

Molnar, D., Li, X. C., & Wagner, D. A. (2009). Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs. In Proceedings of the 18th Conference on USENIX Security Symposium (pp. 67–82). Berkeley, CA, USA: USENIX Association. Retrieved from http://dl.acm.org/citation.cfm?id=1855768.1855773

Chen, Y., Groce, A., Zhang, C., Wong, W.-K., Fern, X., Eide, E., & Regehr, J. (2013). Taming Compiler Fuzzers. In Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 197–208). New York, NY, USA: ACM. https://doi.org/10.1145/2491956.2462173

Zhang, C., Groce, A., & Alipour, M. A. (2014). Using Test Case Reduction and Prioritization to Improve Symbolic Execution. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (pp. 160–170). New York, NY, USA: ACM. https://doi.org/10.1145/2610384.2610392

Ognawala, S., Hutzelmann, T., Psallida, E., & Pretschner, A. (2018). Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing (pp. 1475–1482). New York, NY, USA: ACM. https://doi.org/10.1145/3167132.3167289

Person, S., Yang, G., Rungta, N., & Khurshid, S. (2011). Directed Incremental Symbolic Execution. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 504–515). New York, NY, USA: ACM. https://doi.org/10.1145/1993498.1993558

Li, Y., Su, Z., Wang, L., & Li, X. (2013). Steering Symbolic Execution to Less Traveled Paths. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications (pp. 19–32). New York, NY, USA: ACM. https://doi.org/10.1145/2509136.2509553

Qin, F., Wang, C., Li, Z., Kim, H., Zhou, Y., & Wu, Y. (2006). LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture (pp. 135–148). Washington, DC, USA: IEEE Computer Society. https://doi.org/10.1109/MICRO.2006.29

Cheng, W., Zhao, Q., Yu, B., & Hiroshige, S. (2006). TaintTrace: Efficient Flow Tracing with Dynamic Binary Rewriting. In 11th IEEE Symposium on Computers and Communications (ISCC’06) (pp. 749–754). https://doi.org/10.1109/ISCC.2006.158

Newsome, J. (2005). Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Network and Distributed System Security Symposium.

Effective File Format Fuzzing – Thoughts, Techniques and Results (Black Hat Europe 2016). (2018, July 13). Retrieved November 1, 2018, from https://j00ru.vexillium.org/talks/blackhat-eu-effective-file-format-fuzzing-thoughts-techniques-and-results/

Zalewski, M. (2014, November 7). Pulling JPEGs out of thin air. Retrieved November 1, 2018, from https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html

Mitre, C. (n.d.). CWE - CWE-787: Out-of-bounds Write (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/787.html

Mitre, C. (n.d.). CWE - CWE-200: Information Exposure (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/200.html

Mitre, C. (n.d.). CWE - CWE-369: Divide By Zero (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/369.html

Mitre, C. (n.d.). CWE - CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak’) (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/401.html

Lee, H., Grosse, R., Ranganath, R., & Ng, A. Y. (2009). Convolutional Deep Belief Networks for Scalable Unsupervised Learning of Hierarchical Representations. In Proceedings of the 26th Annual International Conference on Machine Learning (pp. 609–616). New York, NY, USA: ACM. https://doi.org/10.1145/1553374.1553453

Arjovsky, M., Chintala, S., & Bottou, L. (2017). Wasserstein GAN. Retrieved from https://arxiv.org/abs/1701.07875

Goodfellow, I. J., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., … Bengio, Y. (2014). Generative Adversarial Nets. In Proceedings of the 27th International Conference on Neural Information Processing Systems - Volume 2 (pp. 2672–2680). Cambridge, MA, USA: MIT Press. Retrieved from http://dl.acm.org/citation.cfm?id=2969033.2969125

Hu, Z., Shi, J., Huang, Y., Xiong, J., & Bu, X. (2018). GANFuzz: A GAN-based Industrial Network Protocol Fuzzing Framework. In Proceedings of the 15th ACM International Conference on Computing Frontiers (pp. 138–145). New York, NY, USA: ACM. https://doi.org/10.1145/3203217.3203241

She, D., Pei, K., Epstein, D., Yang, J., Ray, B., & Jana, S. (2018). NEUZZ: Efficient Fuzzing with Neural Program Learning. ArXiv:1807.05620 [Cs]. Retrieved from http://arxiv.org/abs/1807.05620

Lv, C., Ji, S., Li, Y., Zhou, J., Chen, J., Zhou, P., & Chen, J. (2018). SmartSeed: Smart Seed Generation for Efficient Fuzzing. ArXiv:1807.02606 [Cs]. Retrieved from http://arxiv.org/abs/1807.02606

Nichols, N., Raugas, M., Jasper, R., & Hilliard, N. (2017). Faster Fuzzing: Reinitialization with Deep Neural Models. ArXiv:1711.02807 [Cs]. Retrieved from http://arxiv.org/abs/1711.02807

Mitre, C. (n.d.). CWE - CWE-476: NULL Pointer Dereference (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/476.html

Mitre, C. (n.d.). CWE - CWE-416: Use After Free (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/416.html

Mitre, C. (n.d.). CWE - CWE-415: Double Free (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/415.html

Mitre, C. (n.d.). CWE - CWE-288: Authentication Bypass Using an Alternate Path or Channel (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/288.html

Mitre, C. (n.d.). CWE - CWE-190: Integer Overflow or Wraparound (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/190.html

Mitre, C. (n.d.). CWE - CWE-134: Use of Externally-Controlled Format String (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/134.html

Mitre, C. (n.d.). CWE - CWE-122: Heap-based Buffer Overflow (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/122.html

Mitre, C. (n.d.). CWE - CWE-125: Out-of-bounds Read (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/125.html

Mitre, C. (n.d.). CWE - CWE-121: Stack-based Buffer Overflow (3.1). Retrieved October 31, 2018, from https://cwe.mitre.org/data/definitions/121.html

Cho, K., van Merrienboer, B., Gulcehre, C., Bahdanau, D., Bougares, F., Schwenk, H., & Bengio, Y. (2014). Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation. ArXiv:1406.1078 [Cs, Stat]. Retrieved from http://arxiv.org/abs/1406.1078

Hochreiter, S., & Schmidhuber, J. (1997). Long Short-term Memory. Neural Comput., 9(9), 1735–1780. https://doi.org/10.1162/neco.1997.9.8.1735

Systems, A. (2006, November). PDF Reference: Adobe portable document format. Version 1.7. Retrieved from https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf

Godefroid, P., Kiezun, A., & Levin, M. Y. (2008). Grammar-based Whitebox Fuzzing. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (pp. 206–215). New York, NY, USA: ACM. https://doi.org/10.1145/1375581.1375607

Zhang, B., Ye, J., Feng, C., & Tang, C. (2017). S2F: Discover Hard-to-Reach Vulnerabilities by Semi-Symbolic Fuzz Testing. In 2017 13th International Conference on Computational Intelligence and Security (CIS) (pp. 548–552). Hong Kong: IEEE. https://doi.org/10.1109/CIS.2017.00127

Xu, W., Kashyap, S., Min, C., & Kim, T. (2017). Designing New Operating Primitives to Improve Fuzzing Performance. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 2313–2328). New York, NY, USA: ACM. https://doi.org/10.1145/3133956.3134046

Han, H., & Cha, S. K. (2017). IMF: Inferred Model-based Fuzzer. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 2345–2358). New York, NY, USA: ACM. https://doi.org/10.1145/3133956.3134103

Sim, K. Y., Kuo, F.-C., & Merkel, R. (2011). Fuzzing the Out-of-memory Killer on Embedded Linux: An Adaptive Random Approach. In Proceedings of the 2011 ACM Symposium on Applied Computing (pp. 387–392). New York, NY, USA: ACM. https://doi.org/10.1145/1982185.1982268

Mendonça, M., & Neves, N. (2008). Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities. In 2008 Seventh European Dependable Computing Conference (pp. 110–119). Kaunas, Lithuania: IEEE. https://doi.org/10.1109/EDCC-7.2008.22

Hodován, R., & Kiss, Á. (2016). Fuzzing JavaScript Engine APIs. In Proceedings of the 12th International Conference on Integrated Formal Methods - Volume 9681 (pp. 425–438). Berlin, Heidelberg: Springer-Verlag. https://doi.org/10.1007/978-3-319-33693-0_27

Godefroid, P., Peleg, H., & Singh, R. (2017). Learn&Fuzz: Machine Learning for Input Fuzzing. In Proceedings of the 32Nd IEEE/ACM International Conference on Automated Software Engineering (pp. 50–59). Piscataway, NJ, USA: IEEE Press. Retrieved from http://dl.acm.org/citation.cfm?id=3155562.3155573

Grieco, G., Ceresa, M., Mista, A., & Buiras, P. (2017). QuickFuzz Testing for Fun and Profit. J. Syst. Softw., 134(C), 340–354. https://doi.org/10.1016/j.jss.2017.09.018

Software Research Laboratory

University of Louisiana at Lafayette

Author Archives: Seshagiri Prabhu

Vulnerability Detection using Dynamic Analysis

References