We have been doing a survey on published research papers which is trying to detect security vulnerabilities in programs or applications using dynamic analysis. Our work is mainly focused on mainly four domains – desktop based binary applications, Android applications, embedded or firmware binaries and web related scripting language based applications. This blog post is a high level overview of our upcoming survey paper.
Before going to the details of our findings, we would like to discuss some of the questions which we had in our mind when we started this project
- When is a bug a security vulnerability?
A defect in a program which causes the violation of at least one of the basic goals of security – confidentiality, integrity and availability (CIA).
- What is an exploit?
A piece of code, application or the input that takes the advantage of a security bug present in the vulnerable program to gain some information or cause some abnormality in its behavior.
- How do we differentiate static and dynamic analysis?
Static analysis evaluates code without executing it while dynamic analysis tests the behavior of code during execution. Dynamic analysis enables monitoring of the code during the program execution.
- Which all are the dynamic analysis techniques we are going to survey?
We are surveying the following techniques:
Dynamic taint analysis runs a program and observes which computations are affected by predefined taint sources such as user input.
Symbolic execution automatically builds a logical formula describing a program execution path, which reduces the problem of reasoning about the execution to the domain of logic.
Concolic testing uses symbolic execution in conjunction with an automated theorem proving or constraint solver to generate concrete inputs with the aim of maximizing code in-order to find new bugs. It is also known as hybrid testing.
Fuzzing involves generation of various – expected, unexpected and random inputs to the program to observe its behavior – mainly crash.
Guided fuzzing uses fuzzing in conjunction with symbolic execution or concolic testing or dynamic taint analysis with an aim to improve the efficiency in finding crashes in the program under testing
- Which are the various vulnerabilities commonly discovered using these analysis
|Vulnerability type||Description||CIA triad violation|
|Program crash||Could be due to various reasons including logic errors, critical exceptions, segfault etc.||A & I|
|EIP overwrite||Extended Instruction Pointer (EIP) points to the next instruction to be executed. If it is overwritten with an arbitrary value, the program can be crashed or can be diverted to take different execution path which is not intended by the developer of the application.||A & I|
|Integer overflow||The result of an arithmetic operation exceeds the maximum or minimum limit of the integer data type used to store the resulting value and hence it resets to zero. An overflow condition may give results leading to crash or unintended behavior.||A & I|
|Out-of-bound read||This vulnerability allows to read the data past the end or beginning of the buffer/array.||C|
|NULL pointer dereference||The application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit||A|
|Double free||The program tries to call free() twice on the same memory address causes crash||A|
|Use after free||This bug occurs when the program tries to read the memory which is already freed. This causes program crash. In certain circumstances doubly freeing memory may result in a write-what-where condition, allowing an attacker to execute arbitrary code.||CIA|
|Race condition||The program is concurrently executed by different processes using a shared resource with improper synchronization leading to data inconsistency||I|
|Stack based buffer overflow||A condition where the buffer being written is full and the adjacent memory locations on the stack are also overwritten. Buffer overflow often leads to crash, execution of arbitrary code execution and subversion of program execution||CIA|
|Format string vulnerability||The program uses a function that accepts a format string as an argument, but the format string originates from an external source. Using this vulnerability, an attacker can either crash the program, execute arbitrary code by changing the value of EIP register or read unauthorized information||CIA|
|Code injection||If an application allows user input to contain code segment, there is a possibility that artibitary commands can be executed if the input is not properly sanitized||CIA|
|Cross site scripting||The web application incorrectly sanitizes the input and result of the injected script is visible when page is generated. XSS is most commonly used for information disclosure. It can be also used to execute arbitrary code||CIA|
|SQL injection||The SQL queries used in the server side of the web application includes an incorrectly sanitized user input. Using this vulnerability, the attacker will be able to read/update/delete the information in the database.||C & I|
|Denial of Service attack||The application could not limit the amount or size of resources requested by user, ending up consuming more resources than intended. This would prevent valid users from accessing the application as the entire system resource is consumed by the attacker||A|
|Privilege escalation||An act of exploiting a bug in the application to gain elevated access to resources||C|
|Authentication bypass||The presence of backdoors in the form of hardcoded credentials and intentionally hidden authentication interfaces.||C|
The tabular form of our findings:
|#||Domain||Technique||Mindmap Title||Paper title||Vulnerabilities detected||Exploits generated||Google Link|
|1||Android||Fuzzing||Automated security testing of Android applications on the cloud||A whitebox approach for automated security testing of Android applications on the cloud||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+whitebox+approach+for+automated+security+testing+of+Android+applications+on+the+cloud&btnG=|
|2||Android||Fuzzing||DroidFuzzer||DroidFuzzer: Fuzzing the Android Apps withIntent-Filter Tag||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DroidFuzzer%3A+Fuzzing+the+Android+Apps+withIntent-Filter+Tag&btnG=|
|3||Android||Fuzzing||Intent fuzzer||Intent fuzzer: crafting intents of death||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Intent+fuzzer%3A+crafting+intents+of+death&btnG=|
|4||Binary||Concolic testing||Autiomatic Exploit Generator||AEG: Automatic Exploit Generation||Stack based buffer overflow, format string||Return-to-libc||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=AEG%3A+Automatic+Exploit+Generation&btnG=|
|5||Binary||Concolic testing||BORG||The BORG: Nanoprobing Binaries for Buffer Overreads||NULL Pointer dereference||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=The+BORG%3A+Nanoprobing+Binaries+for+Buffer+Overreads&btnG=|
|6||Binary||Concolic testing||CAB-Fuzz||CAB-FUZZ: Practical Concolic Testing Techniques for COTS OperatingSystems||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CAB-FUZZ%3A+Practical+Concolic+Testing+Techniques+for+COTS+OperatingSystems&btnG=|
|7||Binary||Concolic testing||CRAX||CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations||EIP Overflow||Shellcode, return-to-libc||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=CRAX%3A+Software+Crash+Analysis+for+Automatic+Exploit+Generation+by+Modeling+Attacks+as+Symbolic+Continuations&btnG=|
|8||Binary||Concolic testing||MACE||MACE: Model-inference-Assisted Concolic Explorationfor Protocol and Vulnerability Discovery||EIP Overflow, Out-of-bound read, NULL pointer dereference||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=MACE%3A+Model-inference-Assisted+Concolic+Explorationfor+Protocol+and+Vulnerability+Discovery&btnG=|
|9||Binary||Dynamic Taint Analysis||AXGEN||Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities||EIP Overflow||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automatic+Generation+of+Control+Flow+Hijacking+Exploits+for+Software+Vulnerabilities&btnG=|
|10||Binary||Dynamic Taint Analysis||Q: Exploit Hardening||Q: Exploit Hardening Made Easy||EIP Overflow||ROP-exploit||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Q%3A+Exploit+Hardening+Made+Easy&btnG=|
|11||Binary||Guided Fuzzing||A Hybrid Symbolic Execution Assisted FuzzingMethod||A Hybrid Symbolic Execution Assisted FuzzingMethod||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=A+Hybrid+Symbolic+Execution+Assisted+FuzzingMethod&btnG=|
|12||Binary||Guided Fuzzing||Automated whitebox fuzztesting||Automated whitebox fuzztesting||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Automated+whitebox+fuzztesting&btnG=|
|13||Binary||Guided Fuzzing||Buzzfuzz||Taint-based directed whitebox fuzzing||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Taint-based+directed+whitebox+fuzzing&btnG=|
|14||Binary||Guided Fuzzing||Dowser||Dowsing for overflows: A guided fuzzer to find buffer boundary violations||EIP Overflow||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Dowsing+for+overflows%3A+A+guided+fuzzer+to+find+buffer+boundary+violations&btnG=|
|15||Binary||Guided Fuzzing||Driller||Driller: AugmentingFuzzing Through Selective Symbolic Execution||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Driller%3A+AugmentingFuzzing+Through+Selective+Symbolic+Execution&btnG=|
|16||Binary||Guided Fuzzing||Taintscope||TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection||EIP overflow, Integer overflow, NULL pointer derference||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=TaintScope%3A+A+checksum-aware+directed+fuzzing+tool+for+automatic+software+vulnerability+detection&btnG=|
|17||Binary||Guided Fuzzing||VUzzer||VUzzer: Application-aware Evolutionary Fuzzing||Out-of-bound read, NULL pointer dereference, Double free||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=VUzzer%3A+Application-aware+Evolutionary+Fuzzing&btnG=|
|18||Binary||Symbolic Execution||DART||DART: directed automated random testing||EIP overflow||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=DART%3A+directed+automated+random+testing&btnG=|
|19||Binary||Symbolic Execution||PEX: White Box Test Generation for .NET||Pex–White Box Test Generation for .NET||Program crash, NULL pointer dereferenec||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Pex%E2%80%93White+Box+Test+Generation+for+.NET&btnG=|
|20||Binary||Symbolic Execution||Replayer||Replayer: automatic protocol replay by binary analysis||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysis&btnG=|
|21||Binary||Symbolic Execution||SoK (state of) the art of war offensive binary||SoK (state of) the art of war offensive binary||EIP Overflow||ROP exploit, Shellcode||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Replayer%3A+automatic+protocol+replay+by+binary+analysisSoK+%28state+of%29+the+art+of+war+offensive+binary&btnG=|
|22||Binary||Symbolic Execution||Symbolic cross checking of data parallel FP code||Symbolic cross checking of data parallel FP code||Use after free||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Symbolic+cross+checking+of+data+parallel+FP+code&btnG=|
|23||Binary||Symbolic Execution||UC-Symbolic Execution||Under-Constrained Symbolic Execution: Correctness Checking for Real Code||Out-of-bound read, NULL pointer dereference, use after free||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Under-Constrained+Symbolic+Execution%3A+Correctness+Checking+for+Real+Code&btnG=|
|24||Binary||Symbolic Execution||Veritesting||Enhancing Symbolic Execution with Veritesting||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enhancing+Symbolic+Execution+with+Veritesting&btnG=|
|25||Embedded||Concolic testing||Avatar||A Framework to Support Dynamic Security|
Analysis of Embedded Systems’ Firmwares
|26||Embedded||Symbolic Execution||FIRMADYNE||Towards Automated Dynamic Analysis for|
Linux-based Embedded Firmware
|EIP overwrite, code injection||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=%22Towards+Automated+Dynamic+Analysis+for+Linux-based+Embedded+Firmware%22&btnG=|
|27||Embedded||Symbolic Execution||Firmalice||Firmalice - Automatic Detection of Authentication|
Bypass Vulnerabilities in Binary Firmware
|28||Scripting||Fuzzing||Enemy of the State:A State-Aware Black-Box Web Vulnerability Scanner||Enemy of the State:A State-Aware Black-Box Web Vulnerability Scanner||XSS, SQLi||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Enemy+of+the+State%3AA+State-Aware+Black-Box+Web+Vulnerability+Scanner&btnG=|
|30||Scripting||Symbolic Execution||Finding bugs in dynamic web apps||Finding bugs in dynamic web apps||Program crash||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Finding+bugs+in+dynamic+web+apps&btnG=|
|31||Scripting||Symbolic Execution||Waler||Toward Automated Detection ofLogic Vulnerabilities in Web Applications||XSS, SQLi||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=Toward+Automated+Detection+ofLogic+Vulnerabilities+in+Web+Applications&btnG=|
|32||Scripting||Symbolic Execution||WAPTEC||WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction||XSS, SQLi, DoS||https://scholar.google.com/scholar?hl=en&as_sdt=0%2C19&q=WAPTEC%3A+whitebox+analysis+of+web+applications+for+parameter+tampering+exploit+construction&btnG=|
This is the link to the mindmap version of the table: http://app.mindmapmaker.org/#m:mmc88ebaf011214664b5ccbf67cc6179b7. Once the diagram is loaded, you can click on the techniques to expand the papers published under that domain.
The aforementioned mindmap diagram is a visual representation of the hierarchical information of our findings. The central idea of our survey is the vulnerability detection using dynamic analysis. As mentioned earlier, we have only considered 4 domains: binary, web/scripting, embedded/firmware and Android, mainly because these are the main areas where some significant amount of work is done in finding vulnerabilities. Each domain is further branched to various sub-branched based on various dynamic analysis techniques.
The pink colour nodes in the diagram represent a publication. It is usually the framework developed by the publishers or the title of the research paper to detect vulnerability using the dynamic analysis technique class mentioned in the parent node. The publication node is always branched into two 1) outcome and 2) framework.
Outcome describes the type of vulnerabilities they were able to discover using their approach and sometimes their system may generate exploit scripts automatically. In most cases, the exploit scripts are generated for:
- Return-to-libc attack: when there is a buffer overflow vulnerability and the stack is WX protected, the processor will refuse to execute code at certain memory locations where program can write, failing to execute the user loaded shellcode in the stack. The attacker can circumvent this protection by combing the address of the system calls code (libc) present in memory which is executable.
- Return oriented programming is an advanced version of stack-smashing attack where the attacker gains the control over the call stack and uses the sequence of machine code already present in the memory to change the control-flow to perform arbitrary operations.
The sub branches of the framework describes the details of :
- The novel path prioritization techniques introduced in the paper in-order to reduce the search space. It could be for avoiding loops and path explosion, target code blocks which are more likely to be vulnerable due to the presence of system calls etc.
- The reuse or modification of any existing tools like concolic testing or symbolic execution frameworks, fuzzers, constraint solvers, automatic theorem solvers, previously published approaches etc
- Inputs from the static analysis techniques to construct call graph, extract plausible vulnerable components using data flow analysis etc
- Test execution environment: whether the application is run on embedded/mobile hardware directly or on emulator
- Vulnerability analysis module to verify whether the critical exceptions or program crash can be classified as a true positive
- Exploit development module in the framework
This is a high level overview of our ongoing work, stay tuned for the comprehensive study of the survey on vulnerability detection using dynamic analysis.