Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux - PowerPoint PPT Presentation

Aug 25, 2023 •334 likes •480 views

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner Security Bugs Common 6,515 vulnerabili/es reported in 2007 Major vendors : Adobe, Apple, MicrosoN Plus many more

Dynamic Test Genera/on To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner
Security Bugs Common • 6,515 vulnerabili/es reported in 2007 – Major vendors : Adobe, Apple, MicrosoN … – Plus many more – web.nvd.nist.gov/view/vuln/sta/s/cs • Each one means patch, QA’ing, releasing
Find Bug Report Bug Write Bug Fix Bug The “Bug Cycle”
Find Bug Report Bug Write Bug Fix Bug The “Bug Cycle”
Technique : Fuzz Testing Miller, Fredriksen, and So, “An Empirical Study of the Reliability of UNIX Utilities” http://pages.cs.wisc.edu/~bart/fuzz/fuzz.html
Integer Bugs • #2 cause of vendor advisories in 2006 • Underflow/Overflow • Value conversions • Signed/Unsigned conversion bugs • Poor fit with tradi/onal run/me, sta/c analysis – Sta/c analysis: false posi/ves – Run/me analysis: “benign” overflow problem
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { What if x == -1 ? if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { -1 > 800? No! if (x > 800) ‏ { return; } else { copy_bytes(x,src, dst); } }
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else copy_bytes( unsigned int x,... { copy_bytes(x,src, dst); } }
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } else copy_bytes( unsigned int x,... { copy_bytes(x,src, dst); } Copy a few more than 800 bytes..! }
Signed/Unsigned Conversion void bad(int x,char * src,char * dst) ‏ { if (x > 800) ‏ { return; } Bug pattern : treat value x as signed, else then as unsigned or vice versa { copy_bytes(x,src, dst); } }
Unknown / Top Signed Unsigned Potential Bug /Bot
Unknown / Top Signed Unsigned Potential Bug /Bot Idea: 1. Keep track of type for every tainted program value 2. Use solver to force values with type “Bot” to equal -1 New algorithm: infer types over long binary traces.

Recommend

[2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014

[1/2] Fantastic C++ Bugs and Where to Find Them [2/2] Find scary C++ bugs before they find you Konstantin Serebryany, Google May 2014 @compsciclub.ru Agenda AddressSanitizer (aka ASan) detects use-after-free and buffer overflows

742 views • 55 slides

Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and

1 Understanding and Genera-ng High Quality Patches for Concurrency Bugs Haopeng Liu , Yuxi Chen and Shan Lu 2 What are concurrency bugs Synchroniza-on mistakes in mul--threaded programs 3 What are concurrency bugs Synchroniza-on

826 views • 65 slides

This is a PDF version with notes. You can find the PPTX version at

This is a PDF version with notes. You can find the PPTX version at http://www.cse.iitd.ernet.in/~sbansal/talks/btkernel.pptx 1 Firstly, what is Dynamic Binary Translation and what is it used for. Dynamic Binary Translation or DBT is the

617 views • 49 slides

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides

A a:INTEGER b:INTEGER B C c:INTEGER D d:INTEGER Figure 1: Class Inheritance Hierarchy 1 2

EECS3311 Software Design Fall 2018 Static Types, Expectations, Dynamic Types, and Type Casts Chen-Wei Wang Contents 1 Inheritance Hierarchy 1 2 Static Types (at Compile Time) Define Expected Usages 2 3 Dynamic Types (at Runtime) 2 4

198 views • 5 slides

Bugs / Insekten int I = 0; i++; void

Bugs / Insekten int I = 0; i++; void foo() { do(); c = a + b ; } int get() { return fo(); } close(); Test 1 Test 2 Test 3 Test 4 Test 5 Selektierte Tests System Alle Tests [s]

661 views • 50 slides

Binary Search Trees ! A data structures with efficient support for many dynamic set operations:

Binary Search Trees ! A data structures with efficient support for many dynamic set operations: Search/Find Minimum/findMin Maximum/findMax Binary Search Trees Predecessor Successor Insert Delete/Remove ! All

83 views • 4 slides

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in

lecture 7 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ? Sequential circuits 3 multiplicand - integer multiplication and division multiplier - floating point arithmetic product - finite

183 views • 3 slides

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides

Order Statistics on Binary Trees Goal: find the k th element (in order) of a binary tree where

Order Statistics on Binary Trees Goal: find the k th element (in order) of a binary tree where 1 <= k <= N Why? Find the median: k = n/2, or k = n/2 and n/2 Find quartiles: k = n/4, n/2, 3n/4 t 7 t.size()

194 views • 7 slides

Genera&ng a power set Given a set of elements, would

Genera&ng a power set Given a set of elements, would like to find set of all subsets [1, 2, 3] Leads to [], [1], [2], [3],

310 views • 8 slides

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides

Datatracker Testing Making the users happy by catching bugs Contents How test coverage

Datatracker Testing Making the users happy by catching bugs Contents How test coverage has changed Catching data corruption Finding user points of pain Dead code removal Chasing the holy grail of full test coverage What

549 views • 27 slides

i radix point (binary point) assumed to be to the right of i 0 the rightmost digit.

Number Systems Binary: Computer Arithmetic Hexadecimal: Word Size: (Fixed) number of bits used to represent a number School of Computer Science G51CSA School of Computer Science G51CSA 1 2 Integer Representation Non Negative Integer

391 views • 5 slides

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p

Batch binary Edwards D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 p index calculus Classic F needs to check smoothness < p . of many positive integers Smooth integer: integer > y . with no prime divisors y

475 views • 8 slides

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point

lecture 7 Sequential circuits 3 - integer multiplication and division - floating point arithmetic - finite state machines February 1, 2016 Integer multiplication (grade school) How to do (unsigned) integer multiplication in binary ?

402 views • 24 slides

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung

About Directed Fuzzing and Use-After-Free: How to Find Complex & Silent Bugs? Manh-Dung Nguyen, Sbastien Bardin, Matthieu Lemerre (CEA LIST) Richard Bonichon (Tweag I/O) Roland Groz (Universit Grenoble Alpes) #BHUSA @BLACKHATEVENTS

546 views • 44 slides

Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr, Yang Chen, Pascal Cuoq, Eric Eide, Chucky Ellison, Xuejun Yang Background: Csmith [PLDI

797 views • 48 slides

Chapter 15: Dynamic Programming. Rod-cutting problem. Given: rod of integer length n inches a

Chapter 15: Dynamic Programming. Rod-cutting problem. Given: rod of integer length n inches a table of retail values (dollars for rods of integer lengths) Problem: cut the rod to maximize retail value For example: length i 1 2 3 4 5 6 7

394 views • 35 slides

Binary Counters Integer Representations towards Efficient Counting in the Bit Probe Model

Binary Counters Integer Representations towards Efficient Counting in the Bit Probe Model (presented at TAMC 2011) Gerth Stlting Brodal (Aarhus University) Mark Greve (Aarhus University) Vineet Pandey (BITS Pilani, India) S. Srinivasa Rao

486 views • 35 slides

Unit 1 Integer Representation 1.2 Skills & Outcomes You should master (understand +

1.1 Unit 1 Integer Representation 1.2 Skills & Outcomes You should master (understand + apply) Unsigned binary number to and from decimal Combinations that can be made with n bits 2's complement binary to and from decimal

862 views • 47 slides

Dynamic Fuzzy Logic Leads How Do We Find the . . . to More Adequate And How Do We Find the

Fuzzy Logic: Brief . . . Formulation of the . . . Dynamic Fuzzy Logic Correlation: Reminder Dynamic Fuzzy Logic Leads How Do We Find the . . . to More Adequate And How Do We Find the . . . Weighted Averages: . . . and Or

427 views • 30 slides

Practical Dynamic Symbolic Execution of Standalone JavaScript Johannes Kinder Royal Holloway,

Practical Dynamic Symbolic Execution of Standalone JavaScript Johannes Kinder Royal Holloway, University of London Joint work with Blake Loring and Duncan Mitchell Mission Statement Help find bugs in Node.js applications and libraries

360 views • 19 slides