Van-Thuan Pham, Wei Boon Ng, K. Rubinov, Abhik Roychoudhury
{"title":"Hercules: Reproducing Crashes in Real-World Application Binaries","authors":"Van-Thuan Pham, Wei Boon Ng, K. Rubinov, Abhik Roychoudhury","doi":"10.1109/ICSE.2015.99","DOIUrl":null,"url":null,"abstract":"Binary analysis is a well-investigated area in software engineering and security. Given real-world program binaries, generating test inputs which cause the binaries to crash is crucial. Generation of crashing inputs has many applications including off-line analysis of software prior to deployment, or online analysis of software patches as they are inserted. In this work, we present a method for generating inputs which reach a given \"potentially crashing\" location. Such potentially crashing locations can be found by a separate static analysis (or by gleaning crash reports submitted by internal / external users) and serve as the input to our method. The test input generated by our method serves as a witness of the crash. Our method is particularly suited for binaries of programs which take in complex structured inputs. Experiments on real-life applications such as the Adobe Reader and the Windows Media Player demonstrate that our Hercules tool built on selective symbolic execution engine S2E can generate crashing inputs within few hours, where symbolic approaches (as embodied by S2E) or blackbox fuzzing approaches (as embodied by the commercial tool PeachFuzzer) failed.","PeriodicalId":330487,"journal":{"name":"2015 IEEE/ACM 37th IEEE International Conference on Software Engineering","volume":"23 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"33","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 IEEE/ACM 37th IEEE International Conference on Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSE.2015.99","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 33
Abstract
Binary analysis is a well-investigated area in software engineering and security. Given real-world program binaries, generating test inputs which cause the binaries to crash is crucial. Generation of crashing inputs has many applications including off-line analysis of software prior to deployment, or online analysis of software patches as they are inserted. In this work, we present a method for generating inputs which reach a given "potentially crashing" location. Such potentially crashing locations can be found by a separate static analysis (or by gleaning crash reports submitted by internal / external users) and serve as the input to our method. The test input generated by our method serves as a witness of the crash. Our method is particularly suited for binaries of programs which take in complex structured inputs. Experiments on real-life applications such as the Adobe Reader and the Windows Media Player demonstrate that our Hercules tool built on selective symbolic execution engine S2E can generate crashing inputs within few hours, where symbolic approaches (as embodied by S2E) or blackbox fuzzing approaches (as embodied by the commercial tool PeachFuzzer) failed.
二进制分析在软件工程和安全中是一个被广泛研究的领域。对于实际的程序二进制文件,生成导致二进制文件崩溃的测试输入是至关重要的。生成崩溃输入有许多应用程序,包括在部署之前对软件进行离线分析,或在软件补丁插入时对其进行在线分析。在这项工作中,我们提出了一种方法来生成到达给定“潜在崩溃”位置的输入。这些潜在的崩溃位置可以通过单独的静态分析(或通过收集内部/外部用户提交的崩溃报告)找到,并作为我们方法的输入。我们的方法生成的测试输入作为崩溃的见证。我们的方法特别适合于接受复杂结构化输入的二进制程序。在现实应用程序(如Adobe Reader和Windows Media Player)上的实验表明,我们的Hercules工具建立在选择性符号执行引擎S2E上,可以在几个小时内生成崩溃的输入,其中符号方法(如S2E所体现的)或黑盒模糊方法(如商业工具PeachFuzzer所体现的)失败。
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
