Matryoshka

Chen, Peng; Liu, Jianzhong; Chen, Hao

doi:10.1145/3319535.3363225

Cited by 74 publications

(17 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We do not need full path or code coverage to be accurate, only enough program state change coverage (i.e., data-flow coverage) to differentiate semantics. While limitations of fuzzing (e.g., passing complex data checks [11]) may limit the quality of the IOVecs, we observe that they are sufficient in practice. Our experimental results reinforce our main claim that program state change (however the IOVecs are generated) provides a more stable semantic identification fingerprint than code measurements.…”

Section: B Iovfi Phasesmentioning

confidence: 77%

See 1 more Smart Citation

Accurate Compiler and Optimization Independent Function Identification Using Program State Transformations

McKee¹,

Burow²,

Payer³

2023

Proceedings 2023 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Reverse engineering unknown binaries is a difficult, resource intensive process due to information loss and optimizations performed by compilers that introduce significant binary diversity. Existing binary similarity approaches do not scale or are inaccurate. In this paper, we introduce IOVec Function Identification (IOVFI), which assesses similarity based on program state transformations, which compilers largely guarantee even across compilation environments and architectures. IOVFI executes functions with initial predetermined program states, measures the resulting program state changes, and uses the sets of input and output state vectors as unique semantic fingerprints. Since IOVFI relies on state vectors, and not code measurements, it withstands broad changes in compilers and optimizations used to generate a binary.Evaluating our IOVFI implementation as a semantic function identifier for coreutils-8.32, we achieve a high .773 average F-Score, indicating high precision and recall. When identifying functions generated from differing compilation environments, IOVFI achieves a 100% accuracy improvement over BinDiff 6, outperforms asm2vec in cross-compilation environment accuracy, and, when compared to dynamic frameworks, BLEX and IMF-SIM, IOVFI is 25%-53% more accurate.This paper provides the following contributions: 1) Design of IOVFI, a framework for semantic binary analysis that infers function semantics through program state changes;

show abstract

Section: B Iovfi Phasesmentioning

confidence: 77%

“…The fuzzer did not create inputs to pass these checks, and the functions are grouped into an equivalence class. Although inferring valid input is an ongoing research topic [10,11,50], both of these problems can be mitigated with a longer fuzzing campaign, a more sophisticated fuzzer, or through symbolic execution.…”

Section: E Large Shared Librariesmentioning

confidence: 99%

Accurate Compiler and Optimization Independent Function Identification Using Program State Transformations

McKee¹,

Burow²,

Payer³

2023

Proceedings 2023 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…Otherwise, a generative fuzzing approach [6,21] is a more effective fuzzing that generates effective input values based on modeling the structure of input data. Also, there are many research instrumenting target programs to maximize the effectiveness of fuzzing [22,23], and fuzzing operating systems [24,25].…”

Section: Fuzzingmentioning

confidence: 99%

“…Designing and implementing a fully automated solution for finding design or implementation flaws that affect the security of software systems is a challenging issue. According to 2022 Top 25 The Open Web Application Security Project (OWASP) Prating Scale for the list of software weaknesses, incorrect design and implementation defects are ranked high. This is mainly because such defects cannot be discovered by using rigorous unit tests or by performing fuzz testing as far as a software system has no functional errors and memory errors, while other security vulnerabilities (e.g., memory corruptions) can be detected by checking whether a program makes a crash or not.…”

Section: Introductionmentioning

confidence: 99%

SMINER: Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases

Sim¹,

Yi²,

Cho³

2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Despite the advances in automated vulnerability detection approaches, security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems. Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage. Therefore, it is an essential task to discover unrestricted and misimplemented behaviors of a system. However, it is a daunting task for security experts to discover such vulnerabilities in advance because it is timeconsuming and error-prone to analyze the whole code in detail. Also, most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities. This paper proposes SMINER, a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors. SMINER first collects unit test cases for the target system from the official repository. Next, preprocess the collected code fragments. SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing. To demonstrate the effectiveness of SMINER, this paper evaluates SMINER against Robot Operating System (ROS), a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration (NASA). From the evaluation, we discovered two real-world vulnerabilities in ROS.

show abstract

“…LAVA-M has a set of synthetic bugs inserted to 4 real-world programs base64, md5sum, uniq, who from project coreutils-8.24. It is commonly used to measure the ability of discovering bugs of modern fuzzers [4], [5], [22]. In LAVA-M, a bug is identified by a unique number and guarded by a 4-byte comparison as shown in Figure 7 (lines 2-3) where a bug is counted if the true-branch (lines 2-3) is satisfied.…”

Section: Detecting Bugsmentioning

confidence: 99%

A Quantitative Analysis of the Effect of Human Detection and Segmentation Quality in Person Re-identification Performance

Nguyen

Nguyêñ

et al. 2019

2019 International Conference on Multimedia Analysis and Pattern Recognition (MAPR)

View full text Add to dashboard Cite

Fuzzing has emerged as a powerful technique for finding security bugs in complicated real-world applications. American fuzzy lop (AFL), a leading fuzzing tool, has demonstrated its powerful bug finding ability through a vast number of reported CVEs. However, its random mutation strategy is unable to generate test inputs that satisfy complicated branching conditions (e.g., magic-byte comparisons, checksum tests, and nested if-statements), which are commonly used in image decoders/encoders, XML parsers, and checksum tools. Existing approaches (such as Steelix and Neuzz) on addressing this problem assume unrealistic assumptions such as we can satisfy the branch condition byte-to-byte or we can identify and focus on the important bytes in the input (called hot-bytes) once and for all. In this work, we propose an approach called Finch which is designed based on the following principles. First, there is a complicated relation between inputs and branching conditions and thus we need not only an expressive model to capture such relationship but also an informative measure so that we can learn such relationship effectively. Second, different branching conditions demand different hot-bytes and we must adjust our fuzzing strategy adaptively depending on which branches are the current bottleneck. We implement our approach as an open source project and compare its efficiency with other state-of-the-art fuzzers. Our evaluation results on 10 real-world programs and LAVA-M dataset show that Finch achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.

show abstract

Matryoshka

Cited by 74 publications

References 33 publications

Accurate Compiler and Optimization Independent Function Identification Using Program State Transformations

Accurate Compiler and Optimization Independent Function Identification Using Program State Transformations

SMINER: Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases

A Quantitative Analysis of the Effect of Human Detection and Segmentation Quality in Person Re-identification Performance

Contact Info

Product

Resources

About