Dowsing for overflows: A guided fuzzer to find buffer boundary violations

I. Haller, J.M. Slowinska, M. Neugschwandtner, H.J. Bos

Research output: Chapter in Book / Report / Conference proceeding > Conference contribution > Academic > peer-review

Abstract

Copyright © 2013 USENIX Security Symposium. All rights reserved.

Dowser is a 'guided' fuzzer that combines taint tracking, program analysis and symbolic execution to find buffer overflow and underflow vulnerabilities buried deep in a program's logic. The key idea is that analysis of a program lets us pinpoint the right areas in the program code to probe and the appropriate inputs to do so. Intuitively, for typical buffer overflows, we need only consider the code that accesses an array in a loop, rather than all possible instructions in the program. After finding all such candidate sets of instructions, we rank them according to an estimation of how likely they are to contain interesting vulnerabilities. We then subject the most promising sets to further testing. Specifically, we first use taint analysis to determine which input bytes influence the array index and then execute the program symbolically, making only this set of inputs symbolic. By constantly steering the symbolic execution along branch outcomes most likely to lead to overflows, we were able to detect deep bugs in real programs (like the nginx web server, the inspircd IRC server, and the ffmpeg video player). Two of the bugs we found were previously undocumented buffer overflows in ffmpeg and the poppler PDF rendering library.
Original language: English
Title of host publication: USENIX Security
Place of Publication: Washington, DC
Publisher: USENIX
Pages: 49-63
ISBN (Electronic): 9781931971034
Publication status: Published - 2013
Event: 22nd USENIX Security Symposium - Washington, United States
Duration: 14 Aug 2013 to 16 Aug 2013

Conference

Conference: 22nd USENIX Security Symposium
Country/Territory: United States
City: Washington
Period: 14/08/13 to 16/08/13
