Abstract
Copyright © 2013 USENIX Security Symposium. All rights reserved.

Dowser is a 'guided' fuzzer that combines taint tracking, program analysis and symbolic execution to find buffer overflow and underflow vulnerabilities buried deep in a program's logic. The key idea is that analysis of a program lets us pinpoint the right areas in the program code to probe and the appropriate inputs to do so. Intuitively, for typical buffer overflows, we need to consider only the code that accesses an array in a loop, rather than all possible instructions in the program. After finding all such candidate sets of instructions, we rank them according to an estimation of how likely they are to contain interesting vulnerabilities. We then subject the most promising sets to further testing. Specifically, we first use taint analysis to determine which input bytes influence the array index and then execute the program symbolically, making only this set of inputs symbolic. By constantly steering the symbolic execution along branch outcomes most likely to lead to overflows, we were able to detect deep bugs in real programs (like the nginx web server, the inspircd IRC server, and the ffmpeg video player). Two of the bugs we found were previously undocumented buffer overflows in ffmpeg and the poppler PDF rendering library.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | USENIX Security |
| Place of Publication | Washington, DC |
| Publisher | USENIX |
| Pages | 49-63 |
| ISBN (Electronic) | 9781931971034 |
| Publication status | Published - 2013 |
| Event | 22nd USENIX Security Symposium - Washington, United States. Duration: 14 Aug 2013 → 16 Aug 2013 |
Conference

| Field | Value |
|---|---|
| Conference | 22nd USENIX Security Symposium |
| Country/Territory | United States |
| City | Washington |
| Period | 14/08/13 → 16/08/13 |