The BORG
- 2 March 2015
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
Automated program testing tools typically try to explore, and cover, as much of a tested program as possible, while attempting to trigger and detect bugs. An alternative and complementary approach can be to first select a specific part of a program that may be subject to a specific class of bug, and then narrowly focus exploration towards program paths that could trigger such a bug. In this work, we introduce the BORG (Buffer Over-Read Guard), a testing tool that uses static and dynamic program analysis, taint propagation and symbolic execution to detect buffer overread bugs in real-world programs. BORG works by first selecting buffer accesses that could lead to an overread and then guiding symbolic execution towards those accesses along program paths that could actually lead to an overread. BORG operates on binaries and does not require source code. To demonstrate BORG's effectiveness, we use it to detect overreads in six complex server applications and libraries, including lighttpd, FFmpeg and ClamAV.
Funding Information
- Österreichische Forschungsförderungsgesellschaft (257007-Syssec, COMET K1, 259108-Rosetta, Ph.D. Scholarship 2011-049)
This publication has 26 references indexed in Scilit.