Binary Level Concolic Execution on Windows with Rich Instrumentation Based Taint Analysis

  • Conference paper
  • Dependable Software Engineering. Theories, Tools, and Applications (SETTA 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14464)

Abstract

Windows programs are widely used, and effective testing of Windows applications can prevent financial losses. Currently, only a few tools can test programs on Windows without source code. The state-of-the-art tool WinAFL suffers from poor testing efficiency, and most other tools rely on analysing source code on Linux. Concolic execution on binary code is an efficient way to discover defects in programs without source code. In this paper, we present WinTaintCE, which mainly uses a Rich Instrumentation based taint analysis technique for instruction refinement. The data in the input file of a fuzzing task is marked as the taint source, and all instructions through which tainted data flows are extracted for symbolic execution. However, this step overlooks many instructions that compute non-tainted data. We therefore propose Rich Instrumentation, which saves the values of all registers and memory addresses involved in an instruction to a trace file; during concolic execution on that trace file, the saved values are set directly for the non-tainted data in an instruction. Experimental results show that WinTaintCE explores about 24%–130% more paths than WinAFL. A 96%–99% reduction in the number of instructions that need to be analysed, compared to existing binary analysis tools on Windows, also demonstrates the effectiveness of the methodology presented in this paper.
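The two ideas in the abstract, taint-based instruction refinement and rich instrumentation that records operand values so dropped non-tainted computations can be concretized, as an added Python model that is not the paper's WinTaintCE code. The toy instruction set, operand names (in0, g_len, imm) and trace values are constructed; the brute-force byte solver stands in for an SMT solver.

```python
from dataclasses import dataclass

@dataclass
class Insn:
    op: str       # toy ISA: mov / add / xor / cmp
    dst: str      # operand written (for cmp: first operand, nothing is written)
    srcs: tuple   # operands read
    vals: dict    # rich instrumentation: concrete value of every operand read, recorded at run time

OPS = {"add": "+", "xor": "^"}

def refine(trace, sources):
    """Instruction refinement: forward taint propagation keeps only instructions that read tainted data."""
    tainted, kept = set(sources), []
    for ins in trace:
        if any(s in tainted for s in ins.srcs):
            kept.append(ins)
            if ins.op != "cmp":
                tainted.add(ins.dst)
        elif ins.op != "cmp":
            tainted.discard(ins.dst)  # destination overwritten with non-tainted data
    return kept

def concolic(kept, sources, rich=True):
    """Symbolic execution over the refined trace; non-tainted operands come from the saved values."""
    sym = {s: s for s in sources}
    constraints = []
    for ins in kept:
        # tainted operand -> its symbolic expression; otherwise the recorded value (or unknown without it)
        e = [sym[s] if s in sym else (str(ins.vals[s]) if rich else "?") for s in ins.srcs]
        if ins.op == "mov":
            sym[ins.dst] = e[0]
        elif ins.op in OPS:
            sym[ins.dst] = f"({e[0]} {OPS[ins.op]} {e[1]})"
        elif ins.op == "cmp":
            constraints.append(f"{e[0]} == {e[1]}")
    return constraints

def solve_byte(constraint, var="in0"):
    """Toy constraint solver: brute-force one input byte (stands in for an SMT solver)."""
    return [x for x in range(256) if eval(constraint, {"__builtins__": {}}, {var: x})]

# Constructed trace; in0 is the first byte of the fuzzing input and the only taint source.
TRACE = [
    Insn("mov", "eax", ("in0",), {"in0": 0}),
    Insn("mov", "ecx", ("g_len",), {"g_len": 7}),                 # non-tainted global: dropped
    Insn("add", "ecx", ("ecx", "ecx"), {"ecx": 7}),                # non-tainted arithmetic: dropped
    Insn("add", "eax", ("eax", "ecx"), {"eax": 0, "ecx": 14}),     # ecx=14 is taken from the trace
    Insn("xor", "eax", ("eax", "imm"), {"eax": 14, "imm": 0x5A}),
    Insn("cmp", "eax", ("eax", "edx"), {"eax": 84, "edx": 100}),   # branch condition
]
KEPT = refine(TRACE, ["in0"])           # 4 of 6 instructions survive refinement
CONSTRAINTS = concolic(KEPT, ["in0"])   # ['((in0 + 14) ^ 90) == 100']
```

Running `concolic(KEPT, ["in0"], rich=False)` shows the problem the paper's instrumentation addresses: with the ecx computation dropped and no saved values, the constraint degrades to `((in0 + ?) ^ ?) == ?` and cannot be solved.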

Correspondence to Rui Wang.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Yang, Y., Gao, C., Li, Z., Wang, Y., Wang, R. (2024). Binary Level Concolic Execution on Windows with Rich Instrumentation Based Taint Analysis. In: Hermanns, H., Sun, J., Bu, L. (eds) Dependable Software Engineering. Theories, Tools, and Applications. SETTA 2023. Lecture Notes in Computer Science, vol 14464. Springer, Singapore. https://doi.org/10.1007/978-981-99-8664-4_20

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-8664-4_20

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8663-7

  • Online ISBN: 978-981-99-8664-4

  • eBook Packages: Computer Science, Computer Science (R0)