Abstract
Businesses' dependency on software and computer programs is growing. In such an environment, eliminating security vulnerabilities has become increasingly important and difficult as programs become more complicated and have greater impact on businesses. We analyzed the security vulnerabilities of code using a symbolic execution engine that tracks data that would kill the program or might make it vulnerable. We also present smart fuzzing using the data from the symbolic execution engine, an effective vulnerability-finding test technique that automatically generates inputs that crash or penetrate the program. By using the symbolic execution engine, we can automatically generate data that are strong against vulnerability issues. When program verification tools fail to verify a program, either the program is buggy or the report is a false alarm. The burden then falls on users to classify the report manually, a time-consuming, error-prone task that does not use facts already proven by the analysis. We present a new technique for assisting users in classifying error reports. Our technique computes small, relevant queries presented to a user, which capture exactly the information that the analysis misses to either discharge or validate the error. In this paper, we suggest a methodology suited to detecting security vulnerabilities by grafting the symbol-based engine onto secure coding. Its effect was verified through a security vulnerability inspection test using the suggested symbolic execution engine. A notion of symbolically executing the program has been presented, which is closely related to the normal notion of program execution. It offers the advantage that one symbolic execution may represent a large, usually infinite, class of normal executions. This can be used to great advantage in program inspection and debugging.





Notes
CWE provides a unified, measurable set of software vulnerabilities that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these vulnerabilities in source code and operational systems, as well as better understanding and management of software vulnerabilities related to architecture and design. CWE has the following vulnerabilities associated with race conditions: CWE-121: Stack-based Buffer Overflow, CWE-122: Heap-based Buffer Overflow, CWE-131: Incorrect Calculation of Buffer Size, CWE-680: Integer Overflow to Buffer Overflow.
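An added illustration (not code from the paper or its engine) of how one symbolic path stands for a whole class of concrete executions and yields a fuzzing seed, using the CWE-680 / CWE-131 pattern listed in the Notes. The modelled routine, the interval-based constraint handling and every function name here are assumptions constructed for this example.

```python
"""Toy interval-based symbolic execution of a constructed C-like routine.

Modelled routine (constructed for this example, n is a 32-bit unsigned):
    if (n == 0) return;
    size = n * 4;                      /* wraps modulo 2**32 */
    buf  = malloc(size);
    for (i = 0; i < n; i++) buf[i] = src[i];   /* writes 4*n bytes */
"""
U32_MAX = 2**32 - 1
ELEM = 4  # sizeof(uint32_t) in the modelled routine


def fork(lo, hi, k):
    """Split the path condition lo <= n <= hi on the branch `n <= k`.
    Returns (true_side, false_side); a side is None when infeasible."""
    t = (lo, min(hi, k)) if lo <= k else None
    f = (max(lo, k + 1), hi) if hi > k else None
    return t, f


def explore():
    """Enumerate feasible paths as (label, (lo, hi)) over the symbolic n."""
    paths = []
    # For unsigned n, `n == 0` is the same branch as `n <= 0`.
    zero, nonzero = fork(0, U32_MAX, 0)
    if zero:
        paths.append(("early-return", zero))
    if nonzero:
        # Check added at `n * 4`: does the product still fit in 32 bits?
        fits, wraps = fork(*nonzero, U32_MAX // ELEM)
        if fits:
            paths.append(("safe-copy", fits))
        if wraps:
            paths.append(("CWE-680 overflow", wraps))
    return paths


def witness(lo, hi):
    """One concrete input satisfying the path condition (a fuzzing seed)."""
    return lo


def replay(n):
    """Run the modelled arithmetic concretely: (allocated, written) bytes."""
    return (n * ELEM) & U32_MAX, n * ELEM


if __name__ == "__main__":
    for label, (lo, hi) in explore():
        n = witness(lo, hi)
        print(label, f"n in [{lo}, {hi}]", "witness", n, "replay", replay(n))
```

Three path conditions cover all 2**32 possible inputs, and replaying the witness of the overflow path shows the allocation size falling below the number of bytes written.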
Acknowledgments
This work was supported by the ICT R&D program of MSIP/IITP [R0112-14-1061, the analysis technology of vulnerability on open-source software, and the development of platform].
Cite this article
Kim, JH., Ma, MC. & Park, JP. An analysis on secure coding using symbolic execution engine. J Comput Virol Hack Tech 12, 177–184 (2016). https://doi.org/10.1007/s11416-016-0263-5
DOI: https://doi.org/10.1007/s11416-016-0263-5