ABSTRACT
The development of a new application virtual machine (VM), like the creation of any complex piece of software, is a bug-prone process. In version 5.0, the widely-used Android operating system has changed from the Dalvik VM to the newly-developed ART VM to execute Android applications. As new iterations of this VM are released, how can the developers aim to reduce the number of potentially security-threatening bugs that make it into the final product? In this paper we combine domain-aware binary fuzzing and differential testing to produce DexFuzz, a tool that exploits the presence of multiple modes of execution within a VM to test for defects. These modes of execution include the interpreter and a runtime that executes ahead-of-time compiled code. We find and present a number of bugs in the in-development version of ART in the Android Open Source Project. We also assess DexFuzz's ability to highlight defects in the experimental version of ART released in the previous version of Android, 4.4, finding 189 crashing programs and 15 divergent programs that indicate defects after only 5,000 attempts.
- american-fuzzy-lop on Google Code. https://code.google.com/p/american-fuzzy-lop/. Accessed: 2014-11-12.Google Scholar
- Alien Dalvik. http://www.myriadgroup.com/products/device-solutions/mobile-software/alien-dalvik/. Accessed: 2014-11-25.Google Scholar
- BlueStacks AppPlayer. http://www.bluestacks.com/app-player.html. Accessed: 2014-11-25.Google Scholar
- HITB2014AMS - Day 1 - State of the ART: Exploring the new Android KitKat Runtime. https://www.corelan.be/index.php/2014/05/29/hitb2014ams-day-1-state-of-the-art-exploring-the-new-android-kitkat-runtime/. Accessed: 2014-11-20.Google Scholar
- Peachfuzzer. http://peachfuzzer.com/. Accessed: 2014-11-20.Google Scholar
- smali - an assembler/disassembler for android's dex format on Google Code. https://code.google.com/p/smali/. Accessed: 2014-11-19.Google Scholar
- K. Claessen and J. Hughes. Quickcheck: A lightweight tool for random testing of haskell programs. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming, ICFP '00, pages 268--279, New York, NY, USA, 2000. ACM. ISBN 1-58113-202-6. 10.1145/351240.351266. URL http://doi.acm.org/10.1145/351240.351266. Google ScholarDigital Library
- K. Dewey, J. Roesch, and B. Hardekopf. Language fuzzing using constraint logic programming. In Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE '14, pages 725--730, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-3013-8. 10.1145/2642937.2642963. URL http://doi.acm.org/10.1145/2642937.2642963. Google ScholarDigital Library
- C. Holler, K. Herzig, and A. Zeller. Fuzzing with code fragments. In Proceedings of the 21st USENIX Conference on Security Symposium, Security'12, pages 38--38, Berkeley, CA, USA, 2012. USENIX Association. URL http://dl.acm.org/citation.cfm?id=2362793.2362831. Google ScholarDigital Library
- K. Jayaraman, D. Harvison, V. Ganesh, and A. Kiezun. jfuzz: A concolic whitebox fuzzer for java. In NASA Formal Methods, pages 121--125, 2009.Google Scholar
- A. Lanzi, L. Martignoni, M. Monga, and R. Paleari. A smart fuzzer for x86 executables. In Proceedings of the Third International Workshop on Software Engineering for Secure Systems, SESS '07, pages 7--, Washington, DC, USA, 2007. IEEE Computer Society. ISBN 0-7695-2952-6. 10.1109/SESS.2007.1. URL http://dx.doi.org/10.1109/SESS.2007.1. Google ScholarDigital Library
- V. Le, M. Afshari, and Z. Su. Compiler validation via equivalence modulo inputs. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, pages 216--226, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2784-8. 10.1145/2594291.2594334. URL http://doi.acm.org/10.1145/2594291.2594334. Google ScholarDigital Library
- B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of unix utilities. Commun. ACM, 33 (12): 32--44, Dec. 1990. ISSN 0001-0782. 10.1145/96267.96279. URL http://doi.acm.org/10.1145/96267.96279. Google ScholarDigital Library
- P. Purdom. A sentence generator for testing parsers. BIT Numerical Mathematics, 12 (3): 366--375, 1972. ISSN 0006-3835. 10.1007/BF01932308. URL http://dx.doi.org/10.1007/BF01932308.Google ScholarDigital Library
- G. Wen, Y. Zhang, Q. Liu, and D. Yang. Fuzzing the actionscript virtual machine. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS '13, pages 457--468, New York, NY, USA, 2013. ACM. ISBN 978-1-4503-1767-2. 10.1145/2484313.2484372. URL http://doi.acm.org/10.1145/2484313.2484372. Google ScholarDigital Library
- X. Yang, Y. Chen, E. Eide, and J. Regehr. Finding and understanding bugs in c compilers. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '11, pages 283--294, New York, NY, USA, 2011. ACM. ISBN 978-1-4503-0663-8. 10.1145/1993498.1993532. URL http://doi.acm.org/10.1145/1993498.1993532. Google ScholarDigital Library
Index Terms
- Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing
Recommendations
Application of Domain-aware Binary Fuzzing to Aid Android Virtual Machine Testing
VEE '15The development of a new application virtual machine (VM), like the creation of any complex piece of software, is a bug-prone process. In version 5.0, the widely-used Android operating system has changed from the Dalvik VM to the newly-developed ART VM ...
Testing android apps through symbolic execution
There is a growing need for automated testing techniques aimed at Android apps. A critical challenge is the systematic generation of test cases. One method of systematically generating test cases for Java programs is symbolic execution. But applying ...
Grey-box concolic testing on binary code
ICSE '19: Proceedings of the 41st International Conference on Software EngineeringWe present grey-box concolic testing, a novel path-based test case generation method that combines the best of both white-box and grey-box fuzzing. At a high level, our technique systematically explores execution paths of a program under test as in ...
Comments