Towards building a generic vulnerability detection platform by combining scalable attacking surface analysis and directed fuzzing

Research output: Chapter in Book/Report/Conference proceeding, Conference Paper, Other, peer-review

Abstract

Vulnerabilities are one of the major threats to software security. Usually, they are hunted by security experts via manual code audits, or with automated tools such as fuzzers (e.g., [1, 5, 12]) and symbolic execution (e.g., [4, 7, 10, 13]), which can provide concrete inputs to trigger and validate the vulnerabilities. As fuzzy static scanners usually flag a list of potentially vulnerable code or functions with a high false-positive rate, we deem them to fall in the spectrum of attack surface identification approaches. The scalability of symbolic execution is extremely restricted by the path exploration problem and solver capability, which makes it a poor choice for large-scale vulnerability detection. Coverage-based undirected fuzzing is hardly scalable or effective in general, due to the large size of programs and the lack of good seeds to trigger various behaviors or executions. Since all existing static and dynamic detection tools face a trade-off between scalability and precision, a generic and scalable vulnerability detection platform is desirable.

Original language: English
Title of host publication: Formal Methods and Software Engineering
Subtitle of host publication: 20th International Conference on Formal Engineering Methods, ICFEM 2018 Gold Coast, QLD, Australia, November 12–16, 2018 Proceedings
Editors: Jing Sun, Meng Sun
Place of Publication: Cham Switzerland
Publisher: Springer
Pages: 464-468
Number of pages: 5
ISBN (Electronic): 9783030024505
ISBN (Print): 9783030024499
Publication status: Published - 2018
Externally published: Yes
Event: International Conference on Formal Engineering Methods 2018 - Gold Coast, Australia
Duration: 12 Nov 2018 to 16 Nov 2018
Conference number: 20th
https://link.springer.com/book/10.1007/978-3-030-02450-5 (Proceedings)
https://formal-analysis.com/icfem/2018/ (Website)

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 11232
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: International Conference on Formal Engineering Methods 2018
Abbreviated title: ICFEM 2018
Country/Territory: Australia
City: Gold Coast
Period: 12/11/18 to 16/11/18