Abstract:

The dynamic test generation approach is becoming increasingly popular to finding security vulnerabilities in software. More and more research institutes and organizations use this approach to find security vulnerabilities in binary code. However, the existing binary level dynamic test generation approaches and tools are not retargetable, and can only find vulnerabilities in binaries for a specific ISA. This paper presents a new binarylevel dynamic test generation technique and a tool, Hunter,which implements this technique. Unlike other such techniques that can operate only on binaries in a specific ISA, Hunter takes the binaries of any ISA as inputs and dynamically generates new inputs that exercise different control paths in the program, which may lead to security vulnerabilities. Hunter defines a meta instruction set architecture(MetaISA); Hunter maps the execution information, which is collected during the binary source code execution, to MetaISA; and symbolic execution, constraint collection and constraint solver operates on MetaISA, thus making these processes ISAindependent.We have implemented our Hunter, retargeted it to 32bit x86, PowerPC and Sparc ISAs, and used it to automatically find the six known bugs in the six benchmarks. Our results indicate that our Hunter can easily be retargeted to any ISA with only a few overheads; and Hunter can effectively find bugs located deep within large applications from their binaries for 32bit x86, PowerPC or Sparc ISA.

Key words: dynamic test generation;redirected;ISAindependent