• DocumentCode
    2905511
  • Title
    Decoupling Binary-Level Dynamic Test Generation from Specific Architecture Details
  • Author
    Li, Gen ; Lu, Kai ; Zhang, Ying ; Lu, Xicheng ; Zhang, Wei
  • Author_Institution
    Sch. of Comput., Nat. Univ. of Defence Technol., Changsha, China
  • fYear
    2009
  • fDate
    24-26 Nov. 2009
  • Firstpage
    1041
  • Lastpage
    1046
  • Abstract
    The dynamic test generation approach is becoming increasingly popular for finding security vulnerabilities in software, and more and more research institutes and organizations use it to find security vulnerabilities in binary code. However, the existing binary-level dynamic test generation approaches and tools are not retargetable and can only find vulnerabilities in binaries for a specific ISA. This paper presents a new binary-level dynamic test generation technique and a tool, ReTBLDTG (short for retargetable binary-level dynamic test generation), that implements it. Unlike other such techniques, which operate only on binaries for a specific ISA, ReTBLDTG takes binaries for any ISA as input and dynamically generates new inputs that exercise different control paths in the program, which may lead to security vulnerabilities. ReTBLDTG defines a meta instruction set architecture (MetaISA); it maps the execution information collected while the binary executes onto MetaISA, and symbolic execution, constraint collection and constraint solving all operate on MetaISA, which makes these processes ISA-independent. We have implemented ReTBLDTG, retargeted it to the 32-bit x86, PowerPC and Sparc ISAs, and used it to automatically find the six known bugs in the six benchmarks. Our results indicate that ReTBLDTG can be easily retargeted to any ISA with only a small overhead, and that it can effectively find bugs located deep within large applications from their binaries for the 32-bit x86, PowerPC or Sparc ISA.
  • Keywords
    constraint handling; instruction sets; program compilers; program control structures; program debugging; security of data; software tools; ReTBLDTG tool; binary code; binary source code execution; constraint collection; constraint solver; meta instruction set architecture; program bug; program control path; retargetable binary-level dynamic test generation; security vulnerability; symbolic execution; Arithmetic; Binary codes; Computer bugs; Constraint theory; Information security; Information technology; Instruction sets; National security; Software testing; Surface-mount technology; Dynamic Test Generation; ISA-Independent; Retargetable;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Sciences and Convergence Information Technology, 2009. ICCIT '09. Fourth International Conference on
  • Conference_Location
    Seoul
  • Print_ISBN
    978-1-4244-5244-6
  • Electronic_ISBN
    978-0-7695-3896-9
  • Type
    conf
  • DOI
    10.1109/ICCIT.2009.118
  • Filename
    5368752