DocumentCode :
3575141
Title :
Online Taint Propagation Analysis with Precise Pointer-to Analysis for Detecting Bugs in Binaries
Author :
Gen Li ; Ying Zhang ; Shuang-xi Wang ; Kai Lu
Author_Institution :
Nat. Univ. of Defense Technol., Changsha, China
fYear :
2014
Firstpage :
778
Lastpage :
784
Abstract :
Dynamic test generation is becoming an increasingly popular approach for finding security vulnerabilities in software, and it is also applied to detecting bugs in binaries. However, existing systems of this kind perform offline symbolic analysis and execution over a program execution trace consisting of the executed instructions and their operand values, in which every pointer or indirect memory access has been replaced by its concrete runtime value. This causes two fatal problems: first, all symbolic information about pointers and indirect memory accesses is lost; second, the symbolic information of other variables is inaccurate, especially for variables computed from pointers. We propose online taint propagation analysis as an approach for finding fatal bugs in pre-release binary software, and implement Hunter, a systematic automatic dynamic test generation system for binary software testing. Hunter achieves accurate analysis through online taint propagation analysis combined with online byte-precise points-to analysis, and thereby finds, online, unknown high-priority fatal bugs in binaries that must be fixed immediately at the pre-release stage. The effectiveness of the approach is validated by revealing many fatal bugs in both benchmarks and large real-world applications.
Keywords :
program debugging; program testing; security of data; Hunter; automatic dynamic test generation system; binary software testing; bugs detection; dynamic test generation approach; online byte-precise point-to analysis; online taint propagation analysis; program execution trace; software security vulnerability; symbolic analysis; symbolic execution; Benchmark testing; Binary codes; Computer bugs; Layout; Security; Software; Hunter; online byte-precise point-to analysis; symbolic taint analysis; taint-oriented online analysis;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC,CSS,ICESS), 2014 IEEE Intl Conf on
Print_ISBN :
978-1-4799-6122-1
Type :
conf
DOI :
10.1109/HPCC.2014.130
Filename :
7056832