Title :
Towards an automatic exploit pipeline
Author :
DeMott, Jared D. ; Enbody, Richard J. ; Punch, William F.
Author_Institution :
Comput. Sci. Dept., Michigan State Univ., East Lansing, MI, USA
Abstract :
A continuous and fully automated software exploit discovery and development pipeline for real-world problems has not yet been achieved, but it is desired by defenders and attackers alike. We have made significant steps toward that goal by combining and enhancing known bug hunting and analysis techniques. The first step is the implementation of an easy-to-use distributed fuzzer, since a single fuzzer takes too long to produce the number of results required. Because distributed fuzzers produce a high volume of output (typically many found bugs), sorting of those results is required, which we include. We add another layer of triage support by incorporating an enhanced fault localization process. Our work automates much of the process so that human resources are only needed at a few key checkpoints along the pipeline, arguably enhancing overall system efficiency. We demonstrate our process on contrived code, the Siemens suite, and two real-world pieces of code: Firefox and Java.
Keywords :
Java; checkpointing; pipeline processing; program debugging; security of data; software fault tolerance; systems analysis; Firefox; Java; Siemens suite; analysis technique; automated software exploit discovery; automatic exploit pipeline; bug hunting; checkpoints; contrived code; development pipeline; distributed fuzzer; fault localization process; high-output sorting; human resources; software security; triage; Computer bugs; Debugging; Noise; Pipelines; Security; Software; Automatic Vulnerability Discovery and Exploitation; Distributed Fuzzing; Fault localization; Software Security; Software Testing and Debugging;
Conference_Title :
Internet Technology and Secured Transactions (ICITST), 2011 International Conference for
Conference_Location :
Abu Dhabi
Print_ISBN :
978-1-4577-0884-8