MACKE: Compositional analysis of low-level vulnerabilities with symbolic execution
Concolic (concrete+symbolic) execution has recently gained popularity as an effective means to uncover non-trivial vulnerabilities in software, such as subtle buffer overflows. However, symbolic execution tools that are designed to optimize statement coverage often fail to cover potentially vulnerab...
| Published in: | Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering pp. 780 - 785 |
|---|---|
| Main authors: | , , , |
| Format: | Conference proceeding |
| Language: | English |
| Published: | ACM, 01.09.2016 |
| Subjects: | |
| Online access: | Full text |
| Abstract | Concolic (concrete+symbolic) execution has recently gained popularity as an effective means to uncover non-trivial vulnerabilities in software, such as subtle buffer overflows. However, symbolic execution tools that are designed to optimize statement coverage often fail to cover potentially vulnerable code because of complex system interactions and scalability issues of constraint solvers. In this paper, we present a tool (MACKE) that is based on the modular interactions inferred by static code analysis, which is combined with symbolic execution and directed inter-procedural path exploration. This provides an advantage in terms of statement coverage and ability to uncover more vulnerabilities. Our tool includes a novel feature in the form of interactive vulnerability report generation that helps developers prioritize bug fixing based on severity scores. A demo of our tool is available at https://youtu.be/icC3jc3mHEU. |
|---|---|
| Author | Ochoa, Martin Pretschner, Alexander Ognawala, Saahil Limmer, Tobias |
| Author_xml | – sequence: 1 givenname: Saahil surname: Ognawala fullname: Ognawala, Saahil email: ognawala@in.tum.de organization: Tech. Univ. of Munich, Munich, Germany – sequence: 2 givenname: Martin surname: Ochoa fullname: Ochoa, Martin email: martin_ochoa@sutd.edu.sg organization: Singapore Univ. of Technol. & Design, Singapore, Singapore – sequence: 3 givenname: Alexander surname: Pretschner fullname: Pretschner, Alexander email: pretschn@in.tum.de organization: Tech. Univ. of Munich, Munich, Germany – sequence: 4 givenname: Tobias surname: Limmer fullname: Limmer, Tobias email: tobias.limmer@siemens.com organization: Siemens AG, Munich, Germany |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1145/2970276.2970281 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan All Online (POP All Online) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE/IET Electronic Library IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEL url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| EISBN | 9781450338455 1450338453 |
| EndPage | 785 |
| ExternalDocumentID | 7582815 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IL ACM ALMA_UNASSIGNED_HOLDINGS APO CBEJK GUFHI LHSKQ RIE RIL |
| ID | FETCH-LOGICAL-a288t-d86d1022b900c0d9ff945a5b0ad484c24f7e6d6a74d70f680316a73ed3cb438b3 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 22 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=000390237000079&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Aug 27 01:41:41 EDT 2025 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-a288t-d86d1022b900c0d9ff945a5b0ad484c24f7e6d6a74d70f680316a73ed3cb438b3 |
| OpenAccessLink | http://mediatum.ub.tum.de/node?id=1329071 |
| PageCount | 6 |
| ParticipantIDs | ieee_primary_7582815 |
| PublicationCentury | 2000 |
| PublicationDate | 2016-Sept. |
| PublicationDateYYYYMMDD | 2016-09-01 |
| PublicationDate_xml | – month: 09 year: 2016 text: 2016-Sept. |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering |
| PublicationTitleAbbrev | ASE |
| PublicationYear | 2016 |
| Publisher | ACM |
| Publisher_xml | – name: ACM |
| SSID | ssj0002269322 |
| Score | 1.784333 |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 780 |
| SubjectTerms | Complex systems Compositional analysis Computer bugs Engines Memory management Scalability Security Software Symbolic execution |
| Title | MACKE: Compositional analysis of low-level vulnerabilities with symbolic execution |
| URI | https://ieeexplore.ieee.org/document/7582815 |
| WOSCitedRecordID | wos000390237000079&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| linkProvider | IEEE |