Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators

Chapter in: CyberSecurity in a DevOps Environment

Abstract

Both static analysis and dynamic analysis are methods to identify vulnerabilities in programs. Whereas sound static analysis is strong in identifying all vulnerabilities of a certain type by analyzing all program paths, it suffers from high numbers of false positives which can make this approach infeasible for large amounts of code. In contrast, dynamic analysis, in particular fuzzing, has a low number of false positives but suffers from the inability to prove the absence of bugs since it covers only specific execution paths. Therefore, many bug-triggering paths may not be executed. This can then lead to potentially high numbers of false negatives, i.e., missing observations of bugs which are actually present in the code. Since both methods have complementary strengths and weaknesses, interactive application security testing (IAST) aims at obtaining the best from both methods by a smart and interactive combination to mutually eliminate the weaknesses of each method. For instance, fuzzing techniques can be used to discriminate the true positives and the false positives from the static analysis, and static analysis can benefit from concrete values observed during test execution to make the analysis more precise. However, interactive application security testing comes with its own challenges that need to be solved using a set of methods and techniques. In this chapter, we present an approach to both automatically assess static analysis results using fuzzing to make static analysis feasible for large-scale projects and to improve fuzzing with results from static analysis, e.g., by using results from constant propagation, such as magic bytes, to cover code fragments that are hard to reach for traditional fuzzers.
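As an added illustration (not code from the chapter or its authors), the following Python toy ties the two ideas of the abstract together: constants harvested from the target (here a hypothetical stand-in for constant propagation that simply reads the function's bytecode constants) let a mutational fuzzer pass a magic-byte check that a blind fuzzer never passes, and a Good-Turing singleton estimate gives the residual risk that an unseen path remains. The target, the seed input and the hit counts are constructed.

```python
import random

def target(data: bytes) -> str:
    """Constructed toy parser; returns the id of the path the input takes."""
    if len(data) < 5:
        return "short"
    if data[:4] != b"FUZZ":        # magic-byte check a blind fuzzer rarely passes
        return "bad_magic"
    if data[4] == 0x7F:
        return "deep"              # the hard-to-reach fragment behind the magic
    return "ok"

def harvest_constants(fn) -> list:
    """Stand-in for constant propagation: literals the target compares against,
    taken here from the function's bytecode constants (hypothetical shortcut)."""
    consts = fn.__code__.co_consts
    tokens = {c for c in consts if isinstance(c, bytes)}
    tokens |= {bytes([c]) for c in consts
               if isinstance(c, int) and not isinstance(c, bool) and 0 <= c < 256}
    return sorted(tokens)

def fuzz(iters: int, dictionary: list, seed: int = 1) -> dict:
    """Coverage-guided mutational fuzzing loop; returns path -> hit count."""
    rng = random.Random(seed)
    corpus = [b"\x00" * 8]                   # constructed initial seed input
    hits = {}
    for _ in range(iters):
        data = bytearray(rng.choice(corpus))
        pos = rng.randrange(len(data))
        if dictionary and rng.random() < 0.5:
            tok = rng.choice(dictionary)     # splice in a harvested constant
            data[pos:pos + len(tok)] = tok
        else:
            data[pos] = rng.randrange(256)   # plain random byte mutation
        path = target(bytes(data))
        if path not in hits:
            corpus.append(bytes(data))       # keep inputs that found a new path
        hits[path] = hits.get(path, 0) + 1
    return hits

def residual_risk(hits: dict) -> float:
    """Good-Turing estimate of the chance that the next input takes an unseen
    path: paths observed exactly once over all inputs (zero: no singletons)."""
    n = sum(hits.values())
    return sum(1 for c in hits.values() if c == 1) / n if n else 1.0

if __name__ == "__main__":
    for name, dictionary in [("blind", []), ("guided", harvest_constants(target))]:
        hits = fuzz(5000, dictionary)
        print(name, hits, "residual risk:", residual_risk(hits))
```

The blind run reports a residual risk of zero while being stuck in front of the magic check, which is exactly the caveat of a singleton-based estimate: it speaks only about paths the fuzzer has already been able to reach.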


Notes

  1. https://heartbleed.com/

  2. It has a CVSS score of 7.5 out of 10, cf. Common Vulnerability Scoring System, https://nvd.nist.gov/vuln-metrics/cvss

  3. A collection of vulnerabilities discovered by the AFL fuzzer can be found under https://github.com/mrash/afl-cve

  4. CVE-2014-0160

  5. The snippet is taken from the official OpenSSL GitHub repository https://github.com/openssl/openssl/blob/OpenSSL_1_0_1f/ssl/t1_lib.c.

  6. https://github.com/secure-software-engineering/phasar

  7. https://llvm.org/

  8. Currently, only the specified function is tested. In the later course of the project, the calling functions will also be taken into account to decide whether a vulnerability can be exploited or not.

  9. We use here the Z3 Java bindings provided by Z3 itself.

  10. In LLVM-14, typed pointers have been deprecated, and they will be removed in LLVM-15 https://llvm.org/docs/OpaquePointers.html.

  11. C library function that copies n characters from one memory area to another.

  12. https://clang.llvm.org/docs/AddressSanitizer.html

  13. More general out-of-bounds access

  14. https://clang.llvm.org/docs/MemorySanitizer.html

  15. https://github.com/google/AFL

  16. https://github.com/aflgo/aflgo

  17. Since the measurement was stopped when the bug was triggered

  18. Zero means there is currently no execution path that has been observed only once.


Acknowledgements

This work was supported by the Fraunhofer Internal Programs under Grant No. PREPARE 840 231.

Author information

Correspondence to Martin A. Schneider.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this chapter

Barakat, R., Blanckenburg, J.v., Kraus, R., Jezuita, F., Lüdtke, S., Schneider, M.A. (2024). Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_6

  • DOI: https://doi.org/10.1007/978-3-031-42212-6_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42211-9

  • Online ISBN: 978-3-031-42212-6
