Team for Research in
Ubiquitous Secure Technology

MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery
Chia Yuan Cho, Domagoj Babic, Pongsin Poosankam, Kevin Zhijie Chen, Edward Xuejun Wu, Dawn Song

Citation
Chia Yuan Cho, Domagoj Babic, Pongsin Poosankam, Kevin Zhijie Chen, Edward Xuejun Wu, Dawn Song. "MACE: Model-inference-Assisted Concolic Exploration for Protocol and Vulnerability Discovery". Proceedings of the 20th USENIX conference on Security (SEC 11), Usenix, 2011.

Abstract
Program state-space exploration is central to software security, testing, and verification. In this paper, we propose a novel technique for state-space exploration of software that maintains an ongoing interaction with its environment. Our technique uses a combination of symbolic and concrete execution to build an abstract model of the analyzed application, in the form of a finite-state automaton, and uses the model to guide further state-space exploration. Through exploration, MACE further refines the abstract model. Using the abstract model as a scaffold, our technique wields more control over the search process. In particular: (1) shifting search to different parts of the search-space becomes easier, resulting in higher code coverage, and (2) the search is less likely to get stuck in small local state-subspaces (e.g., loops) irrelevant to the application’s interaction with the environment. Preliminary experimental results show significant increases in the code coverage and exploration depth. Further, our approach found a number of new deep vulnerabilities.
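To make the idea in the abstract concrete, here is an added toy illustration (example code written for this page, not MACE's implementation and not code from the authors). An L*-style observation-table learner stands in for the model-inference component, a hand-written message abstraction (`ALPHABET`, assumed) replaces the one MACE derives from concolic execution, and a crude argument-mutation step (`MUTANTS`, assumed) replaces concolic exploration. The target `ToyServer` is constructed for the example; its deliberately unchecked FETCH index is only reachable after HELLO, a correct AUTH and SELECT. The learner's first hypothesis merges the good-password and bad-password states, a counterexample splits them (the refinement step the abstract mentions), and exploration seeded from each inferred state's access sequence reaches the crash that exploration from the initial state alone never does:

```python
import itertools

class ToyServer:
    """Constructed target, not a real protocol. States: 0 start, 1 greeted, 2 authenticated, 2b greeted
    with a wrong password (the server replies OK either way but remembers), 3/3b mailbox selected.
    FETCH works only in 3, where it indexes the mailbox unchecked: the deliberate deep bug."""
    MAILBOX = ["msg-a", "msg-b", "msg-c"]
    NEXT = {("0", "HELLO"): "1", ("1", "AUTH"): "2", ("2", "SELECT"): "3", ("2b", "SELECT"): "3b"}

    def __init__(self):
        self.state = "0"

    def step(self, msg):
        verb, _, arg = msg.partition(" ")
        if verb == "QUIT":
            self.state = "0"
            return "BYE"
        if (self.state, verb) in self.NEXT:
            self.state = "2b" if verb == "AUTH" and arg != "secret" else self.NEXT[self.state, verb]
            return "OK"
        if self.state == "3" and verb == "FETCH":
            return "OK " + self.MAILBOX[int(arg)]  # IndexError / ValueError on a bad argument
        return "ERR bad sequence"

# Assumed abstraction: one canonical message per input symbol, replies abstracted to their first
# word (the paper derives its abstraction with the concolic execution component instead).
ALPHABET = {"HELLO": "HELLO", "AUTH_OK": "AUTH secret", "AUTH_BAD": "AUTH wrong",
            "SELECT": "SELECT inbox", "FETCH": "FETCH 0", "QUIT": "QUIT"}
MUTANTS = ["99999", "-1", "", "A" * 64]  # crude local search standing in for concolic exploration

def output_query(seq):  # reset the target, replay an abstract input sequence, return abstract replies
    srv = ToyServer()
    return tuple(srv.step(ALPHABET[sym]).split()[0] for sym in seq)

def simulate(init, delta, seq):  # replies of the hypothesis Mealy machine (init, delta) on seq
    q, outs = init, []
    for a in seq:
        q, o = delta[(q, a)]
        outs.append(o)
    return tuple(outs)

class MealyLearner:
    """Observation-table (L*-style) learner. S: access prefixes with pairwise distinct rows;
    E: distinguishing suffixes; row(s) = last reply of s+e for each e in E."""
    def __init__(self, alphabet, query):
        self.A, self.query = list(alphabet), query
        self.S, self.E = [()], [(a,) for a in self.A]

    def row(self, s):
        return tuple(self.query(s + e)[-1] for e in self.E)

    def close(self):  # every one-symbol extension of S must have a row already present in S
        rows, i = {self.row(s) for s in self.S}, 0
        while i < len(self.S):
            for a in self.A:
                if self.row(self.S[i] + (a,)) not in rows:
                    rows.add(self.row(self.S[i] + (a,)))
                    self.S.append(self.S[i] + (a,))
            i += 1

    def hypothesis(self):  # states = distinct rows; delta[(q, a)] = (next state, reply)
        ids = {self.row(s): i for i, s in enumerate(self.S)}
        delta = {(ids[self.row(s)], a): (ids[self.row(s + (a,))], self.query(s + (a,))[-1])
                 for s in self.S for a in self.A}
        return ids[self.row(())], delta, {ids[self.row(s)]: s for s in self.S}

    def learn(self, depth=5):  # close, hypothesise, refine on a counterexample of up to `depth` messages
        while True:
            self.close()
            init, delta, access = self.hypothesis()
            cex = next((seq for n in range(1, depth + 1) for seq in itertools.product(self.A, repeat=n)
                        if simulate(init, delta, seq) != self.query(seq)), None)
            if cex is None:
                return init, delta, access  # access: shortest known input sequence per model state
            for i in range(len(cex)):  # every suffix of the counterexample becomes a new column
                if cex[i:] not in self.E:
                    self.E.append(cex[i:])

def explore(access):  # replay each state's access sequence, then mutate every message argument there
    found = {}  # {(state, message): exception name} for the crashes found
    for q, prefix in access.items():
        for canon in ALPHABET.values():
            for m in MUTANTS:
                srv = ToyServer()
                for sym in prefix:
                    srv.step(ALPHABET[sym])
                msg = canon.split()[0] + " " + m
                try:
                    srv.step(msg)
                except (IndexError, ValueError) as exc:
                    found[(q, msg)] = type(exc).__name__
    return found

def demo():  # model-guided exploration (from every inferred state) vs. exploring from the start only
    init, delta, access = MealyLearner(ALPHABET, output_query).learn()
    return len(access), access, explore(access), explore({init: ()})

if __name__ == "__main__":
    print(demo())
```

Running the module (or calling `demo()`) yields the inferred state count, the access sequence per state, and the crashes found with and without the model: six states, and three crashes all in the state reached by HELLO, AUTH_OK, SELECT, against none from the start state. The exhaustive equivalence check up to five messages is affordable only because the toy alphabet has six symbols; on a real target that check is itself the expensive, approximate part, which is where the abstract's "ongoing interaction with its environment" and the refinement loop matter.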

Electronic downloads

  • Cho.pdf · application/pdf · 210 kbytes
Citation formats
  • BibTeX
    @inproceedings{ChoBabicPoosankamChenWuSong11_MACEModelinferenceAssistedConcolicExplorationForProtocol,
        author = {Chia Yuan Cho and Domagoj Babic and Pongsin
                  Poosankam and Kevin Zhijie Chen and Edward Xuejun
                  Wu and Dawn Song},
        title = {MACE: Model-inference-Assisted Concolic
                  Exploration for Protocol and Vulnerability
                  Discovery},
        booktitle = {Proceedings of the 20th USENIX conference on
                  Security (SEC 11)},
        organization = {Usenix},
        year = {2011},
        abstract = {Program state-space exploration is central to
                  software security, testing, and verification. In
                  this paper, we propose a novel technique for
                  state-space exploration of software that maintains
                  an ongoing interaction with its environment. Our
                  technique uses a combination of symbolic and
                  concrete execution to build an abstract model of
                  the analyzed application, in the form of a
                  finite-state automaton, and uses the model to
                  guide further state-space exploration. Through
                  exploration, MACE further refines the abstract
                  model. Using the abstract model as a scaffold, our
                  technique wields more control over the search
                  process. In particular: (1) shifting search to
                  different parts of the search-space becomes
                  easier, resulting in higher code coverage, and (2)
                  the search is less likely to get stuck in small
                  local state-subspaces (e.g., loops) irrelevant to
                  the application’s interaction with the
                  environment. Preliminary experimental results show
                  significant increases in the code coverage and
                  exploration depth. Further, our approach found a
                  number of new deep vulnerabilities.},
        URL = {http://www.truststc.org/pubs/854.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.