{"title":"Automatic vulnerability mining with abstract interpretation and static taint trace","authors":"Xiaocong Wang, Fei Yan, Fan He","doi":"10.1109/ICCIAUTOM.2011.6183972","DOIUrl":null,"url":null,"abstract":"With the expansion of software scale, effective approaches for automatic vulnerability mining have been in badly needed. This paper presents a novel approach which can generate test cases of high pertinence and reachability. Unlike standard fuzzing techniques which explore the test space blindly, our approach utilizes abstract interpretation based on intervals to locate the Frail-Points of program which may cause buffer over-flow in some special conditions and the technique of static taint trace to build mappings between the Frail-Points and program inputs. Moreover, acquire path constraints of each Frail-Point through symbolic execution. Finally, combine information of mappings and path constraints to propose a policy for guiding test case generation.","PeriodicalId":177039,"journal":{"name":"2011 2nd International Conference on Control, Instrumentation and Automation (ICCIA)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 2nd International Conference on Control, Instrumentation and Automation (ICCIA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCIAUTOM.2011.6183972","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
With the expansion of software scale, effective approaches for automatic vulnerability mining have become badly needed. This paper presents a novel approach that can generate test cases of high pertinence and reachability. Unlike standard fuzzing techniques, which explore the test space blindly, our approach uses interval-based abstract interpretation to locate the Frail-Points of a program, i.e. the locations that may cause a buffer overflow under certain conditions, and the technique of static taint trace to build mappings between the Frail-Points and the program inputs. Moreover, the path constraints of each Frail-Point are acquired through symbolic execution. Finally, the mapping information and the path constraints are combined to propose a policy for guiding test case generation.