Title: Detecting injection vulnerabilities in executable codes with concolic execution
Authors: Maryam Mouzarani, B. Sadeghiyan, M. Zolfaghari
Venue: 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS)
Publication date: 2017-11-01
DOI: 10.1109/ICSESS.2017.8342862 (https://doi.org/10.1109/ICSESS.2017.8342862)
Citations: 5
Abstract
Various methods have been suggested to date for detecting injection vulnerabilities in web-based applications. However, some injection vulnerabilities are not only web-based but also occur in stand-alone applications, i.e., SQL injection and OS command injection. Detecting the injection vulnerabilities in these applications is a challenge when their source code is not available. In this paper, we present a smart fuzzing method for detecting SQL injection and OS command injection vulnerabilities in the executable codes of stand-alone applications. Our fuzzer employs the concolic (concrete + symbolic) execution method to calculate symbolic path constraints for each executed path in the executable code of the target program. It also calculates vulnerability constraints for each executed path to determine what input data makes the intended vulnerabilities active in that path. The calculated constraints are used to generate new test data that traverse as many execution paths as possible and detect the vulnerabilities in each executed path. We have implemented the proposed smart fuzzer as a plug-in for the Valgrind framework. The implemented fuzzer is tested on different groups of test programs. The experiments demonstrate that our fuzzer detects the vulnerabilities in these programs accurately.