Conference Paper: Integrity: Finding integer errors by targeted fuzzing

Title: Integrity: Finding integer errors by targeted fuzzing
Authors: Rong, Yuyang; Chen, Peng; Chen, Hao
Keywords: Fuzzing; Integer errors; Software security
Issue Date: 2020
Citation: Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, 2020, v. 335, p. 360-380
Abstract: Integer arithmetic errors are a major source of software vulnerabilities. Since they rarely cause crashes, they are unlikely to be found by fuzzers without special techniques to trigger them. We design and implement Integrity, which finds integer errors using fuzzing. Our key contribution is that, by targeted instrumentation, we empower fuzzers with the ability to trigger integer errors. In our evaluation, Integrity found all the integer errors in the Juliet test suite with no false positives. On 9 popular open source programs, Integrity found a total of 174 true errors, including 8 crashes and 166 non-crashing errors. A major challenge during error review was how to determine if a non-crashing error was harmful. While solving this problem precisely is challenging because it depends on the semantics of the program, we propose two methods to find potentially harmful errors, based on the statistics of traces produced by the fuzzer and on comparing the output of independent implementations of the same algorithm. Our evaluation demonstrated that Integrity is effective in finding integer errors.
Persistent Identifier: http://hdl.handle.net/10722/346979
ISSN: 1867-8211
2023 SCImago Journal Rankings: 0.160

 

DC Field | Value | Language
dc.contributor.author | Rong, Yuyang | -
dc.contributor.author | Chen, Peng | -
dc.contributor.author | Chen, Hao | -
dc.date.accessioned | 2024-09-17T04:14:33Z | -
dc.date.available | 2024-09-17T04:14:33Z | -
dc.date.issued | 2020 | -
dc.identifier.citation | Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, 2020, v. 335, p. 360-380 | -
dc.identifier.issn | 1867-8211 | -
dc.identifier.uri | http://hdl.handle.net/10722/346979 | -
dc.description.abstract | Integer arithmetic errors are a major source of software vulnerabilities. Since they rarely cause crashes, they are unlikely to be found by fuzzers without special techniques to trigger them. We design and implement Integrity, which finds integer errors using fuzzing. Our key contribution is that, by targeted instrumentation, we empower fuzzers with the ability to trigger integer errors. In our evaluation, Integrity found all the integer errors in the Juliet test suite with no false positives. On 9 popular open source programs, Integrity found a total of 174 true errors, including 8 crashes and 166 non-crashing errors. A major challenge during error review was how to determine if a non-crashing error was harmful. While solving this problem precisely is challenging because it depends on the semantics of the program, we propose two methods to find potentially harmful errors, based on the statistics of traces produced by the fuzzer and on comparing the output of independent implementations of the same algorithm. Our evaluation demonstrated that Integrity is effective in finding integer errors. | -
dc.language | eng | -
dc.relation.ispartof | Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST | -
dc.subject | Fuzzing | -
dc.subject | Integer errors | -
dc.subject | Software security | -
dc.title | Integrity: Finding integer errors by targeted fuzzing | -
dc.type | Conference_Paper | -
dc.description.nature | link_to_subscribed_fulltext | -
dc.identifier.doi | 10.1007/978-3-030-63086-7_20 | -
dc.identifier.scopus | eid_2-s2.0-85098248915 | -
dc.identifier.volume | 335 | -
dc.identifier.spage | 360 | -
dc.identifier.epage | 380 | -
