Automated program testing tools typically try to explore, and cover, as much of a tested program as possible, while attempting to trigger and detect bugs. An alternative and complementary approach can be to first select a specific part of a program that may be subject to a specific class of bug, and then narrowly focus exploration towards program paths that could trigger such a bug. In this work, we introduce the BORG (Buffer Over-Read Guard), a testing tool that uses static and dynamic program analysis, taint propagation and symbolic execution to detect buffer overread bugs in real-world programs. BORG works by first selecting buffer accesses that could lead to an overread and then guiding symbolic execution towards those accesses along program paths that could actually lead to an overread. BORG operates on binaries and does not require source code. To demonstrate BORG’s effectiveness, we use it to detect overreads in six complex server applications and libraries, including lighttpd, FFmpeg and ClamAV.
@inproceedings{Neugschwandtner2015The_BORG, title = {{The BORG: Nanoprobing Binaries for Buffer Overreads}}, author = {Neugschwandtner, Matthias and Milani Comparetti, Paolo and Haller, Istvan and Bos, Herbert}, booktitle = {Proceedings of the 5th ACM Conference on Data and Application Security and Privacy}, series = {CODASPY}, month = {March}, year = {2015} }