{"id":4826,"date":"2024-05-17T15:08:58","date_gmt":"2024-05-17T22:08:58","guid":{"rendered":"https:\/\/objectsecurity.com\/?p=4826"},"modified":"2024-05-20T08:43:45","modified_gmt":"2024-05-20T15:43:45","slug":"finding_segfaults","status":"publish","type":"post","link":"https:\/\/objectsecurity.com\/finding_segfaults\/","title":{"rendered":"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches"},"content":{"rendered":"<p><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-1\"><p><strong>The blog post explores different approaches to finding segmentation faults in binary machine code. It compares static analysis, fuzzing, and concolic analysis. While static analyzers quickly scan code for potential issues, they often produce false positives. 
Fuzzers dynamically test program behavior with varied inputs but may take a long time and lack reliability. Concolic analyzers explore program behavior comprehensively, offering higher accuracy but requiring more resources. Experiments demonstrate the performance and limitations of each approach, with concolic analysis showing promise despite its resource intensity.<\/strong><\/p>\n<p>Segmentation faults (segfaults) are a common error that occurs when a program tries to access a restricted area of memory. Segfaults can occur for a wide variety of reasons: usage of uninitialized pointers, out-of-bounds memory accesses, memory leaks, buffer overflows, etc. Segfaults almost always result in unintended program behavior, crashes, and\/or security vulnerabilities. Most software developers can remember a time when their program resulted in a pesky segfault that was both difficult and time-consuming to track down and fix.<\/p>\n<p>Common methods to track down and eliminate segfaults typically rely on having a deep understanding of the target program\u2019s behavior. A programmer can use a debugger like GDB to reproduce the conditions needed to cause a segfault, and then fix said segfault in their source code. A programmer can also write a suite of automated tests that probe their software, ensuring no edge cases result in a segmentation fault.<\/p>\n<p>Even with these measures in place, segfaults still sometimes make their way into release builds of software. Users do not have the same knowledge about the software\u2019s behavior as its programmer does. The user doesn\u2019t know where in the program to look for a segfault. For this reason, I want to explore how to detect segmentation faults when you lack intimate knowledge about a program\u2019s behavior and design.<\/p>\n<h2>What approaches are possible?<\/h2>\n<p>Without intimate knowledge about a program, its implementation details are often obscure. 
A lack of documentation, source code, and other factors make it difficult for the uninformed to begin finding vulnerabilities. There exist a couple of kinds of automated tools which help address this problem. We will explore each of these tools, comparing how they function, their pros, their cons, and their performance. These tools consist of the following:<\/p>\n<ul>\n<li>Static Analyzers:\n<ul>\n<li>flawfinder (<a href=\"https:\/\/github.com\/david-a-wheeler\/flawfinder\">https:\/\/github.com\/david-a-wheeler\/flawfinder<\/a>)<\/li>\n<li>cwe_checker (<a href=\"https:\/\/github.com\/fkie-cad\/cwe_checker\">https:\/\/github.com\/fkie-cad\/cwe_checker<\/a>)<\/li>\n<li>cppcheck (<a href=\"https:\/\/github.com\/danmar\/cppcheck\">https:\/\/github.com\/danmar\/cppcheck<\/a>)<\/li>\n<\/ul>\n<\/li>\n<li>Fuzzers:\n<ul>\n<li>AFL++ (<a href=\"https:\/\/github.com\/AFLplusplus\/AFLplusplus\">https:\/\/github.com\/AFLplusplus\/AFLplusplus<\/a>)<\/li>\n<li>Radamsa (<a href=\"https:\/\/gitlab.com\/akihe\/radamsa\">https:\/\/gitlab.com\/akihe\/radamsa<\/a>)<\/li>\n<\/ul>\n<\/li>\n<li>Concolic Analyzers:\n<ul>\n<li>Weak Pointer Analysis (WPA)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Static analyzers assess both binary machine code and source code without executing the program under analysis. Often, these tools are used to enforce security, coding style, and other best practices. Static analyzers can help us find vulnerabilities by pointing out problematic code segments (either in binary or in source code). However, static analyzers are often considered \u201cnoisy\u201d: they will report anything and everything. This includes the vulnerabilities we are looking for, albeit buried among numerous false positives.<\/p>\n<p>Fuzzers allow you to inject semi-random data into a program to find bugs and security vulnerabilities. They do this by manipulating untrusted input until unintended program behavior occurs. 
When a fuzzer finds a vulnerability, you know exactly what input is needed to trigger the vulnerability. However, fuzzers are often limited by performance issues: they may run for days without finding the input needed to break an insecure program.<\/p>\n<p>Concolic analyzers utilize a combination of symbolic execution (treating program variables as manipulatable symbols) and concrete testing (testing on particular inputs). They trace the control flow of the target program, making notes of the input conditions needed to reach a certain state. Concolic analysis lets us explore the entirety of a program\u2019s potential behavior, including when\/where vulnerabilities may exist. However, concolic analyzers are quite resource-intensive. They must keep track of each potential program state within memory.<\/p>\n<h2>A Primer on Weak Pointer Analysis<\/h2>\n<p>Weak Pointer Analysis is a form of concolic analysis that focuses on evaluating the behavior of pointers under various simulated program conditions. Its aim is to detect memory pointers that can be manipulated by untrusted input to point outside of their intended boundaries. Such pointers can result in buffer overflows, segfaults, and other memory-related vulnerabilities.<\/p>\n<p>Weak Pointer Analysis improves upon pre-existing approaches to concolic analysis by accelerating performance and avoiding the state explosion problem. This is done using a Bounded Model Checker (BMC), which reduces the total number of program states necessary to explore before the analysis is considered complete. Unreachable states are avoided, as they do not reflect true instances of program behavior.<\/p>\n<p>Other resource-saving measures are implemented by Weak Pointer Analysis, including a round-robin\/sliding window mechanism for assessing program states and a state caching mechanism. 
For the purposes of this blog post, consider Weak Pointer Analysis as an enhanced form of concolic analysis that is tailored for our segfault-finding use-case. Weak Pointer Analysis will act as a stand-in for concolic analysis in general as we compare it to the other segfault-finding tools.<\/p>\n<p>To compare each of the tools, we have designed three experiments. The first experiment compares the accuracy of static analysis to concolic\/Weak Pointer Analysis. The second and third experiments compare the performance and runtime of fuzzing to concolic\/Weak Pointer Analysis.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-2 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-2\"><h2>Static Analysis: Fast, but Noisy<\/h2>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column 
fusion-builder-column-2 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-3\"><p>For the first experiment, we have written and compiled a set of programs that allow us to measure and compare the accuracy of <em>flawfinder, cwe_checker, cppcheck<\/em>, and WPA. Each binary program contains various function definitions, all of which use the <em><code>memcpy<\/code> <\/em>function. The <em><code>memcpy<\/code> <\/em>function is potentially dangerous because it can result in a buffer overflow\/segfault. This can occur if the memory in a large buffer is copied into a smaller buffer. If <em><code>memcpy<\/code> <\/em>is used properly, it will not result in a buffer overflow\/segfault. It is up to the developer to ensure proper usage of <em><code>memcpy<\/code><\/em>. Developer error, however, can easily result in a vulnerable usage of <em><code>memcpy<\/code><\/em>.<\/p>\n<p>The source code presented to the right illustrates one of these programs. In it, one function is unsafe and results in a segfault, while the other two are safe.<\/p>\n<p>In each sample binary program, all the functions except one are safe (they do not result in memory corruption via a buffer overflow). The size of each program is defined by the number of safe-to-use functions it defines. For example, size 10 indicates that the program contains 10 safe functions and 1 unsafe function (12 functions in total, when including <em><code>main()<\/code><\/em>). 
Each program calls all its defined functions in order, with the unsafe function being called last.<\/p>\n<p>Although each program has some number of potentially dangerous functions, they each only have a single use of <em><code>memcpy<\/code> <\/em>that can result in a vulnerability\/segfault. A surface-level analysis would be incapable of distinguishing between a safe use of <em><code>memcpy<\/code><\/em> and a dangerous use of <em><code>memcpy<\/code><\/em>.<\/p>\n<p>For each of these programs, we ran <em>flawfinder, cwe_checker, cppcheck<\/em>, and WPA on either the binary or source code representation of the file (depending on the kind of input required by the tool). We recorded runtimes, total reported vulnerabilities\/weaknesses, and accuracy rates. This data is summarized in the tables below.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-3 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-4\"><div class=\"hcb_wrap\">\n<pre class=\"prism line-numbers lang-c\" data-lang=\"C\"><code>\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n\r\nconst int LARGE = 131072;\r\nconst int SMALL = 4;\r\n\r\n\/\/ causes a heap overflow and segfault\r\nvoid heap_overflow() {\r\n    printf(\"Performing unsafe heap operation...\\n\");\r\n    char* src = (char*)malloc(sizeof(char) * LARGE);\r\n    char* dst = (char*)malloc(sizeof(char) 
* SMALL);\r\n    memcpy(dst, src, LARGE);\r\n    free(src);\r\n    free(dst);\r\n}\r\n\r\n\/\/ performs a heap safe operation\r\nvoid heap_safe_1() {\r\n    printf(\"Performing safe heap operation...\\n\");\r\n    char* src = (char*)malloc(sizeof(char) * SMALL);\r\n    char* dst = (char*)malloc(sizeof(char) * SMALL);\r\n    memcpy(dst, src, SMALL);\r\n    free(src);\r\n    free(dst);\r\n}\r\n\r\n\/\/ performs a heap safe operation\r\nvoid heap_safe_2() {\r\n    printf(\"Performing safe heap operation...\\n\");\r\n    char* src = (char*)malloc(sizeof(char) * SMALL);\r\n    char* dst = (char*)malloc(sizeof(char) * SMALL);\r\n    memcpy(dst, src, SMALL);\r\n    free(src);\r\n    free(dst);\r\n}\r\n\r\nint main() {\r\n    heap_safe_1();\r\n    heap_safe_2();\r\n    heap_overflow();\r\n}\r\n\r\n<\/code><\/pre>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-3 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-4 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper 
fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-right:0px;--awb-margin-left:0px;\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (# of functions)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Runtime (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Total Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Vulnerable Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Accuracy<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.031559<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">6<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">16.67%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.030592<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">11<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">9.09%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.034237<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">21<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">4.76%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.0363287<\/span><\/td>\n<td 
width=\"100\"><span style=\"font-size: small;\">51<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.96%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.044598<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">101<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.99%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.098342<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">501<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.20%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">721<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.12650418<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">722<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.14%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span>Table 1 \u2013 flawfinder Accuracy Results<\/span><\/p>\n<\/div>\n\n<div class=\"table-1\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (# of functions)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Runtime (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Total Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Vulnerable Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\"><em>Accuracy<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.0074203<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">9<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">22.22%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.009376<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">14<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">14.29%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.0119152<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">24<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">8.33%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.02241158<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">54<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">3.70%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.0396542<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">104<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.92%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td 
width=\"100\"><span style=\"font-size: small;\">0.261377<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">504<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.40%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">721<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.476597<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">725<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.28%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 3 \u2013 cppcheck Accuracy Results<\/p>\n<\/div>\n<\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-5 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\">\n<div class=\"table-1\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (# of functions)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Runtime (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Total Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Vulnerable Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\"><em>Accuracy<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">6.8047869<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">19<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10.53%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.09194<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">34<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">5.88%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.124346<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">64<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">3.13%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.5739443<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">154<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.30%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">8.4504086<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">304<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.66%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td 
width=\"100\"><span style=\"font-size: small;\">14.143265<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1504<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.13%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">721<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">17.14055538<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2167<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.09%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span>Table 2 \u2013 cwe_checker Accuracy Results<\/span><\/p>\n<\/div>\n\n<div class=\"table-1\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (# of functions)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Runtime (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Total Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Vulnerable Reported Items<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Accuracy<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">56.37603<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">63.9488<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">74.829524<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">89.03786<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">108.076774<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">292.4567799<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">721<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">312.5943696<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">100%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p 
style=\"text-align: center;\">Table 4 \u2013 Weak Pointers Accuracy Results<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-4 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-6 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-5\"><p>Accuracy is measured as the number of vulnerable reported items divided by the total number of reported items. You can think of this as a measure of the &#8220;noisiness&#8221; of each tool. 
Out of everything the tool reports, how much of it reflects a truly troublesome vulnerability?<\/p>\n<p>As an example of what the static analyzers output, consider the output shown on the right from flawfinder when run against the size 500 program.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-7 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"--awb-margin-top:30px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-1 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"624\" height=\"172\" title=\"Picture16\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=624%2C172&#038;ssl=1\" alt class=\"img-responsive wp-image-4874\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=200%2C55&amp;ssl=1 200w, 
https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=300%2C83&amp;ssl=1 300w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=400%2C110&amp;ssl=1 400w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=500%2C138&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?resize=600%2C165&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture16.png?fit=624%2C172&amp;ssl=1 624w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 624px\" \/><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-8 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-6\"><p><em>Flawfinder<\/em>, as well as each of the other static analyzers, reported all uses of <em><code>memcpy<\/code><\/em> as being unsafe, even though only one of them was truly unsafe. Some of the static analyzers also reported the same unsafe usage of <em><code>memcpy<\/code><\/em> twice, hence the <em>2<\/em> in some of the <em>Vulnerable Reported Items<\/em> columns in the tables above.<\/p>\n<p>This data implies that static analysis, both when using binary and source code as input, is rather noisy. Although static analysis tools are fast, they report anything and everything. 
This makes it quite difficult to distinguish what is valuable from what is unimportant. This is further illustrated in the diagram below:<\/p>\n<\/div><div class=\"fusion-image-element \" style=\"text-align:center;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-2 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"626\" height=\"447\" title=\"Picture17\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=626%2C447&#038;ssl=1\" alt class=\"img-responsive wp-image-4876\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=200%2C143&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=300%2C214&amp;ssl=1 300w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=400%2C286&amp;ssl=1 400w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=500%2C357&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?resize=600%2C428&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture17.png?fit=626%2C447&amp;ssl=1 626w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 626px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-7\"><h6 style=\"text-align: center;\"><em>Accuracy of Each Tool per Binary Size<\/em><\/h6>\n<\/div><\/div><\/div><div 
class=\"fusion-layout-column fusion_builder_column fusion-builder-column-9 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-8\"><p>No matter the size of the target program, concolic analysis only reported the single truly vulnerable usage of <em><code>memcpy<\/code> <\/em>that results in a segfault. This is shown in the output from the Weak Pointers analysis to the right, which indicates that the usage of <em><code>memcpy<\/code> <\/em>found at program address <em>0x1200 <\/em>is exploitable.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-10 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" 
style=\"--awb-margin-top:50px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-3 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"611\" height=\"45\" title=\"Picture18\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=611%2C45&#038;ssl=1\" alt class=\"img-responsive wp-image-4878\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=200%2C15&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=300%2C22&amp;ssl=1 300w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=400%2C29&amp;ssl=1 400w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=500%2C37&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?resize=600%2C44&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture18.png?fit=611%2C45&amp;ssl=1 611w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 611px\" \/><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-11 fusion_builder_column_1_1 1_1 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-9\"><p>Concolic analysis is capable of this because it models runtime behavior, whereas static analysis does not. This capability lets us differentiate the exploitable from the benign, ultimately resulting in the significantly higher accuracy rating shown in the data, albeit at the cost of analysis time.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-5 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-12 fusion_builder_column_1_1 1_1 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-10\"><h2>Blackbox Fuzzing: Sometimes Reliable<\/h2>\n<p>As demonstrated above, static analyzers often have low accuracy because they fail to account for runtime behavior. Fuzzers do not have this problem: they dynamically analyze a program\u2019s behavior at runtime by generating malformed inputs. However, fuzzers often have severe performance limitations. They must explore a wide variety of potential inputs before landing on one that results in unintended program behavior.<\/p>\n<p>We designed two experiments which compare the performance of fuzzing to concolic\/Weak Pointer Analysis. For each experiment, we compiled a set of target binary samples. The first set of binaries contains broad CFGs, whereas the second contains deep CFGs. We will explain what \u201cbroad\u201d and \u201cdeep\u201d mean in this context shortly. The first experiment uses the broad CFG binaries; the second experiment uses the deep CFG binaries.<\/p>\n<p><em>NOTE: A control-flow graph (CFG) is a representation of the flow of control within a program during its execution. Each node in the CFG represents a block of code in the program. Each edge represents a potential transfer of control\/branch.<\/em><\/p>\n<p>Every binary sample in both sets contains a single unsafe usage of <em><code>memcpy<\/code><\/em> that results in a segfault in one of the basic blocks of its CFG. 
What this means will become clearer below when we discuss the source code used to compile the samples.<\/p>\n<p>Each tool will be run against each binary. The time each tool takes to discover the vulnerable usage of <em><code>memcpy<\/code><\/em>\/vulnerability will be recorded. This will serve as a general measure of each tool\u2019s performance. It will also illustrate how differently shaped CFGs affect the performance of each tool.<\/p>\n<h3>Broad CFG<\/h3>\n<p>For this experiment, we are defining CFG breadth as the maximum number of edges which extend from a single node in the CFG. This is best understood visually:<\/p>\n<\/div><div class=\"fusion-image-element \" style=\"text-align:center;--awb-margin-bottom:20px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-4 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"822\" height=\"1024\" title=\"Picture19\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=822%2C1024&#038;ssl=1\" alt class=\"img-responsive wp-image-4879\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=200%2C249&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=241%2C300&amp;ssl=1 241w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=400%2C498&amp;ssl=1 400w, 
https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=500%2C623&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=600%2C748&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=700%2C872&amp;ssl=1 700w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=768%2C957&amp;ssl=1 768w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=800%2C997&amp;ssl=1 800w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=822%2C1024&amp;ssl=1 822w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=1200%2C1495&amp;ssl=1 1200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?resize=1233%2C1536&amp;ssl=1 1233w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture19.png?fit=1434%2C1787&amp;ssl=1 1434w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 822px\" \/><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-13 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-11\"><p>As is shown in the figure, most nodes have only one outward edge, whereas a single node has numerous outward edges. 
This CFG is considered to have a breadth of 10, as the single node with the maximum number of outward edges has 10 in total.<\/p>\n<p>An easy way to produce a very broad CFG is to write a function with a very long switch-case in C. Once compiled, a large switch-case statement results in at least one node with many outward edges.<\/p>\n<p>To this end, we generated various binaries of differing breadth sizes according to the definition of breadth given above. For each of these binaries, one of the cases in the switch statement results in a heap buffer overflow vulnerability\/segfault. When the binary follows this case, it will produce a buffer overflow, segmentation fault, and program crash. The specific case is randomized, and different for each program.<\/p>\n<p>The source code for a program with size 5 CFG breadth is shown to the right. For this binary, the input <em>3<\/em> results in a segfault.<\/p>\n<p>Each binary reads data from stdin before selecting the case to follow. This means that user input determines whether a segfault will occur. This makes these binaries prime candidates for fuzzing and concolic\/Weak Pointer analysis.<\/p>\n<p>For each program, we ran AFL++, Radamsa, and Weak Pointers until they each found a segmentation fault vulnerability. 
We recorded the results of this effort, which are summarized in the tables below.<\/p>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-14 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-12\"><div class=\"hcb_wrap\">\n<pre class=\"prism line-numbers lang-c\" data-lang=\"C\"><code>\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n\r\nconst int LARGE = 131072;\r\nconst int SMALL = 4;\r\n\r\n\/\/ causes a heap overflow and segfault\r\nvoid heap_overflow() {\r\n    printf(\"Performing unsafe heap operation...\\n\");\r\n    char* src = (char*)malloc(sizeof(char) * LARGE);\r\n    char* dst = (char*)malloc(sizeof(char) * SMALL);\r\n    memcpy(dst, src, LARGE);\r\n    free(src);\r\n    free(dst);\r\n}\r\n\r\nint main() {\r\n    char in_str[8];\r\n    fgets(in_str, 8, stdin);\r\n    switch(atoi(in_str)) {\r\n        case 1:\r\n            printf(\"1\");\r\n            break;\r\n        case 2:\r\n            printf(\"2\");\r\n            break;\r\n        case 3:\r\n            printf(\"3\");\r\n            heap_overflow();\r\n            break;\r\n        case 4:\r\n            printf(\"4\");\r\n            break;\r\n        case 5:\r\n            printf(\"5\");\r\n            break;\r\n    }\r\n}\r\n<\/code><\/pre>\n<\/div>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-6 
fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-15 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-top:0%;--awb-margin-right:0%;--awb-margin-bottom:0%;--awb-margin-left:0%;\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Breadth)<\/em><\/span><\/td>\n<td width=\"125\"><span style=\"font-size: small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"125\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.22705<\/span><\/td>\n<td width=\"100\"><span 
style=\"font-size: small;\">1.229158<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.539695<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.640244<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.228709<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.229786<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">4.550136<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.633169<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.42164056<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.050192<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">19.4467412<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">18.128518<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">112.776517<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">85.526875<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td 
width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">11.9792385<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">11.9792385<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">82.006280<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">82.006280<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 5 \u2013 AFL++ Broad Performance Results<\/p>\n<\/div>\n<\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-16 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-top:0%;--awb-margin-right:0%;--awb-margin-bottom:0%;--awb-margin-left:0%;\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Breadth)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.2211975<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.12884569<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.67807545<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.3554393<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.04569835<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.020627021<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">16.7256742<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">11.99373<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">13.124415<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.375611<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.6779618<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.110273<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td 
width=\"100\"><span style=\"font-size: small;\">653.57073388<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">353.841504<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">4819.5401723<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">4819.5401723<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">629.6727004<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">629.6727004<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 6 \u2013 Radamsa Broad Performance Results<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-7 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-17 fusion_builder_column_1_4 1_4 fusion-flex-column\" 
style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-18 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-top:0px;--awb-margin-right:0px;--awb-margin-bottom:0px;--awb-margin-left:0px;\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Breadth)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span 
style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">30.939618<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.4254662<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.5910989<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.461279<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">28.9873888<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">28.85682845<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.38255059<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.1132495<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.59618673<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">29.2723473<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">33.6372462<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">33.7710034<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.0504938<\/span><\/td>\n<td 
width=\"100\"><span style=\"font-size: small;\">31.0986369<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">38.09562659<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">38.09562659<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">52.149712324<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">52.149712324<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 7 \u2013 Weak Pointers Broad Performance Results<\/p>\n<\/div>\n<\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-19 fusion_builder_column_1_4 1_4 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-8 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div 
class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-20 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-13\"><p>For the most part, we ran the tools 10 times per binary to reduce the effect of randomness on the resulting data. You can see that we ran the tools only once for some of the larger binaries to save time.<\/p>\n<p>For the smaller program sizes, fuzzing performed better than concolic analysis. However, these performance differences begin to invert towards the larger sizes. This is especially true in the case of Radamsa, which took over an hour for the size 5,000 program.<\/p>\n<p>The times taken by the fuzzers also appear more spread out than those taken by concolic analysis. The standard deviation for the AFL++ mean times was 41.45 and for Radamsa the standard deviation was 1575.87. For Weak Pointers, the standard deviation was just 7.49. This is most likely because of the highly random nature of fuzzing. Fuzzing is closer in approximation to a random guess than it is to a programmatic approach like concolic analysis.<\/p>\n<p>Fuzzing is essentially an improved form of random guessing.\u00a0 Fuzzing does not guarantee that every branch of the CFG was explored. 
In fact, the performance of a fuzzer often has less to do with the shape\/size of the CFG than with the relationship between input and output. For example, Radamsa took only 0.046 seconds to find the segfault present in the size 20 program. This is faster than for the smaller size 5 and size 10 programs: why? It is because the input which causes the segfault in the size 20 program happens to be just the character <em>1<\/em>. The character <em>1<\/em> is much more likely to be guessed by a fuzzer than a more arbitrary sequence like <em>4243<\/em>. In fact, <em>4243<\/em> was the input required to segfault the size 5,000 program, which explains why Radamsa took so long to find it.<\/p>\n<p>For blackbox fuzzers, the size and shape of the program\u2019s CFG is somewhat meaningless. In the experiment, there is a positive correlation between CFG breadth and fuzzer runtime not because the CFG itself is any broader, but because bigger programs are more likely to contain a hard-to-guess sequence of bytes. 
For concolic analysis, the size and shape of the CFG matters much more, as that approach explores the CFG directly using symbolic execution.<\/p>\n<\/div><div class=\"fusion-image-element \" style=\"text-align:center;--awb-margin-top:20px;--awb-margin-bottom:20px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-5 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"626\" height=\"447\" title=\"Picture20\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=626%2C447&#038;ssl=1\" alt class=\"img-responsive wp-image-4887\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=200%2C143&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=300%2C214&amp;ssl=1 300w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=400%2C286&amp;ssl=1 400w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=500%2C357&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?resize=600%2C428&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture20.png?fit=626%2C447&amp;ssl=1 626w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 626px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-14\"><h6 style=\"text-align: center;\">Mean Runtime of Each Tool per Binary CFG Breadth 
Size<\/h6>\n<p>There is a notable difference in performance between AFL++ and Radamsa shown in the data. This is likely caused by multiple factors. For one, AFL++ makes use of parallelization. Additionally, the input mutation algorithms used by the two tools are different. In this case, AFL++\u2019s mutation algorithm seems to perform better, but this might not be true in every case.<\/p>\n<p>Both AFL++ and Radamsa ask for an example input to permutate when fuzzing. We supplied the value <em>123<\/em> for each. This certainly had a significant impact on the resulting performance data. With this configuration, input sequences similar to <em>123<\/em> are favored when fuzzing. If a target binary segfaults on an input dissimilar to <em>123<\/em>, the fuzzers have a much harder time finding it.<\/p>\n<h3>Deep CFG<\/h3>\n<p>The final experiment is quite like the previous, this time focusing on program CFG depth instead of breadth. Once again, this is best understood visually. Below to the left is an example of a \u201cdeep\u201d CFG:<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-9 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-21 fusion_builder_column_2_5 2_5 fusion-flex-column\" 
style=\"--awb-padding-right:-50px;--awb-bg-size:cover;--awb-width-large:40%;--awb-margin-top-large:0px;--awb-spacing-right-large:4.8%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:4.8%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"text-align:center;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-6 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"145\" height=\"1024\" title=\"Picture21\" src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture21.png?resize=145%2C1024&#038;ssl=1\" alt class=\"img-responsive wp-image-4889\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture21.png?resize=145%2C1024&amp;ssl=1 145w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture21.png?resize=200%2C1411&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture21.png?fit=265%2C1870&amp;ssl=1 265w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 145px\" \/><\/span><\/div><\/div><\/div><div class=\"fusion-layout-column 
fusion_builder_column fusion-builder-column-22 fusion_builder_column_3_5 3_5 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:60%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.2%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.2%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-15\"><p>An easy way to produce a binary with a very deep CFG is to write a function with a very long <em>if-else-if<\/em> statement in C. When compiled, a long <em>if-else-if<\/em> statement will produce at least one branch of the CFG that is very long. This branch corresponds to the conditions required to end up in the last <em>else-if<\/em> statement, after all other conditions were not met.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism line-numbers lang-c\" data-lang=\"C\"><code>\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;string.h&gt;\r\n\r\nconst int LARGE = 131072;\r\nconst int SMALL = 4;\r\n\r\n\/\/ causes a heap overflow and segfault: LARGE bytes are copied into a SMALL-byte buffer\r\nvoid heap_overflow() {\r\n    printf(\"Performing unsafe heap operation...\\n\");\r\n    char* src = (char*)malloc(sizeof(char) * LARGE);\r\n    char* dst = (char*)malloc(sizeof(char) * SMALL);\r\n    memcpy(dst, src, LARGE);\r\n    free(src);\r\n    free(dst);\r\n}\r\n\r\nint main() {\r\n    \/\/ read one line from stdin and strip the trailing newline\r\n    char in_str[8];\r\n    if(fgets(in_str, 8, stdin) == NULL) {\r\n        return 1;\r\n    }\r\n    in_str[strcspn(in_str, \"\\n\")] = '\\0';\r\n    \/\/ each else-if adds one level to the CFG depth; only input \"2\" reaches the overflow\r\n    if(strcmp(in_str, \"1\") == 0) {\r\n        printf(\"1\");\r\n    }\r\n    else if(strcmp(in_str, \"2\") == 0) {\r\n        printf(\"2\");\r\n        heap_overflow();\r\n    }\r\n    else if(strcmp(in_str, \"3\") == 0) {\r\n        printf(\"3\");\r\n    }\r\n    else if(strcmp(in_str, \"4\") == 0) {\r\n        printf(\"4\");\r\n    }\r\n    else if(strcmp(in_str, \"5\") == 0) {\r\n        printf(\"5\");\r\n    }\r\n    return 0;\r\n}\r\n<\/code><\/pre>\n<\/div>\n<\/div><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-23 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-16\"><p>We generated various binaries of differing CFG depths by compiling from source code with different sized <em>if-else-if<\/em> statements. These program samples are labeled according to the size of their <em>if-else-if<\/em> statements. For example, size 10 contains an <em>if-else-if<\/em> statement that is 10 <em>else-ifs<\/em> long, size 100 contains an <em>if-else-if<\/em> statement that is 100 <em>else-ifs<\/em> long, etc. The source code above defines a program of this nature with a CFG depth size of 5.<\/p>\n<p>Just like in the breadth experiment, a single, randomly selected block of this <em>if-else-if<\/em> statement will result in a heap overflow, segfault, and program crash. In the example above, this input is <em>2<\/em>. Each binary reads from stdin before selecting the <em>if-else-if<\/em> block to execute. 
User input determines whether a segfault occurs.<\/p>\n<p>For each binary program sample, we ran AFL++, Radamsa, and Weak Pointers until they each found a segmentation fault. We recorded the results of this effort, which are summarized in the tables below.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-10 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-sizes-top:0;--awb-border-sizes-bottom:0;--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-padding-right:0px;--awb-padding-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-24 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\">\n<div class=\"table-1\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Depth)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.229713<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.229758<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.9786429<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.9524197<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.7966087<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.366075<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.8744916<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1.551688<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.1974167<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">4.50936579<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">12.8920267<\/span><\/td>\n<td width=\"100\"><span 
style=\"font-size: small;\">10.11059761<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">17.2364633<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">7.702806949<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1069.2453219<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1069.2453219<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1195.153937<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1195.153937<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 8 \u2013 AFL++ Deep Performance Results<\/p>\n<\/div>\n<\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-25 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start 
fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-bottom:0px;\">\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Depth)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.33727478<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">0.33034837<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">12.111697<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10.371287<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">3.8423036<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">2.107616<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">3.00970213<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">3.0342566<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">16.722832<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\">7.03891468<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">232.0650088<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">170.8253835<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">20.4071374<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">19.534172<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">599.9072213<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">599.9072213<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1511.0234968<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1511.02349686<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 9 \u2013 Radamsa Deep Performance Results<\/p>\n<\/div>\n<\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-11 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-sizes-top:0;--awb-border-sizes-bottom:0;--awb-border-sizes-left:0;--awb-border-sizes-right:0;--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div 
class=\"fusion-builder-row fusion-row fusion-flex-align-items-center fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-26 fusion_builder_column_1_4 1_4 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-27 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-padding-top:0px;--awb-padding-right:0px;--awb-padding-bottom:0px;--awb-padding-left:0px;--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:3.84%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:3.84%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\" data-scroll-devices=\"small-visibility,medium-visibility,large-visibility\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\">\n<div class=\"table-1\" style=\"--awb-margin-top:0px;--awb-margin-bottom:0px;\"><center><\/center><\/p>\n<table class=\"center-table\">\n<tbody>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Size (CFG Depth)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\"><em>Mean Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Median Time to Find Segfault (sec)<\/em><\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\"><em>Number of Samples<\/em><\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.23626985<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.74081552<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.67405188<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.46334922<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">20<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.74081552<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">31.606569886<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">50<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">34.288318991<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">34.20289182<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">100<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">36.043357849<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">34.86434209<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">500<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: 
small;\">41.88138661<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">41.89520418<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">1000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">50.7756350517<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">50.51226115<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">10<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">5000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">152.95043087<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">152.95043087<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"100\"><span style=\"font-size: small;\">10000<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">227.660034418<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">227.660034418<\/span><\/td>\n<td width=\"100\"><span style=\"font-size: small;\">1<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\">Table 10 \u2013 Weak Pointers Deep Performance Results<\/p>\n<\/div>\n<\/div><\/div><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-28 fusion_builder_column_1_4 1_4 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:25%;--awb-margin-top-large:0px;--awb-spacing-right-large:7.68%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:7.68%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth 
fullwidth-box fusion-builder-row-12 fusion-flex-container has-pattern-background has-mask-background nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:1872px;margin-left: calc(-4% \/ 2 );margin-right: calc(-4% \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-29 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:1.92%;--awb-margin-bottom-large:20px;--awb-spacing-left-large:1.92%;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:1.92%;--awb-spacing-left-medium:1.92%;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:1.92%;--awb-spacing-left-small:1.92%;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-image-element \" style=\"text-align:center;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\" fusion-imageframe imageframe-none imageframe-7 hover-type-none\"><img data-recalc-dims=\"1\" decoding=\"async\" width=\"626\" height=\"447\" title=\"Picture22\" 
src=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=626%2C447&#038;ssl=1\" alt class=\"img-responsive wp-image-4894\" srcset=\"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=200%2C143&amp;ssl=1 200w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=300%2C214&amp;ssl=1 300w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=400%2C286&amp;ssl=1 400w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=500%2C357&amp;ssl=1 500w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?resize=600%2C428&amp;ssl=1 600w, https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/Picture22.png?fit=626%2C447&amp;ssl=1 626w\" sizes=\"(max-width: 1075px) 100vw, (max-width: 640px) 100vw, 626px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-17\"><h6 style=\"text-align: center;\">Mean Runtime of Each Tool per Binary CFG Depth Size<\/h6>\n<p>The fuzzers performed with much the same degree of randomness as in the breadth experiment. Once again, the CFG size\/shape has far less impact on the performance of the fuzzers than the relationship between input and output does. The larger binaries typically required more arbitrary byte sequences to trigger their segfaults. For example, the size 10,000 binary segfaults on input <em>8976<\/em>. Both Radamsa and AFL++ had quite a difficult time guessing this input, with both taking about 20 minutes.<\/p>\n<p>In the case of concolic analysis, CFG depth appears to have a more significant impact on performance than CFG breadth does. In the breadth experiment, the largest binary took only 22 seconds longer to analyze than the smallest. In the depth experiment, this difference was 196 seconds. 
More research is required to determine why this is the case, and if it applies in more general circumstances. In any case, concolic analysis seemed to handle the deeper sized CFGs in a more reasonable time than the fuzzers did.<\/p>\n<h2>Conclusion<\/h2>\n<p>Static analysis is a fast, but noisy approach to black box segfault detection. Static analysis typically can find segfaults, albeit in intermixed with a slew of false positives and unnoteworthy findings. Fuzzing addresses these accuracy concerns: when a segfault is found, you know exactly where it is and how to reproduce it. Fuzzing finds exactly what you want, without any noise.<\/p>\n<p>However, fuzzing can be extremely time consuming. It varies widely in terms of reliability. Sometimes it will find what you need in seconds. It might find what you need in days. Other times, it may find nothing at all.<\/p>\n<p>Although resource intensive, concolic\/weak pointer analysis offers unique benefits compared to the other approaches. Concolic\/weak pointer analysis is more reliable at exploring the potential states a binary program can be in. When the Weak Pointer analysis finishes its assessment,\u00a0 you can feel confident that most of what the target program is capable of has been explored. 
This is often not the case for fuzzing, where you are leaving vulnerability detection up to random chance.<\/p>\n<\/div><div style=\"text-align:center;\"><a class=\"fusion-button button-flat button-xlarge button-default fusion-button-default button-1 fusion-button-default-span fusion-button-default-type\" style=\"--button-border-radius-top-left:2px;--button-border-radius-top-right:2px;--button-border-radius-bottom-right:2px;--button-border-radius-bottom-left:2px;\" target=\"_self\" href=\"https:\/\/objectsecurity.com\/contact-us\/\"><span class=\"fusion-button-text\">Contact Us To Learn More<\/span><\/a><\/div><\/div><\/div><\/div><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":8,"featured_media":4903,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[90,89,34,87],"tags":[],"class_list":["post-4826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education","category-landingpage","category-reverse-engineering","category-tech"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches - ObjectSecurity<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/\"},\"author\":{\"name\":\"ObjectSecurity LLC\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/#\\\/schema\\\/person\\\/b95c5e028381014293b246279d5006bb\"},\"headline\":\"Finding Segmentation Faults in Binary Machine Code: 
Comparing Different Approaches\",\"datePublished\":\"2024-05-17T22:08:58+00:00\",\"dateModified\":\"2024-05-20T15:43:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/\"},\"wordCount\":27667,\"image\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/objectsecurity.com\\\/wp-content\\\/uploads\\\/2024\\\/05\\\/image1.png?fit=600%2C337&ssl=1\",\"articleSection\":[\"Education\",\"Landing Page\",\"Reverse Engineering\",\"Technical\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/\",\"url\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/\",\"name\":\"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches - ObjectSecurity\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/objectsecurity.com\\\/wp-content\\\/uploads\\\/2024\\\/05\\\/image1.png?fit=600%2C337&ssl=1\",\"datePublished\":\"2024-05-17T22:08:58+00:00\",\"dateModified\":\"2024-05-20T15:43:45+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/#\\\/schema\\\/person\\\/b95c5e028381014293b246279d5006bb\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/objectsecurity.com\\\/wp-content\\\/uploads\\\/2024\\\/05\\\/image1.png?fit=600%2C3
37&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/objectsecurity.com\\\/wp-content\\\/uploads\\\/2024\\\/05\\\/image1.png?fit=600%2C337&ssl=1\",\"width\":600,\"height\":337},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/finding_segfaults\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/objectsecurity.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/#website\",\"url\":\"https:\\\/\\\/objectsecurity.com\\\/\",\"name\":\"ObjectSecurity\",\"description\":\"OT\\\/ICS Asset Binary Vulnerability Analysis and Reporting\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/objectsecurity.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/objectsecurity.com\\\/#\\\/schema\\\/person\\\/b95c5e028381014293b246279d5006bb\",\"name\":\"ObjectSecurity LLC\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g\",\"caption\":\"ObjectSecurity LLC\"},\"description\":\"ObjectSecurity LLC is a leader in solving complex, evolving defense and industrial cybersecurity and supply chain risk challenges that threaten national security and production 
downtime.\",\"sameAs\":[\"https:\\\/\\\/objectsecurity.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches - ObjectSecurity","robots":{"index":"noindex","follow":"follow"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#article","isPartOf":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/"},"author":{"name":"ObjectSecurity LLC","@id":"https:\/\/objectsecurity.com\/#\/schema\/person\/b95c5e028381014293b246279d5006bb"},"headline":"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches","datePublished":"2024-05-17T22:08:58+00:00","dateModified":"2024-05-20T15:43:45+00:00","mainEntityOfPage":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/"},"wordCount":27667,"image":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/image1.png?fit=600%2C337&ssl=1","articleSection":["Education","Landing Page","Reverse Engineering","Technical"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/objectsecurity.com\/finding_segfaults\/","url":"https:\/\/objectsecurity.com\/finding_segfaults\/","name":"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches - 
ObjectSecurity","isPartOf":{"@id":"https:\/\/objectsecurity.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#primaryimage"},"image":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/image1.png?fit=600%2C337&ssl=1","datePublished":"2024-05-17T22:08:58+00:00","dateModified":"2024-05-20T15:43:45+00:00","author":{"@id":"https:\/\/objectsecurity.com\/#\/schema\/person\/b95c5e028381014293b246279d5006bb"},"breadcrumb":{"@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/objectsecurity.com\/finding_segfaults\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#primaryimage","url":"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/image1.png?fit=600%2C337&ssl=1","contentUrl":"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/image1.png?fit=600%2C337&ssl=1","width":600,"height":337},{"@type":"BreadcrumbList","@id":"https:\/\/objectsecurity.com\/finding_segfaults\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/objectsecurity.com\/"},{"@type":"ListItem","position":2,"name":"Finding Segmentation Faults in Binary Machine Code: Comparing Different Approaches"}]},{"@type":"WebSite","@id":"https:\/\/objectsecurity.com\/#website","url":"https:\/\/objectsecurity.com\/","name":"ObjectSecurity","description":"OT\/ICS Asset Binary Vulnerability Analysis and 
Reporting","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/objectsecurity.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/objectsecurity.com\/#\/schema\/person\/b95c5e028381014293b246279d5006bb","name":"ObjectSecurity LLC","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/be2a06226a4b21354a1205403b77c97bbc16034deb14ef458f64ac034957bf3a?s=96&d=mm&r=g","caption":"ObjectSecurity LLC"},"description":"ObjectSecurity LLC is a leader in solving complex, evolving defense and industrial cybersecurity and supply chain risk challenges that threaten national security and production 
downtime.","sameAs":["https:\/\/objectsecurity.com"]}]}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/objectsecurity.com\/wp-content\/uploads\/2024\/05\/image1.png?fit=600%2C337&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/posts\/4826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/comments?post=4826"}],"version-history":[{"count":72,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/posts\/4826\/revisions"}],"predecessor-version":[{"id":4916,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/posts\/4826\/revisions\/4916"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/media\/4903"}],"wp:attachment":[{"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/media?parent=4826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/categories?post=4826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/objectsecurity.com\/wp-json\/wp\/v2\/tags?post=4826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}