The manual vulnerability research algorithm is described in the book “Exploiting Software: How to Break Code” by Greg Hoglund and Gary McGraw. First, a probable vulnerability point is localized. Then the researcher finds the vulnerable data set and the way user data can be carried to the target point. The manual algorithm is described in detail in that book. The general idea is that automatic vulnerability research takes the opposite approach. In manual research the researcher can rely on their own experience to make decisions. An automatic system cannot work the same way, but it has its own advantages: speed and performance. A so-called “fuzzer”, the program that generates and runs the tests, tries to localize the vulnerable point by covering as much of the target code as possible with as large a data set as possible. This is why this kind of testing is called “brute force”. Thus the fuzzing point should make it possible to carry data into the main part of the software, and an automatic vulnerability research technique must take this aspect into account. This work introduces a technique based on the functional abilities of MaiWay (http://ufoctf.ru/ufoblog/maiway), an automatic vulnerability research system.
The technique consists of the following stages:
Select target. The researcher chooses the application under test and the executable module. This step reduces analysis overhead and helps to focus on the interesting piece of code.
Prior analysis. Collect information about the software structure (modules, functions, line blocks) and the relations between them. Some dataflow information is also collected.
Choose data injection point. The optimal data injection point is selected based on the information from the previous step, using potential coverage and function parameters.
Prepare tests. The tests inject data at the selected point.
Test execution. The prepared tests are executed in the target program's address space. Tests can interact with the software under test.
Results estimation. The testing results are fault information and coverage information. The fault information can be used in additional manual analysis; the coverage information is needed to estimate testing quality.
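The stages above leave open how the injection point is actually chosen from the prior-analysis data and how the coverage figure is derived from a run. The following is an added illustration, not code from MaiWay or from this paper: a constructed call graph of a hypothetical target module stands in for the structure collected during prior analysis, candidate injection points are ranked by how many functions are transitively reachable from them (potential coverage) with parameter count as a tie-breaker, and a constructed run record is summarized into the coverage ratio and fault list of the results-estimation stage. All function names and the run record are made up for the example.

```python
"""
Ranking candidate data-injection points and estimating a test run.

Added illustration (not MaiWay code): a tiny constructed call graph
plays the role of the prior-analysis data, and the results stage is
reduced to a coverage ratio plus the recorded faults.
"""
from collections import deque

# Constructed sample: call graph of a hypothetical target module.
# key = function name, value = (number of parameters, list of callees)
CALL_GRAPH = {
    "main":         (2, ["parse_header", "dispatch"]),
    "parse_header": (2, ["read_len", "copy_body"]),
    "read_len":     (1, []),
    "copy_body":    (3, ["memcpy_wrap"]),
    "memcpy_wrap":  (3, []),
    "dispatch":     (1, ["handle_a", "handle_b"]),
    "handle_a":     (1, ["copy_body"]),
    "handle_b":     (1, ["log_msg"]),
    "log_msg":      (1, []),
}


def reachable(graph, start):
    """Set of functions transitively reachable from `start` (inclusive)."""
    seen = {start}
    queue = deque([start])
    while queue:
        fn = queue.popleft()
        for callee in graph[fn][1]:
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def rank_injection_points(graph, candidates):
    """Rank candidates: larger potential coverage first, then more
    parameters (more data the tests can control), then by name.
    Returns a list of (function, potential_coverage, parameter_count)."""
    scored = [(fn, len(reachable(graph, fn)), graph[fn][0]) for fn in candidates]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return scored


def coverage_ratio(graph, executed):
    """Fraction of the module's functions hit during test execution."""
    return len(set(executed) & set(graph)) / len(graph)


# Constructed result record of one test run: functions reached and faults seen.
SAMPLE_RUN = {
    "executed": ["parse_header", "read_len", "copy_body", "memcpy_wrap"],
    "faults": [{"test_id": 17, "function": "memcpy_wrap", "kind": "access violation"}],
}


def summarize_run(graph, run):
    """Results-estimation stage: coverage for quality, faults for manual follow-up."""
    return {
        "coverage": coverage_ratio(graph, run["executed"]),
        "fault_count": len(run["faults"]),
        "faulting_functions": sorted({f["function"] for f in run["faults"]}),
    }


if __name__ == "__main__":
    candidates = ["parse_header", "dispatch", "copy_body", "log_msg"]
    for fn, cov, params in rank_injection_points(CALL_GRAPH, candidates):
        print(f"{fn:13s} potential coverage={cov} params={params}")
    print(summarize_run(CALL_GRAPH, SAMPLE_RUN))
```

With the constructed graph, `dispatch` ranks first (six functions reachable) even though it has a single parameter, and the sample run reaches four of nine functions, which is the figure a practitioner would compare against the potential coverage of the chosen point to judge whether the test set is exercising the code it was meant to.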
This technique is oriented toward automatic vulnerability research and, in contrast to the manual technique, its steps proceed from research of the input data to the search for the probably vulnerable point.