Finding vulnerabilities using automatic test generation
Independent thesis Basic level (degree of Bachelor), 10 credits / 15 HE creditsStudent thesis
Software bugs are still present in modern software, and they are a major concern for every user, specially security related bugs. Classical approaches for bug detection fall short to uncover some of them, as it has been proved on several occasions when a hidden bug has been used to compromise the security of many systems. In this report an approach for automatic bug detection is presented and analysed. Using KLEE, a tool that can explore all the possible paths in a piece of code, bugs can be discovered. As an example for bug detection in a security software, the Heartbleed bug that affected the OpenSSL library is analysed. The behaviour of this bug is explained here, and KLEE is used to expose this bug. If this worked, it would be useful for developers in order to prevent dangerous bugs from staying undetected.
The results show that the tool is not ready to be used in real software due to its limitations. However, despite the difficulties these limitations pose, KLEE proves to be useful in a controlled scenario. As long as the software is kept simple, the tool can be used toeffectively execute all the code. With some improvements, it could be a major step for a future without bugs.
Place, publisher, year, edition, pages
IT, 14 044
Engineering and Technology
IdentifiersURN: urn:nbn:se:uu:diva-229586OAI: oai:DiVA.org:uu-229586DiVA: diva2:737077
Victor, BjörnGämo, Olle