Automated Exploitability Reasoning

Period of Performance: 01/01/2015 - 12/31/2015

$150K

Phase 1 SBIR

Recipient Firm

Grammatech, Inc.
531 Esty Street
Ithaca, NY 14850
Principal Investigator

Abstract

Fuzzing techniques will often produce a large enough number of crashing inputs for the program under test that it is important to prioritize them in terms of impact; one natural axis of a bug's impact is whether it can be used in a security exploit. Determining whether a crash is exploitable, however, is a complex and multi-layered problem. GrammaTech proposes the Chase project, a tool suite for automatically triaging crashes reported in a program according to the degree to which a crash appears indicative of an exploitable security vulnerability. In the long term, Chase will combine information about the crash itself, analyses to determine which data values are particularly important, computations of how much influence the attacker has over those important values (i.e., "channel capacity"), fault localization techniques, static analysis for "proving" unexploitability, taint analysis, automatic exploit generation, and domain-specific knowledge about exploitability. Chase will analyze a stripped binary in the context of a particular crashing input, compute or record the above information, and produce an estimate of the likelihood that the bug is exploitable. Users of Chase can use the results to help prioritize which crashes deserve particular attention.