iwconfig utility from the Wireless Tools package, a program consisting of about 3400 lines of C source code.
iwconfig has a classic strcpy buffer overflow vulnerability in the get_info function (line 15), and our system goes through the following analysis steps:
iwconfig using symbolic arguments (argv) as the input sources.
main → print_info → get_info, AEG reaches line 15, where it detects an out-of-bounds memory error on the variable ifr.ifr_name. AEG solves the current path constraints and generates a concrete input that will trigger the detected bug.
iwconfig binary using the concrete input generated in step 2. It extracts runtime information about the memory layout, such as the address of the overflowed buffer (ifr.ifr_name) and the address of the return address of the vulnerable function (
ifr.ifr_name) must contain our shellcode, and 2) the overwritten return address must contain the address of the shellcode. Next, AEG appends the generated constraints to the path constraints and queries a constraint solver for a satisfying answer.
max that should be provided to the program. AEG determines max by searching for the largest statically allocated buffers of the target program.
input buffer contains 42 symbolic bytes. Lines 3-4 represent a tight symbolic loop that will eventually spawn 42 different interpreters with traditional symbolic execution, each one having a different path predicate. Each path predicate will describe a different condition about the string length of the symbolic