An analysis on secure coding using symbolic execution engine

Abstract

Business' dependency on a software or computer program is getting higher. In such an environment, eliminating security vulnerabilities have become increasingly important and difficult as programs are more complicated and have greater impacts on businesses. We analyzed the security vulnerabilities of code using a symbolic execution engine that tracks data which would kill or might make the program vulnerable. We also present smart fuzzing using the data from the symbolic execution engine, an effective software vulnerability-finding testing that automatically generates inputs that crash or penetrate the program. By using symbolic execution engine, we can produce the automatically-generated data that are strong against vulnerability issues. In the case when program verification tools fail to verify a program, either the program is buggy or the report is a false alarm. In this case, the burden is put on users in manually classifying the report, which is a time-consuming, error-prone task and it does not utilize facts already proven by the analysis. We present a new technique for assisting users in classifying error reports. Our technique computes small, relevant queries presented to a user, which capture exact information that the analysis misses to either discharge or validate the error. In this paper, a methodology proper to detecting the security vulnerability is suggested by engrafting the symbol-based engine into the secure coding. Also, its effect was verified through the security vulnerability inspection test using the suggested symbolic execution engine. A notion of symbolically executing the program has been presented, which is closely related to the normal notion of program execution. It offers the advantage that one symbolic execution may represent a large, usually infinite, class of normal executions. This can be used for great advantages in the program inspecting and debugging.