{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:50:22Z","timestamp":1750308622347,"version":"3.41.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2011,9,1]],"date-time":"2011-09-01T00:00:00Z","timestamp":1314835200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61003216"],"award-info":[{"award-number":["61003216"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2011,9]]},"abstract":"<jats:p>Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective when most generated inputs are rejected early in the program's execution, especially when target programs employ checksum mechanisms to verify the integrity of inputs. This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to address this problem. TaintScope has several novel features: (1) TaintScope is a checksum-aware fuzzing tool. It can identify checksum fields in inputs, accurately locate checksum-based integrity checks by using branch profiling techniques, and bypass such checks via control-flow alteration. Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level. 
Based on fine-grained dynamic taint tracing, TaintScope identifies the \u201chot bytes\u201d in a well-formed input that are used in security-sensitive operations (e.g., invoking system\/library calls), and then focuses on modifying such bytes with random or boundary values. (3) TaintScope is also a symbolic-execution-based fuzzing tool. It can symbolically evaluate a trace, reason about all possible values that can execute the trace, and then detect potential vulnerabilities on the trace.<\/jats:p>\n          <jats:p>We evaluate TaintScope on a number of large real-world applications. Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing. TaintScope has already found 30 previously unknown vulnerabilities in several widely used applications, including Adobe Acrobat, Flash Player, Google Picasa, and Microsoft Paint. Most of these severe vulnerabilities have been confirmed by Secunia and oCERT, and assigned CVE identifiers (such as CVE-2009-1882, CVE-2009-2688). 
Vendor patches have been released or are in preparation based on our reports.<\/jats:p>","DOI":"10.1145\/2019599.2019600","type":"journal-article","created":{"date-parts":[[2011,10,4]],"date-time":"2011-10-04T13:24:18Z","timestamp":1317734658000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":21,"title":["Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution"],"prefix":"10.1145","volume":"14","author":[{"given":"Tielei","family":"Wang","sequence":"first","affiliation":[{"name":"Peking University"}]},{"given":"Tao","family":"Wei","sequence":"additional","affiliation":[{"name":"Peking University"}]},{"given":"Guofei","family":"Gu","sequence":"additional","affiliation":[{"name":"Texas A&M University"}]},{"given":"Wei","family":"Zou","sequence":"additional","affiliation":[{"name":"Peking University"}]}],"member":"320","published-online":{"date-parts":[[2011,9]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1749608.1749612"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/11836810_25"},{"volume-title":"PNG Specification. RFC","year":"1997","author":"Boutell T.","key":"e_1_2_1_3_1"},{"volume-title":"Bitscope: Automatically dissecting malicious binaries. Tech. rep. 
CMU-CS-07-133","year":"2007","author":"Brumley D.","key":"e_1_2_1_4_1"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2007.17"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.17"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315286"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653737"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866354"},{"volume-title":"Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201908)","author":"Cadar C.","key":"e_1_2_1_10_1"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455518.1455522"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572301"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.14"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.50"},{"volume-title":"Proceedings of 16th USENIX Security Symposium (SS\u201907)","author":"Cui W.","key":"e_1_2_1_17_1"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455820"},{"volume-title":"RFC","year":"1950","author":"Deutsch P.","key":"e_1_2_1_19_1"},{"volume-title":"Proceedings of the 1st USENIX Workshop on Offensive Technologies (WOOT\u201907)","author":"Drewry W.","key":"e_1_2_1_20_1"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference (ATC\u201907)","author":"Egele 
M.","key":"e_1_2_1_21_1"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572288"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2009.5070546"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065036"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1375581.1375607"},{"volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium.","author":"Godefroid P.","key":"e_1_2_1_26_1"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.41"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1655148.1655151"},{"key":"e_1_2_1_29_1","doi-asserted-by":"crossref","unstructured":"Korn D. MacDonald J. Mogul J. and Vo K. 2002. The VCDIFF generic differencing and compression data format. RFC 3284 Internet Engineering Task Force.","DOI":"10.17487\/rfc3284"},{"volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium.","author":"Lin Z.","key":"e_1_2_1_30_1"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065034"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287708"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/96267.96279"},{"key":"e_1_2_1_34_1","unstructured":"MoBB. 2006. http:\/\/browserfun.blogspot.com."},{"key":"e_1_2_1_35_1","unstructured":"MoKB. 2006. Month of Kernel Bugs. http:\/\/projects.info-pull.com\/mokb\/."},
{"volume-title":"Proceedings of the 18th USENIX Security Symposium.","author":"Molnar D.","key":"e_1_2_1_36_1"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180444"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.55"},{"key":"e_1_2_1_41_1","doi-asserted-by":"crossref","unstructured":"Postel J. 1981. Internet protocol. RFC 791 Internet Engineering Task Force.","DOI":"10.17487\/rfc0791"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081706.1081750"},{"volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium.","author":"Sharif M.","key":"e_1_2_1_43_1"},{"edition":"4","volume-title":"Cryptography and Network Security","author":"Stallings W.","key":"e_1_2_1_44_1"},{"volume-title":"Fuzzing: Brute Force Vulnerability Discovery","year":"2007","author":"Sutton M.","key":"e_1_2_1_45_1"},{"volume-title":"Proceedings of the 16th Annual Network and Distributed System Security Symposium.","author":"Wang T.","key":"e_1_2_1_46_1"},{"volume-title":"Proceedings of the 14th European Conference on Research in Computer Security (ESORICS\u201909)","author":"Wang Z.","key":"e_1_2_1_47_1"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2007.203"},{"volume-title":"Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection (RAID\u201907)","author":"Wilhelm J.","key":"e_1_2_1_49_1"},{"volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS\u201908)","author":"Wondracek G.","key":"e_1_2_1_50_1"},{"volume-title":"Bunny-the-fuzzer: Instrumented c code security 
fuzzer","year":"2007","author":"Zalewski M.","key":"e_1_2_1_51_1"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2019599.2019600","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2019599.2019600","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T19:07:42Z","timestamp":1750273662000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2019599.2019600"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,9]]},"references-count":50,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2011,9]]}},"alternative-id":["10.1145\/2019599.2019600"],"URL":"https:\/\/doi.org\/10.1145\/2019599.2019600","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2011,9]]},"assertion":[{"value":"2010-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2011-04-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2011-09-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
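The drawback the abstract opens with (blind mutations rejected by an integrity check before any deeper code runs) and the checksum-fixing step it describes, as an added example in Python that is not code from the TaintScope paper or its authors. It models a PNG-style chunk parser that enforces CRC-32 (the PNG layout of length, type, data, CRC over type plus data, as in the PNG specification the paper cites), a blind byte-flipping mutator, and a checksum-aware mutator that edits only assumed "hot bytes" and then recomputes every CRC so the mutated input reaches the allocation arithmetic behind the check. Assumptions made here: IHDR width/height are taken as the hot bytes by hand rather than found by taint tracking, the checksum algorithm is known rather than located by branch profiling and repaired by symbolic execution as in the paper, and the sample image, boundary-value list, 32-bit size threshold and all function names are constructed for this example.

```python
"""Added example (not the TaintScope paper's code): checksum-aware mutation of
a PNG-style chunked input versus blind byte flipping.

Assumed for the demo: PNG chunk layout (length | type | data | CRC-32 over
type+data), IHDR width/height as the "hot bytes", the boundary-value list and
the 32-bit allocation-size threshold.
"""
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed hot bytes: width/height feed buffer-size arithmetic in a decoder.
HOT_BOUNDARY_VALUES = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk with a correct CRC-32 (the checksum-fixing step)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob: bytes) -> list:
    """Target-side integrity check: return [(type, data)] or raise ValueError.

    This is the early-stage check that discards almost every blind mutation.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("bad signature")
    off, chunks = len(PNG_SIGNATURE), []
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length = struct.unpack(">I", blob[off:off + 4])[0]
        ctype = blob[off + 4:off + 8]
        data = blob[off + 8:off + 8 + length]
        crc_off = off + 8 + length
        if len(data) != length or crc_off + 4 > len(blob):
            raise ValueError("truncated chunk")
        stored = struct.unpack(">I", blob[crc_off:crc_off + 4])[0]
        if stored != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, data))
        off = crc_off + 4
    return chunks


def image_buffer_size(blob: bytes) -> int:
    """Code behind the check: the security-sensitive allocation size.

    Only inputs that survive parse_chunks reach this arithmetic; in a C
    decoder width * height * 3 is where a 32-bit size would wrap.
    """
    chunks = dict(parse_chunks(blob))
    if b"IHDR" not in chunks or len(chunks[b"IHDR"]) < 8:
        raise ValueError("missing or short IHDR")
    width, height = struct.unpack(">II", chunks[b"IHDR"][:8])
    return width * height * 3


def sample_png() -> bytes:
    """Constructed well-formed seed input: a 1x1 8-bit RGB image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))


def mutate_blind(blob: bytes, rng: random.Random) -> bytes:
    """Traditional fuzzer: XOR one byte after the signature with a random mask.

    Whichever field is hit (length, type, data or CRC), the stored CRC no
    longer matches, so the parser rejects the input before deeper code runs.
    """
    out = bytearray(blob)
    i = rng.randrange(len(PNG_SIGNATURE), len(out))
    out[i] ^= rng.randrange(1, 256)
    return bytes(out)


def mutate_checksum_aware(blob: bytes, rng: random.Random) -> bytes:
    """Mutate only the hot bytes with boundary values, then repair every CRC."""
    rebuilt = PNG_SIGNATURE
    for ctype, data in parse_chunks(blob):
        if ctype == b"IHDR":
            w = rng.choice(HOT_BOUNDARY_VALUES)
            h = rng.choice(HOT_BOUNDARY_VALUES)
            data = struct.pack(">II", w, h) + data[8:]
        rebuilt += build_chunk(ctype, data)  # CRC recomputed over mutated data
    return rebuilt


def fuzz_campaign(mutator, iterations: int = 200, seed: int = 1) -> tuple:
    """Return (inputs passing the check, inputs reaching an oversized alloc)."""
    rng = random.Random(seed)
    seed_input = sample_png()
    passed = oversized = 0
    for _ in range(iterations):
        candidate = mutator(seed_input, rng)
        try:
            size = image_buffer_size(candidate)
        except ValueError:
            continue  # rejected at the integrity check; nothing deeper reached
        passed += 1
        if size > 0xFFFFFFFF:  # would wrap a 32-bit allocation size
            oversized += 1
    return passed, oversized


if __name__ == "__main__":
    for name, mutator in (("blind", mutate_blind),
                          ("checksum-aware", mutate_checksum_aware)):
        print("%-15s passed=%d oversized=%d" % ((name,) + fuzz_campaign(mutator)))
```

With the default 200 iterations the blind mutator gets no input past parse_chunks (every flip invalidates a CRC or truncates a chunk), while the checksum-aware mutator gets all 200 through and a large share of them into the oversized-allocation branch. The point to carry over from the paper is that, on a real binary, the three things this script takes as given (which bytes are hot, where the integrity check sits, and how to make the checksum field consistent again) are exactly what taint tracking, branch profiling and concrete-plus-symbolic execution have to recover.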