Dowser: a guided fuzzer to find buffer overflow vulnerabilities

semanticscholar (2013)

Abstract
Dowser is a 'guided' fuzzer that combines taint tracking, program analysis and symbolic execution to find buffer overflow vulnerabilities buried deep in the program's logic. Intuitively, a piece of code with convoluted pointer arithmetic instructions may be more prone to memory errors than straightforward array accesses. More importantly, the more complex the bugs and the more convoluted the pointer arithmetic, the harder they will be to find using existing techniques such as random fuzzing and static analysis. Dowser ranks pointer dereference instructions according to their complexity, and then uses symbolic execution to zoom in on the most interesting operations. Zooming in on individual operations allows Dowser to severely reduce the search space necessary to cover the application. Instead of traditional code coverage, the symbolic execution phase employs a novel search algorithm which aims to maximize pointer coverage: we steer the execution along branches that show more potential to manipulate the value of a pointer. As a result, Dowser finds deep bugs in real programs. Moreover, it does so significantly faster than other tools.