Hercules: Reproducing Crashes in Real-World Application Binaries

One of the core challenges in software testing, debugging, verification, and security is to comprehend software systems: to gain insight into program structure and semantics. Symbolic execution, one approach to gaining such insight, concisely captures program semantics as first-order logic formulae over symbolic program input and, as of today, provides a solid foundation for building efficient tools for software verification and analysis. This work pushes that frontier further by leveraging and enhancing symbolic-execution-based approaches to solve difficult problems in security, such as vulnerability detection and reproducing crashes in real-world application binaries.


Binary analysis is a well-investigated area in software engineering and security. Given real-world program binaries, generating test inputs that cause the binaries to crash is crucial. Generating crashing inputs has many applications, including off-line analysis of software prior to deployment and online analysis of software patches as they are applied. In this work, we present a method for generating inputs that reach a given “potentially crashing” location. Such potentially crashing locations can be found by a separate static analysis (or by gleaning crash reports submitted by internal or external users) and serve as the input to our method. The test input generated by our method serves as a witness of the crash. Our method is particularly suited to binaries of programs that take complex structured inputs. Experiments on real-life applications such as Adobe Reader and Windows Media Player demonstrate that our Hercules tool, built on the selective symbolic execution engine S2E, can generate crashing inputs within a few hours in cases where symbolic approaches (as embodied by S2E) or blackbox fuzzing approaches (as embodied by the commercial tool PeachFuzzer) failed.


Bibtex record

	Author = {Pham, Van-Thuan and Ng, Wei Boon and Rubinov, Konstantin and Roychoudhury, Abhik},
	Booktitle = {Proc. of 37th Int. Conf. on Software Engineering (ICSE)},
	Doi = {10.1109/ICSE.2015.99},
	Pages = {891--901},
	Title = {Hercules: Reproducing Crashes in Real-World Application Binaries},
	Year = {2015},
	Url = {http://dx.doi.org/10.1109/ICSE.2015.99}} 

Published and presented at the 37th IEEE/ACM International Conference on Software Engineering (ICSE 2015).