Extracting Models of Security-Sensitive Operations using String-Enhanced White-Box Exploration on Binaries

Models of security-sensitive code enable reasoning about the security implications of code. In this paper we present an approach for extracting models of security-sensitive operations directly from program binaries, which lets third-party analysts reason about a program when the source code is not available. Our approach is based on string-enhanced white-box exploration, a new technique that improves the effectiveness of current white-box exploration techniques on programs that use strings, by reasoning directly about string operations, rather than about the individual byte-level operations that comprise them. We implement our approach and use it to extract models of the closed-source content sniffing algorithms of two popular browsers: Internet Explorer 7 and Safari 3.1. We use the generated models to automatically find recently studied content-sniffing XSS attacks, and show the benefits of stringenhanced white-box exploration over current byte-level exploration techniques.