Unfortunately, coverage tools are generally more useful to the software developer
than to the vulnerability researcher. They can point out the fact that you have or
have not reached a particular section of code, but indicate nothing about the correctness
of that code. Further complicating matters, commercial coverage tools often integrate
into the compilation phase of program development. This is obviously a problem if you
are conducting black box analysis of a binary program, as you will not be in possession
of the original source code.
There are two principal cases in which code coverage tools can assist in exploit development.
One case arises when a researcher has located a vulnerability by some other means
and wishes to understand exactly how that vulnerability can be triggered by understanding
how data flows through the program. The second case is in conjunction with fuzzing
tools to understand what percentage of an application has been reached via generated
fuzzing inputs. In the second case, the fuzzing process can be tuned to attempt to reach
code that is not getting executed initially. Here the code coverage tool becomes an essential
feedback tool used to evaluate the effectiveness of the fuzzing effort.
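The second case above, coverage as a feedback signal that steers fuzzing toward unreached code, as an added example that is not from the book: a constructed toy target records which of its blocks run (standing in for the instrumentation a real coverage tool would insert), and a minimal mutation loop keeps only those inputs that reach a block nothing in the corpus reached before.

```python
import random

TOTAL_BLOCKS = 5  # instrumented blocks in the constructed target below

def target(data: bytes, hits: set) -> None:
    """Constructed toy parser; every block records its id in `hits`
    (standing in for the instrumentation a real coverage tool inserts)."""
    hits.add(0)
    if len(data) >= 4 and data[:2] == b"AB":
        hits.add(1)
        if data[2] == 0x7F:
            hits.add(2)
            if data[3] > 200:
                hits.add(3)  # deepest block: three conditions must hold
    else:
        hits.add(4)

def coverage_of(inputs):
    """Run every input; return (blocks hit, percentage of blocks reached)."""
    hits = set()
    for data in inputs:
        target(data, hits)
    return hits, 100.0 * len(hits) / TOTAL_BLOCKS

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Replace one byte at random (deliberately simple mutator)."""
    buf = bytearray(data or b"\x00")
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(seed: bytes, iterations: int, rng_seed: int = 1):
    """Coverage-guided loop: a mutant joins the corpus only if it reaches a
    block nothing in the corpus reached before. Returns (corpus, blocks hit)."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    covered, _ = coverage_of(corpus)
    for _ in range(iterations):
        mutant = mutate(rng.choice(corpus), rng)
        hits = set()
        target(mutant, hits)
        if hits - covered:  # new coverage: keep it and mutate from it later
            covered |= hits
            corpus.append(mutant)
    return corpus, covered

if __name__ == "__main__":
    corpus, covered = fuzz(b"ABzz", 20000)
    pct = 100.0 * len(covered) / TOTAL_BLOCKS
    print(f"kept {len(corpus)} inputs, reached {pct:.0f}% of blocks: {sorted(covered)}")
```

The seed alone reaches 40% of the blocks; because each kept mutant becomes a new base for further mutation, the loop climbs through the nested checks one condition at a time, which blind mutation of the original seed would almost never do.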