• Corpus ID: 18723765

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution

Author: Brian Pak
Random mutational fuzz testing (fuzzing) and symbolic execution are program testing techniques that have been gaining popularity in the security research community. […] Our current implementation supports programs with linear path predicates and can automatically generate preconditioned random inputs from a polytope model of the input space extracted from binaries. These preconditioned random inputs can then be used with any fuzzer. Experiments show that our implementation is efficient in both…

Discover deeper bugs with dynamic symbolic execution and coverage-based fuzz testing

A novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation to mitigate path explosion caused by dynamic symbolic execution in hybrid testing are introduced and a distance-based seed selection method to rearrange the seed queue of the fuzzer engine in order to achieve higher coverage is proposed.

Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach

Munch, an open-source framework implementing two hybrid techniques based on fuzzing and symbolic execution, is presented and empirically shows that overall, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone.

Compositional Fuzzing Aided by Targeted Symbolic Execution

It is shown that Wildfire, as a result of the increased coverage, finds more true-positives than baseline symbolic execution and fuzzing tools, as well as state-of-the-art coverage-guided tools, in only 10% of the analysis time taken by them.

A hybrid symbolic execution assisted fuzzing method

  • Li Zhang, V. Thing
  • Computer Science
    TENCON 2017 - 2017 IEEE Region 10 Conference
  • 2017
A new automated method for efficient detection of security vulnerabilities in binary programs that can effectively prevent the fuzzing guided exploration from converging to the less interesting but easy-to-fuzz branches.

Strong Optimistic Solving for Dynamic Symbolic Execution

This work proposes a strong optimistic solving method that eliminates irrelevant path predicate constraints for target branch inversion and separately handles symbolic branches that have nested control transfer instructions that pass control beyond the parent branch scope.

SAVIOR: Towards Bug-Driven Hybrid Testing

This work proposes SAVIOR, a new hybrid testing framework pioneering a bug-driven principle that outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage.

Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection

This study provides an overview of key concepts along with the taxonomy of existing hybrid fuzzing tools, problems, and solutions that have been developed in this sphere and includes evaluations of the proposed approaches and a number of suggestions for the development of Hybrid fuzzing in the future.

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

EBF, a technique that combines Bounded Model Checking and Gray-Box Fuzzing to find software vulnerabilities in concurrent programs, detects a data race in the open-source wolfMqtt library and reproduces known bugs in several other real-world programs, which demonstrates its effectiveness in finding vulnerabilities in real-world software.

Ffuzz: Towards full system high coverage fuzz testing on binary executables

Ffuzz is a hybrid automatic bug finding tool on top of fuzz testing and selective symbolic execution that targets full system software stack testing including both the user space and kernel space and proposes two key optimizations to improve the efficiency of full system testing.

Search-based Fuzzing

Search-based fuzzing is proposed, which is much more targeted than today’s fuzzers, yet significantly faster than symbolic execution techniques, and can achieve significantly more coverage than state-of-the-art tools for fuzzing and symbolic execution.

Automated Whitebox Fuzz Testing

This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for white box fuzzing of arbitrary file-reading Windows applications.

Random testing for security: blackbox vs. whitebox fuzzing

An overview of the recent work on whitebox fuzzing is presented, with an emphasis on the key algorithms and techniques needed to make this approach effective and scalable.

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing.

Grammar-based whitebox fuzzing

Results of the experiments show that grammar-based whitebox fuzzing explores deeper program paths and avoids dead-ends due to non-parsable inputs and increased coverage of the code generation module of the IE7 JavaScript interpreter from 53% to 81% while using three times fewer tests.

Unleashing Mayhem on Binary Code

This paper proposes two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.

EXE: Automatically Generating Inputs of Death

This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP.

Enhancing bug hunting using high-level symbolic simulation

This paper proposes an innovative methodology that reuses existing constrained-random testbenches for formal bug hunting, and presents several techniques to enhance RTL symbolic simulation, and integrates state-of-the-art word-level and Boolean-level verification techniques into a common framework called BugHunter.

Symbolic execution and program testing

A particular system called EFFIGY which provides symbolic execution for program testing and debugging is described, which interpretively executes programs written in a simple PL/I style programming language.

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs

A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs, and significantly beat the coverage of the developers' own hand-written test suite is presented.

CUTE: a concolic unit testing engine for C

A method to represent and track constraints that capture the behavior of a symbolic execution of a unit with memory graphs as inputs is developed and an efficient constraint solver is proposed to facilitate incremental generation of such test inputs.