Corpus ID: 18723765

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution

@inproceedings{Pak2012HybridFT,
  title={Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution},
  author={Brian Pak},
  year={2012}
}
Random mutational fuzz testing (fuzzing) and symbolic execution are program testing techniques that have been gaining popularity in the security research community. [...] Our current implementation supports programs with linear path predicates and can automatically generate preconditioned random inputs from a polytope model of the input space extracted from binaries. These preconditioned random inputs can then be used with any fuzzer. Experiments show that our implementation is efficient in both…
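The abstract's key step, as an added worked example that is not the thesis's own code: treat the linear path predicate recovered for a target branch as a polytope A·x ≤ b over the input fields and draw random inputs from inside it, so that every input a fuzzer then mutates already reaches the guarded code. The toy packet parser, its three-field layout, the hand-written constraint rows (which a symbolic-execution pass would extract from the binary in the real system), the seed point standing in for the solver's satisfying assignment, and the hit-and-run sampler used to walk the polytope are all assumptions of this example.

```python
"""Preconditioned random inputs from a linear path predicate (constructed example).

Once the path predicate guarding the code we want to fuzz is a conjunction of
linear constraints over the input fields, it describes a polytope A*x <= b.
We sample from inside that polytope instead of from the whole input space.
The target, its field layout and the constraint rows are made up for this demo.
"""
import random
import struct

N_FIELDS = 3
BOUNDS = (0, 65535)          # each field is an unsigned 16-bit integer (assumption)

def target(pkt: bytes) -> str:
    """Constructed target: three little-endian uint16 fields behind linear guards."""
    if len(pkt) != 2 * N_FIELDS:
        return "short"
    a, b, c = struct.unpack("<HHH", pkt)
    if a + b > 1000:
        return "reject:size"
    if c < 2 * a:
        return "reject:ordering"
    if a - b < 100:
        return "reject:margin"
    return "deep"            # the code region we want the fuzzer to work on

# Path predicate for "deep" as rows (coeffs, bound) meaning coeffs.x <= bound over
# x = (a, b, c). In the real system these rows come from symbolic execution.
PATH_PREDICATE = [
    ((1, 1, 0), 1000),       # a + b <= 1000
    ((2, 0, -1), 0),         # 2a - c <= 0    i.e. c >= 2a
    ((-1, 1, 0), -100),      # -a + b <= -100 i.e. a - b >= 100
]

def _box_rows(n, bounds):
    """Per-field range limits expressed as extra constraint rows."""
    lo, hi = bounds
    unit = lambda i, s: tuple(s if j == i else 0 for j in range(n))
    return [r for i in range(n) for r in ((unit(i, 1), hi), (unit(i, -1), -lo))]

def in_polytope(x, rows=PATH_PREDICATE, bounds=BOUNDS):
    """True if x satisfies every constraint row and the field ranges."""
    for coeffs, bound in rows + _box_rows(len(x), bounds):
        if sum(c * v for c, v in zip(coeffs, x)) > bound:
            return False
    return True

def hit_and_run(x0, rows=PATH_PREDICATE, bounds=BOUNDS, steps=20, rng=random):
    """Random walk inside the polytope from a feasible point x0.

    Each step picks a random direction, intersects the line through x with every
    constraint to get the feasible chord [tmin, tmax], and jumps to a uniform
    point on that chord (the standard hit-and-run sampler). x0 plays the role of
    the single satisfying assignment a constraint solver returns for the predicate.
    """
    assert in_polytope(x0, rows, bounds), "seed point must satisfy the predicate"
    all_rows = list(rows) + _box_rows(len(x0), bounds)
    x = [float(v) for v in x0]
    for _ in range(steps):
        d = [rng.gauss(0.0, 1.0) for _ in x]
        tmin, tmax = float("-inf"), float("inf")
        for coeffs, bound in all_rows:
            ad = sum(c * di for c, di in zip(coeffs, d))
            ax = sum(c * xi for c, xi in zip(coeffs, x))
            if abs(ad) < 1e-12:
                continue                     # direction parallel to this face
            t = (bound - ax) / ad            # where the line meets the face
            if ad > 0:
                tmax = min(tmax, t)
            else:
                tmin = max(tmin, t)
        t = rng.uniform(tmin, tmax)
        x = [xi + t * di for xi, di in zip(x, d)]
    return x

def preconditioned_inputs(seed_point, count, rng=random):
    """Produce `count` packets that all satisfy the path predicate."""
    out = []
    x = list(seed_point)
    while len(out) < count:
        cand = [int(round(v)) for v in hit_and_run(x, rng=rng)]
        if in_polytope(cand):                # rounding can step outside; retry
            out.append(struct.pack("<HHH", *cand))
            x = cand                         # continue the walk from here
    return out

def blind_inputs(count, rng=random):
    """Baseline: uniformly random 6-byte packets with no precondition."""
    return [bytes(rng.getrandbits(8) for _ in range(2 * N_FIELDS)) for _ in range(count)]

def deep_hits(inputs):
    """How many inputs reach the guarded code."""
    return sum(1 for pkt in inputs if target(pkt) == "deep")

def compare(count=2000, seed=1):
    """Reach counts for blind vs preconditioned inputs under the same budget."""
    rng = random.Random(seed)
    seed_point = (300, 100, 700)            # constructed solver witness for the predicate
    blind = deep_hits(blind_inputs(count, rng))
    precond = deep_hits(preconditioned_inputs(seed_point, count, rng))
    return blind, precond

if __name__ == "__main__":
    blind, precond = compare()
    print(f"blind: {blind}/2000 reach deep code; preconditioned: {precond}/2000")
```

Every packet from `preconditioned_inputs` reaches `deep`, whereas blind 6-byte packets almost never satisfy all three guards at once, so a mutational fuzzer seeded with the preconditioned set spends its budget past the guards. The walk stays inside the polytope by construction; the only rejection is the integer rounding at the end, which is cheap because the polytope is wide relative to one unit. This is where the thesis's "linear path predicates" restriction bites: a non-linear or hash-based guard has no polytope to sample from.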
Citations

Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach
Munch, an open-source framework implementing two hybrid techniques based on fuzzing and symbolic execution, is presented; empirically, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone.

Compositional Fuzzing Aided by Targeted Symbolic Execution
Wildfire, as a result of its increased coverage, finds more true positives than baseline symbolic execution and fuzzing tools, as well as state-of-the-art coverage-guided tools, in only 10% of the analysis time they take.

An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing
A gap analysis of research on hybrid techniques that improve both plain symbolic execution and fuzzing is performed, and new ideas for hybrid test-case generation techniques are proposed.

A hybrid symbolic execution assisted fuzzing method
  • L. Zhang, V. Thing
  • TENCON 2017 - 2017 IEEE Region 10 Conference, 2017
A new automated method for efficient detection of security vulnerabilities in binary programs is presented; it prevents fuzzing-guided exploration from converging on less interesting but easy-to-fuzz branches.

SAVIOR: Towards Bug-Driven Hybrid Testing
SAVIOR, a new hybrid testing framework, pioneers a bug-driven principle and outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage.

Ffuzz: Towards full system high coverage fuzz testing on binary executables
Ffuzz is a hybrid automatic bug-finding tool built on fuzz testing and selective symbolic execution; it targets full-system software-stack testing, covering both user space and kernel space, and proposes two key optimizations to improve the efficiency of full-system testing.

Driller: Augmenting Fuzzing Through Selective Symbolic Execution
Driller is a hybrid vulnerability excavation tool that leverages fuzzing and selective concolic execution in a complementary manner to find deeper bugs, mitigating the path explosion inherent in concolic analysis and the incompleteness of fuzzing.

HFL: Hybrid Fuzzing on the Linux Kernel
HFL not only combines fuzzing with symbolic execution for hybrid fuzzing but also addresses kernel-specific fuzzing challenges via three distinct features: 1) converting indirect control transfers to direct transfers, 2) inferring system call sequences to build a consistent system state, and 3) identifying the nested argument types of system calls.

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
QSYM is a fast concolic execution engine built to support hybrid fuzzing; it not only outperforms state-of-the-art fuzzers but also found 13 previously unknown security bugs in eight real-world programs, including Dropbox Lepton, ffmpeg, and OpenJPEG.

Learning Inputs in Greybox Fuzzing
This paper extends greybox fuzzing with a method for learning new inputs from already explored program executions; the learned inputs can guide exploration toward specific executions, for instance ones that increase path coverage or reveal vulnerabilities.

References

Showing 1-10 of 54 references
Automated Whitebox Fuzz Testing
An alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation is presented and implemented in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications.

Random testing for security: blackbox vs. whitebox fuzzing
An overview of recent work on whitebox fuzzing is presented, with an emphasis on the key algorithms and techniques needed to make the approach effective and scalable.

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing.

Grammar-based whitebox fuzzing
Experiments show that grammar-based whitebox fuzzing explores deeper program paths, avoids dead ends due to non-parsable inputs, and increased coverage of the code generation module of the IE7 JavaScript interpreter from 53% to 81% while using three times fewer tests.

Unleashing Mayhem on Binary Code
This paper proposes two novel techniques: 1) hybrid symbolic execution, combining online and offline (concolic) execution to maximize the benefits of both, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.

EXE: Automatically Generating Inputs of Death
EXE is an effective bug-finding tool that automatically generates inputs that crash real code by solving the current path constraints for concrete values with its own co-designed constraint solver, STP.

Enhancing bug hunting using high-level symbolic simulation
This paper proposes a methodology that reuses existing constrained-random testbenches for formal bug hunting, presents several techniques to enhance RTL symbolic simulation, and integrates state-of-the-art word-level and Boolean-level verification techniques into a common framework called BugHunter.

Symbolic execution and program testing
EFFIGY, a system that provides symbolic execution for program testing and debugging, is described; it interpretively executes programs written in a simple PL/I-style programming language.

A Smart Fuzzer for x86 Executables
This paper describes smart fuzzing, a new approach to identifying vulnerabilities in object code that restricts the input space using a preliminary static analysis of the program and then refines it by monitoring each execution.

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs
KLEE, a new symbolic execution tool, automatically generates tests that achieve high coverage on a diverse set of complex and environmentally intensive programs and significantly beats the coverage of the developers' own hand-written test suites.