Corpus ID: 18723765

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution

@inproceedings{Pak2012HybridFT,
  title={Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution},
  author={Brian Pak},
  year={2012},
  url={https://api.semanticscholar.org/CorpusID:18723765}
}
This thesis attempts to attain the best of both worlds by combining fuzzing with symbolic execution in a novel manner, called hybrid fuzzing. The approach supports programs with linear path predicates and can automatically generate preconditioned random inputs from a polytope model of the input space extracted from binaries.
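The generation step described in the abstract, shown as an added example that is not code from the thesis or from any tool cited on this page: a toy target with three nested linear checks stands in for the binary, the path predicate a symbolic executor would extract for its deepest branch is written down by hand as linear constraints over the input bytes, interval propagation shrinks the per-byte domains to a bounding box around that polytope, and rejection sampling inside the box produces random inputs that all satisfy the predicate. The target program, the constraint encoding, the bounding-box-plus-rejection sampling strategy and the hypothetical helper names are assumptions made for this illustration, not the thesis's own method.

```python
"""Preconditioned random input generation from a linear path predicate.

Added example, not code from Pak's thesis or any tool cited on this page.
The target, the hand-written constraints and the sampling strategy are
assumptions made for illustration.
"""
import random

BYTE_LO, BYTE_HI = 0, 255  # each input variable is one unsigned byte


def target(x):
    """Toy program with three nested linear checks on 4 input bytes.
    Returns the nesting depth reached (3 == the 'deep' code)."""
    a, b, c, d = x
    if a + b > 500:
        if c - d < 10:
            if c + 2 * d >= 600:
                return 3
            return 2
        return 1
    return 0


# Path predicate for depth 3. Each constraint is (coeffs, rhs) meaning
# sum(coeffs[i] * x[i]) <= rhs; strict inequalities over integers are
# rewritten, e.g. a + b > 500 becomes -a - b <= -501. Constructed by
# hand here; a symbolic executor would collect them from the branches.
PATH_PREDICATE = [
    ({0: -1, 1: -1}, -501),   # a + b > 500
    ({2: 1, 3: -1}, 9),       # c - d < 10
    ({2: -1, 3: -2}, -600),   # c + 2d >= 600
]


def satisfies(constraints, x):
    """True iff x lies inside the polytope described by constraints."""
    return all(sum(k * x[i] for i, k in coeffs.items()) <= rhs
               for coeffs, rhs in constraints)


def propagate_bounds(constraints, n_vars, lo0=BYTE_LO, hi0=BYTE_HI):
    """Interval constraint propagation: tighten each variable's [lo, hi]
    using every constraint until a fixpoint is reached. The result is
    the bounding box of the polytope (not the polytope itself).
    Raises ValueError if the predicate is infeasible over bytes."""
    lo, hi = [lo0] * n_vars, [hi0] * n_vars
    changed = True
    while changed:
        changed = False
        for coeffs, rhs in constraints:
            for i, k in coeffs.items():
                # Smallest value the other terms can take, so that
                # k * x[i] <= rhs - rest_min is the tightest bound.
                rest_min = sum(kj * (lo[j] if kj > 0 else hi[j])
                               for j, kj in coeffs.items() if j != i)
                slack = rhs - rest_min
                if k > 0:                      # x[i] <= floor(slack / k)
                    new_hi = slack // k
                    if new_hi < hi[i]:
                        hi[i], changed = new_hi, True
                else:                          # x[i] >= ceil(slack / k)
                    new_lo = -(slack // (-k))
                    if new_lo > lo[i]:
                        lo[i], changed = new_lo, True
                if lo[i] > hi[i]:
                    raise ValueError(f"infeasible on variable {i}")
    return lo, hi


def sample_preconditioned(constraints, n_vars, rng=None, max_tries=10_000):
    """Draw one random input that satisfies the path predicate: sample
    uniformly inside the bounding box and reject points outside the
    polytope. Returns None if max_tries draws all miss."""
    rng = rng or random.Random()
    lo, hi = propagate_bounds(constraints, n_vars)
    for _ in range(max_tries):
        x = [rng.randint(lo[i], hi[i]) for i in range(n_vars)]
        if satisfies(constraints, x):
            return x
    return None


def hit_rates(n_inputs, seed=1):
    """Compare blind random fuzzing with preconditioned random inputs:
    returns (blind_hits, preconditioned_hits), the number of the
    n_inputs inputs of each kind that reached depth 3 in `target`."""
    rng = random.Random(seed)
    blind = 0
    for _ in range(n_inputs):
        if target([rng.randint(BYTE_LO, BYTE_HI) for _ in range(4)]) == 3:
            blind += 1
    pre = 0
    for _ in range(n_inputs):
        x = sample_preconditioned(PATH_PREDICATE, 4, rng)
        if x is not None and target(x) == 3:
            pre += 1
    return blind, pre


if __name__ == "__main__":
    print("bounding box:", propagate_bounds(PATH_PREDICATE, 4))
    print("hits (blind, preconditioned) out of 2000:", hit_rates(2000))
```

Interval propagation only yields the bounding box; the rejection step is what enforces the polytope exactly. For a thin polytope in many dimensions the acceptance rate collapses, and a practitioner would replace rejection with an LP solver or a hit-and-run walk inside the polytope, which is the caveat to keep in mind when reading the "polytope model" claim in the abstract.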

Discover deeper bugs with dynamic symbolic execution and coverage-based fuzz testing

A novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation are introduced to mitigate the path explosion caused by dynamic symbolic execution in hybrid testing, and a distance-based seed selection method that rearranges the fuzzer engine's seed queue to achieve higher coverage is proposed.

Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach

Munch, an open-source framework implementing two hybrid techniques based on fuzzing and symbolic execution, is presented and empirically shows that overall, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone.

Compositional Fuzzing Aided by Targeted Symbolic Execution

It is shown that Wildfire, as a result of the increased coverage, finds more true-positives than baseline symbolic execution and fuzzing tools, as well as state-of-the-art coverage-guided tools, in only 10% of the analysis time taken by them.

An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing

A gap analysis of research on hybrid techniques that improve both plain symbolic execution and fuzzing is performed, and new ideas for hybrid test-case generation techniques are proposed.

A hybrid symbolic execution assisted fuzzing method

A new automated method for efficient detection of security vulnerabilities in binary programs is presented; it can effectively prevent the fuzzing-guided exploration from converging on the less interesting but easy-to-fuzz branches.

SAVIOR: Towards Bug-Driven Hybrid Testing

This work proposes SAVIOR, a new hybrid testing framework that pioneers a bug-driven principle; it outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage.

Strong Optimistic Solving for Dynamic Symbolic Execution

This work proposes a strong optimistic solving method that eliminates irrelevant path-predicate constraints when inverting a target branch and separately handles symbolic branches that contain nested control-transfer instructions passing control beyond the parent branch's scope.

Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection

This study provides an overview of key concepts along with a taxonomy of existing hybrid fuzzing tools, problems, and solutions that have been developed in this sphere, and includes evaluations of the proposed approaches and a number of suggestions for the future development of hybrid fuzzing.

Combining BMC and Fuzzing Techniques for Finding Software Vulnerabilities in Concurrent Programs

EBF, a technique that combines Bounded Model Checking and Gray-Box Fuzzing to find software vulnerabilities in concurrent programs, detects a data race in the open-source wolfMqtt library and reproduces known bugs in several other real-world programs, which demonstrates its effectiveness in finding vulnerabilities in real-world software.

Ffuzz: Towards full system high coverage fuzz testing on binary executables

Ffuzz is a hybrid automatic bug finding tool on top of fuzz testing and selective symbolic execution that targets full system software stack testing including both the user space and kernel space and proposes two key optimizations to improve the efficiency of full system testing.
...

Automated Whitebox Fuzz Testing

This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implements this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications.

Random testing for security: blackbox vs. whitebox fuzzing

An overview of the recent work on whitebox fuzzing is presented, with an emphasis on the key algorithms and techniques needed to make this approach effective and scalable.

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing.

Grammar-based whitebox fuzzing

Results of the experiments show that grammar-based whitebox fuzzing explores deeper program paths, avoids dead ends due to non-parsable inputs, and increased coverage of the code-generation module of the IE7 JavaScript interpreter from 53% to 81% while using three times fewer tests.

Unleashing Mayhem on Binary Code

This paper proposes two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.

EXE: automatically generating inputs of death

This paper presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code instead of running code on manually or randomly constructed input, and solves the current path constraints to find concrete values using its own co-designed constraint solver, STP.

Enhancing bug hunting using high-level symbolic simulation

This paper proposes an innovative methodology that reuses existing constrained-random testbenches for formal bug hunting, and presents several techniques to enhance RTL symbolic simulation, and integrates state-of-the-art word-level and Boolean-level verification techniques into a common framework called BugHunter.

Symbolic execution and program testing

A particular system called EFFIGY, which provides symbolic execution for program testing and debugging and interpretively executes programs written in a simple PL/I-style programming language, is described.

A Smart Fuzzer for x86 Executables

This paper describes a new approach for the identification of vulnerabilities in object code, called smart fuzzing, which restricts the input space using a preliminary static analysis of the program and then refines it by monitoring each execution.

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs

KLEE, a new symbolic execution tool, is presented; it automatically generates tests that achieve high coverage on a diverse set of complex and environmentally intensive programs and significantly beats the coverage of the developers' own hand-written test suites.