Corpus ID: 18723765

Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution

Author: Brian Pak
Random mutational fuzz testing (fuzzing) and symbolic execution are program testing techniques that have been gaining popularity in the security research community. Our current implementation supports programs with linear path predicates and can automatically generate preconditioned random inputs from a polytope model of the input space extracted from binaries. These preconditioned random inputs can then be used with any fuzzer. Experiments show that our implementation is efficient in both…

Discover deeper bugs with dynamic symbolic execution and coverage-based fuzz testing

A novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation to mitigate path explosion caused by dynamic symbolic execution in hybrid testing are introduced and a distance-based seed selection method to rearrange the seed queue of the fuzzer engine in order to achieve higher coverage is proposed.

Improving function coverage with munch: a hybrid fuzzing and directed symbolic execution approach

Munch, an open-source framework implementing two hybrid techniques based on fuzzing and symbolic execution, is presented and empirically shows that overall, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone.

Compositional Fuzzing Aided by Targeted Symbolic Execution

It is shown that Wildfire, as a result of the increased coverage, finds more true-positives than baseline symbolic execution and fuzzing tools, as well as state-of-the-art coverage-guided tools, in only 10% of the analysis time taken by them.

An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing

A gap analysis of research on hybrid techniques that improve both plain symbolic execution and fuzzing is performed, and new ideas for hybrid test-case generation techniques are proposed.

SAVIOR: Towards Bug-Driven Hybrid Testing

This work proposes SAVIOR, a new hybrid testing framework pioneering a bug-driven principle that outperforms mainstream automated testing techniques, including state-of-the-art hybrid testing systems driven by code coverage.

Strong Optimistic Solving for Dynamic Symbolic Execution

This work proposes a strong optimistic solving method that eliminates irrelevant path predicate constraints for target branch inversion and separately handles symbolic branches that have nested control transfer instructions which pass control beyond the parent branch scope.

Exploratory Review of Hybrid Fuzzing for Automated Vulnerability Detection

This study provides an overview of key concepts along with a taxonomy of existing hybrid fuzzing tools, problems, and solutions that have been developed in this sphere, and includes evaluations of the proposed approaches and a number of suggestions for the future development of hybrid fuzzing.

Ffuzz: Towards full system high coverage fuzz testing on binary executables

Ffuzz is a hybrid automatic bug finding tool on top of fuzz testing and selective symbolic execution that targets full system software stack testing including both the user space and kernel space and proposes two key optimizations to improve the efficiency of full system testing.

Search-based Fuzzing

Search-based fuzzing is proposed, which is much more targeted than today’s fuzzers, yet significantly faster than symbolic execution techniques, and can achieve significantly more coverage than state-of-the-art tools for fuzzing and symbolic execution.

DeepDiver: Diving into Abysmal Depth of the Binary for Hunting Deeply Hidden Software Vulnerabilities

DeepDiver, a novel transformational hybrid fuzzing tool that explores deeply hidden software vulnerabilities by negating roadblock checks (RC) in the program, is designed and outperforms existing software testing tools, including patching-based fuzzers and state-of-the-art hybrid fuzzing techniques.

Automated Whitebox Fuzz Testing

This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implements this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications.

Random testing for security: blackbox vs. whitebox fuzzing

An overview of the recent work on whitebox fuzzing is presented, with an emphasis on the key algorithms and techniques needed to make this approach effective and scalable.

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

Experimental results show that TaintScope can accurately locate the checksum checks in programs and dramatically improve the effectiveness of fuzz testing.

Unleashing Mayhem on Binary Code

This paper proposes two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.

EXE: Automatically Generating Inputs of Death

This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP.

Enhancing bug hunting using high-level symbolic simulation

This paper proposes an innovative methodology that reuses existing constrained-random testbenches for formal bug hunting, and presents several techniques to enhance RTL symbolic simulation, and integrates state-of-the-art word-level and Boolean-level verification techniques into a common framework called BugHunter.

Symbolic execution and program testing

A particular system called EFFIGY which provides symbolic execution for program testing and debugging is described, which interpretively executes programs written in a simple PL/I style programming language.

A Smart Fuzzer for x86 Executables

This paper describes a new approach for the identification of vulnerabilities in object code called smart fuzzing, which restricts the input space using a preliminary static analysis of the program and then refines it by monitoring each execution.

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs

A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally intensive programs and that significantly beat the coverage of the developers' own hand-written test suites, is presented.

CUTE: a concolic unit testing engine for C

A method to represent and track constraints that capture the behavior of a symbolic execution of a unit with memory graphs as inputs is developed and an efficient constraint solver is proposed to facilitate incremental generation of such test inputs.