Author affiliations: Natl Univ Def Technol Sch Elect Sci & Engn, Changsha, Hunan, Peoples R China; Ecole Polytech Fed Lausanne Sch Comp & Commun Sci, Lausanne, Switzerland; Cyberhaven Inc, 401 Pk Dr Suite 811, Boston, MA 02215, USA
Publication: IET SOFTWARE
Year/Volume/Issue: 2018, Vol. 12, No. 6
Pages: 507-519
Core indexing:
Subject classification: 0808 [Engineering - Electrical Engineering]; 08 [Engineering]; 0835 [Engineering - Software Engineering]
Keywords: program testing; security of data; program debugging; fuzzy set theory; symbolic loop bucket optimisation; seed selection method; execution paths; vanilla fuzz testing; popular program testing techniques; dynamic symbolic execution; hybrid testing methods; lazy symbolic pointer concretisation method; deeper bugs; coverage-based fuzz testing; modern software complexity; program structures; seed files; off-the-shelf vulnerability detection tools
Abstract: Coverage-based fuzz testing and dynamic symbolic execution are both popular program testing techniques. However, on their own, both techniques suffer from scalability problems when considering the complexity of modern software. Hybrid testing methods attempt to mitigate these problems by leveraging dynamic symbolic execution to assist fuzz testing. Unfortunately, the efficiency of such methods is still limited by specific program structures and the schedule of seed files. In this study, the authors introduce a novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation to mitigate path explosion caused by dynamic symbolic execution in hybrid testing. They also propose a distance-based seed selection method to rearrange the seed queue of the fuzzer engine in order to achieve higher coverage. They implemented a prototype and evaluated its ability to find vulnerabilities in software and cover new execution paths. They show on different benchmarks that it can find more crashes than other off-the-shelf vulnerability detection tools. They also show that the proposed method can discover 43% more unique paths than vanilla fuzz testing.