Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis 2018
DOI: 10.1145/3213846.3213868
Badger: complexity analysis with fuzzing and symbolic execution

Abstract: Hybrid testing approaches that involve fuzz testing and symbolic execution have shown promising results in achieving high code coverage, uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger, a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities which occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse se…

Cited by 48 publications (37 citation statements)
References 32 publications
“…Recent techniques for improving code coverage during fuzz testing include introducing selective symbolic execution [58], control-and data-flow analysis on the program under test [50], reducing collisions in code coverage measurements [23], and altering the program under test [46]. Prior work applies existing fuzz testers to discover AC vulnerabilities in whole programs [37], [47], and in Java programs by combining fuzz testing with symbolic execution [43] or seeding black box fuzzing with information taken from program traces [40]. In contrast, HotFuzz micro-fuzzes individual methods and uses a genetic algorithm on individual Java objects in order to find inputs to these methods that demonstrate the presence of AC vulnerabilities.…”
Section: Fuzz Testing (mentioning)
confidence: 99%
“…Recent work has adapted existing state-of-the-art fuzz testers such as AFL [64] and libFuzzer [7] to automatically slow down programs with known performance problems. These approaches include favoring inputs that maximize the length of an input's execution in a program's Control Flow Graph (CFG) [47], incorporating multi-dimensional feedback that provides AFL with more visibility into the portions of the CFG each test case executes the most [37], and augmenting AFL with symbolic execution to maximize a Java program's resource consumption [43]. These recent advances demonstrate that modern fuzzers can automatically slow down programs such as sorting routines, hash table operations, and common Unix utilities.…”
Section: Introduction (mentioning)
confidence: 99%
“…On the one hand, there is a large field of fuzz testing [Forrester and Miller 2000; Godefroid et al 2008] and symbolic execution [Godefroid et al 2005;. Combinations of these methods have been recently studied for dynamic worst-case analysis [Burnim et al 2009; Noller et al 2018; Petsios et al 2017]. These dynamic approaches are quite universal in the sense that they can be applied to arbitrary programs implemented in a widely used programming language such as Java, but they usually do not formally guarantee that the resulting input exposes the worst resource usage.…”
Section: DI Wang and Jan Hoffmann (mentioning)
confidence: 99%
“…Example 2: Sequential Insertions in a Hash Table. We implement an OCaml program that models the hash table function from Badger [Noller et al 2018]. We insert an expression tick(1.0) when a hash collision happens.…”
Section: Case Studies (mentioning)
confidence: 99%