Dynamic Symbolic Execution Guided by Data Dependency Analysis for High Structural Coverage

Do, TheAnh; Fong, A.C.M.; Pears, Russel

doi:10.1007/978-3-642-45422-6_1

Cited by 3 publications

(2 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SE plays a vital role in the directed fuzzer due to its path examination method. Therefore, the majority of proposed directed fuzzers [39][40][41][42] are whitebox fuzzing grounded on SE. Basically, they assemble symbolic path constraints while executing the program and run constraint solving modules to produce efficient inputs that can dive deeper into uncovered paths.…”

Section: Introductionmentioning

confidence: 99%

“…Basically, they assemble symbolic path constraints while executing the program and run constraint solving modules to produce efficient inputs that can dive deeper into uncovered paths. As an example, Do et al [39] apply an extended chaining method and information dependence analysis to construct event sequences main to the target locations and demonstrate directed concolic execution to produce aim-based test cases. To reach the specified target site and analyze programming patches, KATCH [20] associates a SE tool named KLEE [30] with numerous innovative heuristics.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

BugMiner: Mining the Hard-to-Reach Software Vulnerabilities through the Target-Oriented Hybrid Fuzzer

Rustamov

Kim

et al. 2020

Electronics

View full text Add to dashboard Cite

Greybox Fuzzing is the most reliable and essentially powerful technique for automated software testing. Notwithstanding, a majority of greybox fuzzers are not effective in directed fuzzing, for example, towards complicated patches, as well as towards suspicious and critical sites. To overcome these limitations of greybox fuzzers, Directed Greybox Fuzzing (DGF) approaches were recently proposed. Current DGFs are powerful and efficient approaches that can compete with Coverage-Based Fuzzers. Nevertheless, DGFs neglect to accomplish stability between usefulness and proficiency, and random mutations make it hard to handle complex paths. To alleviate this problem, we propose an innovative methodology, a target-oriented hybrid fuzzing tool that utilizes a fuzzer and dynamic symbolic execution (also referred to as a concolic execution) engine. Our proposed method aims to generate inputs that can quickly reach the target sites in each sequence and trigger potential hard-to-reach vulnerabilities in the program binary. Specifically, to dive deep into the target binary, we designed a proposed technique named BugMiner, and to demonstrate the capability of our implementation, we evaluated it comprehensively on bug hunting and crash reproduction. Evaluation results showed that our proposed implementation could not only trigger hard-to-reach bugs 3.1, 4.3, 2.9, 2.0, 1.8, and 1.9 times faster than Hawkeye, AFLGo, AFL, AFLFast, QSYM, and ParmeSan respectively but also scale to several real-world programs.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%