Just fuzz it: solving floating-point constraints using coverage-guided fuzzing

Liew, Daniel; Cadar, Cristian; Donaldson, Alastair F.; Stinnett, J. Ryan

doi:10.1145/3338906.3338921

Cited by 26 publications

(11 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, the constraint solver performs in a greybox manner, e.g., it utilizes linear functions to approximate constraint behaviors. Interestingly, researchers have paid attention to solving path constraints via fuzzing [24,108]. For example, JFS [108] translates SMT formulas to a program and utilizes coverage-guided fuzzing to explore the program.…”

Section: Concolic Executionmentioning

confidence: 99%

See 1 more Smart Citation

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It generates a large number of test cases and monitors the executions for defects. Fuzzing has detected thousands of bugs and vulnerabilities in various applications. Although effective, there lacks systematic analysis of gaps faced by fuzzing. As a technique of defect detection, fuzzing is required to narrow down the gaps between the entire input space and the defect space. Without limitation on the generated inputs, the input space is infinite. However, defects are sparse in an application, which indicates that the defect space is much smaller than the entire input space. Besides, because fuzzing generates numerous test cases to repeatedly examine targets, it requires fuzzing to perform in an automatic manner. Due to the complexity of applications and defects, it is challenging to automatize the execution of diverse applications. In this paper, we systematically review and analyze the gaps as well as their solutions, considering both breadth and depth. This survey can be a roadmap for both beginners and advanced developers to better understand fuzzing.

show abstract

Section: Concolic Executionmentioning

confidence: 99%

“…Interestingly, researchers have paid attention to solving path constraints via fuzzing [24,108]. For example, JFS [108] translates SMT formulas to a program and utilizes coverage-guided fuzzing to explore the program. The SMT formulas are solved when a fuzzing-generated input reaches speciic locations of the corresponding program.…”

Section: Concolic Executionmentioning

confidence: 99%

Fuzzing: A Survey for Roadmap

et al. 2022

View full text Add to dashboard Cite

show abstract

“…To show that Fu z z y -Sa t can be used in other frameworks, we integrate it also in QSYM [4]. In our experimental evaluation: 1) we compare Fu z z y -Sa t to the SMT solver Z3 [7] and the approximate solver JFS [8 ] on queries issued by QSYM, which we use as a mature baseline. o u r results suggest that Fu z z y -Sa t can provide a nice tradeoff between speed and solving effectiveness, i.e., the number of queries found satisfiable by a solver.…”

Section: Contributionsmentioning

confidence: 99%

“…A different direction is instead taken by JFS [8 ], which builds on the experimental observation that SMT solvers can struggle on queries that involve floating-point values. JFS thus proposes to turn the query into a program, which is then analyzed using coverage-based grey-box fuzzing.…”

Section: Concolic Executionmentioning

confidence: 99%

See 1 more Smart Citation

Fuzzing Symbolic Expressions

Borzacchiello

Coppa

Demetrescu

2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Recent years have witnessed a wide array of results in software testing, exploring different approaches and methodologies ranging from fuzzers to symbolic engines, with a full spectrum of instances in between such as concolic execution and hybrid fuzzing. A key ingredient of many of these tools is Satisfiability Modulo Theories (SMT) solvers, which are used to reason over symbolic expressions collected during the analysis. In this paper, we investigate whether techniques borrowed from the fuzzing domain can be applied to check whether symbolic formulas are satisfiable in the context of concolic and hybrid fuzzing engines, providing a viable alternative to classic SMT solving techniques. We devise a new approximate solver, Fu z z y -Sa t , and show that it is both competitive with and complementary to state-of-the-art solvers such as Z3 with respect to handling queries generated by hybrid fuzzers.

show abstract

An SMT Theory of Fixed-Point Arithmetic

Baranowski

Lechner

et al. 2020

Automated Reasoning

View full text Add to dashboard Cite

Just fuzz it: solving floating-point constraints using coverage-guided fuzzing

Cited by 26 publications

References 53 publications

Fuzzing: A Survey for Roadmap

Fuzzing: A Survey for Roadmap

Fuzzing Symbolic Expressions

An SMT Theory of Fixed-Point Arithmetic

Contact Info

Product

Resources

About