Open Access
Discover deeper bugs with dynamic symbolic execution and coverage‐based fuzz testing
Author(s) - Zhang Bin, Feng Chao, Herrera Adrian, Chipounov Vitaly, Candea George, Tang Chaojing
Publication year - 2018
Publication title - IET Software
Language(s) - English
Resource type - Journals
ISSN - 1751-8814
DOI - 10.1049/iet-sen.2017.0200
Subject(s) - fuzz testing , symbolic execution , computer science , concolic testing , code coverage , software testing , white box testing , schedule , scalability , test case , software , programming language , software development , operating system , machine learning , software construction , regression analysis
Coverage-based fuzz testing and dynamic symbolic execution are both popular program testing techniques. However, on their own, both techniques suffer from scalability problems when confronted with the complexity of modern software. Hybrid testing methods attempt to mitigate these problems by leveraging dynamic symbolic execution to assist fuzz testing. Unfortunately, the efficiency of such methods is still limited by specific program structures and by the scheduling of seed files. In this study, the authors introduce a novel lazy symbolic pointer concretisation method and a symbolic loop bucket optimisation to mitigate the path explosion caused by dynamic symbolic execution in hybrid testing. They also propose a distance-based seed selection method that rearranges the seed queue of the fuzzer engine in order to achieve higher coverage. They implemented a prototype and evaluated its ability to find vulnerabilities in software and to cover new execution paths. They show on different benchmarks that it can find more crashes than other off-the-shelf vulnerability detection tools. They also show that the proposed method can discover 43% more unique paths than vanilla fuzz testing.