BanditFuzz: A Reinforcement-Learning Based Performance Fuzzer for SMT Solvers

Satisfiability Modulo Theories (SMT) solvers are fundamental tools that are used widely in software engineering, verification, and security research. Precisely because of their widespread use, it is imperative that we develop efficient and systematic methods to test them. To this end, we present a reinforcement-learning based fuzzing system, BanditFuzz, that learns which grammatical constructs of well-formed inputs are likely to cause performance slowdown in SMT solvers. To the best of our knowledge, BanditFuzz is the first machine-learning based performance fuzzer for SMT solvers. BanditFuzz takes the following as input: a grammar G describing well-formed inputs to a set of distinct solvers (say, a target solver T and a reference solver R) that implement the same specification, and a fuzzing objective (e.g., maximize the relative performance difference between T and R). BanditFuzz outputs a list of grammatical constructs ranked in descending order by how likely they are to increase the performance difference between solvers T and R. Using BanditFuzz, we constructed two benchmark suites (with 400 floating-point and 300 string instances) that expose performance issues in all considered solvers, namely Z3, CVC4, Colibri, MathSAT, Z3seq, and Z3str3. We also compared BanditFuzz against random, mutation, and evolutionary fuzzing methods and observed up to an 81% improvement based on the PAR-2 scores used in SAT competitions. That is, relative to the other fuzzing methods considered, BanditFuzz was more efficient at constructing inputs with a wider performance margin between a target solver and a set of reference solvers.
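The abstract describes a loop in which each grammatical construct is a bandit arm, the reward is an improvement of the fuzzing objective (here, target runtime minus reference runtime), and the output is a ranking of constructs by how likely they are to widen that gap. The Python sketch below is an added illustration of that idea and is not code from the BanditFuzz paper or its implementation. Everything concrete in it is a constructed assumption: the six SMT-LIB floating-point operators used as arms, the additive per-operator cost models standing in for real solver runs, the insert-based mutation, the Thompson-sampling policy with Beta posteriors, and the helper names (`bandit_fuzz`, `objective`, `to_smtlib`, `par2`). PAR-2 is computed as in SAT competitions: a run that times out is charged twice the timeout.

```python
"""Simplified bandit-driven performance fuzzer in the spirit of BanditFuzz.

Each grammar construct is an arm. Every round, Thompson sampling picks a
construct, the fuzzer inserts it into the current best instance, both
(simulated) solvers are run, and the arm is rewarded iff the objective
strictly improved. Arms are finally ranked by posterior mean, i.e. by how
likely the construct is to widen the target/reference gap.
"""
import random
from dataclasses import dataclass

# Constructed: SMT-LIB FP operators as (arity, takes a rounding mode).
CONSTRUCTS = {
    "fp.add": (2, True), "fp.mul": (2, True), "fp.div": (2, True),
    "fp.fma": (3, True), "fp.sqrt": (1, True), "fp.rem": (2, False),
}
TIMEOUT_MS = 100_000

# Constructed cost models (ms per operator) standing in for real solver runs:
# the hypothetical target is slow on fp.div and fp.fma, the reference is flat.
TARGET_COST = {"fp.add": 40, "fp.mul": 50, "fp.sqrt": 60,
               "fp.rem": 50, "fp.div": 300, "fp.fma": 200}
REFERENCE_COST = {c: 50 for c in CONSTRUCTS}


def simulated_solver(instance, cost, timeout=TIMEOUT_MS):
    """Hypothetical solver: runtime is additive per operator, capped at the timeout."""
    return min(sum(cost[op] for op in instance), timeout)


def objective(instance):
    """Fuzzing objective: target runtime minus reference runtime (larger is worse for the target)."""
    return simulated_solver(instance, TARGET_COST) - simulated_solver(instance, REFERENCE_COST)


@dataclass
class Arm:
    successes: int = 1  # Beta posterior alpha (prior Beta(1,1))
    failures: int = 1   # Beta posterior beta

    def mean(self):
        return self.successes / (self.successes + self.failures)


def thompson_pick(arms, rng):
    """Draw one sample from each arm's Beta posterior and play the argmax."""
    return max(arms, key=lambda c: rng.betavariate(arms[c].successes, arms[c].failures))


def mutate(instance, construct, rng):
    """Insert the chosen construct at a random position of the current instance."""
    new = list(instance)
    new.insert(rng.randrange(len(new) + 1), construct)
    return new


def bandit_fuzz(rounds=200, seed=1):
    """Return (ranked constructs, best instance, best objective value)."""
    rng = random.Random(seed)
    arms = {c: Arm() for c in CONSTRUCTS}
    best = [rng.choice(list(CONSTRUCTS)) for _ in range(4)]
    best_score = objective(best)
    # Warm-up: pull each arm once, then let Thompson sampling choose.
    schedule = list(CONSTRUCTS) + [None] * (rounds - len(CONSTRUCTS))
    for forced in schedule:
        construct = forced if forced is not None else thompson_pick(arms, rng)
        candidate = mutate(best, construct, rng)
        score = objective(candidate)
        if score > best_score:           # reward 1: the gap widened
            arms[construct].successes += 1
            best, best_score = candidate, score
        else:                            # reward 0: no improvement
            arms[construct].failures += 1
    ranking = sorted(arms, key=lambda c: arms[c].mean(), reverse=True)
    return ranking, best, best_score


def to_smtlib(instance):
    """Render an instance as an SMT-LIB 2 QF_FP script (operators nested left to right)."""
    term, leaves = "x", ["y", "z"]
    for op in instance:
        arity, needs_rm = CONSTRUCTS[op]
        args = [term] + leaves[:arity - 1]
        term = f"({op} {'RNE ' if needs_rm else ''}{' '.join(args)})"
    decls = "\n".join(f"(declare-const {v} (_ FloatingPoint 8 24))" for v in "xyz")
    return f"(set-logic QF_FP)\n{decls}\n(assert (fp.eq {term} z))\n(check-sat)\n"


def par2(runtimes_ms, timeout=TIMEOUT_MS):
    """PAR-2 score: average runtime where a timed-out run is charged 2 * timeout."""
    return sum(2 * timeout if t >= timeout else t for t in runtimes_ms) / len(runtimes_ms)


if __name__ == "__main__":
    ranking, best, gap = bandit_fuzz()
    print("constructs ranked by P(widens gap):", ranking)
    print(f"best instance gap: {gap} ms\n{to_smtlib(best)}")
```

With the constructed cost models, inserting `fp.div`, `fp.fma` or `fp.sqrt` always widens the gap while the other three never do, so those three end up at the top of the ranking; with real solvers the rewards are noisy and the posterior means separate more slowly, which is exactly the regime a bandit policy is meant for. To run it against real solvers, replace `simulated_solver` with a wall-clock timing of `to_smtlib(instance)` fed to each binary.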
