CSEFuzz: Fuzz Testing Based on Symbolic Execution

Fuzz testing has been successful in finding defects in a wide range of software, including file parsers, image-processing libraries, web browsers, and network protocol implementations. However, the quality of the initial seed test cases strongly influences both the coverage and the defect-detection capability of fuzz testing. To address this issue, we propose CSEFuzz, a fuzz testing approach that uses symbolic execution to select seeds for defect detection. First, CSEFuzz generates candidate test cases by symbolic execution and collects coverage information for each candidate. Then, CSEFuzz extracts a test-case template from each candidate and selects a set of templates according to a specified coverage criterion. Finally, CSEFuzz selects test cases according to the selected templates, and the selected test cases serve as the initial seeds for fuzz testing. Experiments are conducted on 11 open-source programs. Compared with afl-cmin, the corpus-minimization tool of AFL that Kelinci relies on for seed selection, CSEFuzz with a path coverage criterion reduces the time cost of initial seed selection and verification by 94.26%. In addition, compared with afl-cmin, CSEFuzz covers 32 more paths and detects 16 more defects.
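The selection step described above can be illustrated with a small, self-contained Python model. This is an added example, not CSEFuzz's own code, and it makes two simplifying assumptions: a test-case template is taken to be the sequence of branch decisions a candidate exercised (concrete input bytes abstracted away), and template selection is a greedy set cover over the chosen coverage unit, where "edge" selection mimics what an afl-cmin-style minimizer keeps and "path" selection keeps one seed per distinct path. The candidates, their sizes and their branch sequences are constructed for the example.

```python
"""Coverage-driven seed selection modelled on the CSEFuzz pipeline.

Added illustration: the candidate test cases below are constructed, and the
template/selection rules are assumptions, not the paper's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str     # identifier of the symbolically generated test case
    size: int     # input length in bytes, used only as a tie-breaker
    path: tuple   # branch decisions taken, e.g. ("b1:T", "b2:F")


def template(cand: Candidate) -> tuple:
    """Assumption: the template of a test case is its branch sequence."""
    return cand.path


def group_by_template(cands):
    """Map each template to the candidates that share it."""
    groups = {}
    for cand in cands:
        groups.setdefault(template(cand), []).append(cand)
    return groups


def coverage_units(tmpl: tuple, criterion: str) -> set:
    """Units a template counts as covering under the given criterion."""
    if criterion == "path":
        return {tmpl}          # the whole branch sequence is one unit
    if criterion == "edge":
        return set(tmpl)       # each branch decision is one unit
    raise ValueError(f"unknown criterion: {criterion}")


def select_templates(groups, criterion: str):
    """Greedy set cover: repeatedly take the template that covers the most
    still-uncovered units; ties go to the template with the smallest input."""
    uncovered = set()
    for tmpl in groups:
        uncovered |= coverage_units(tmpl, criterion)
    remaining = set(groups)
    chosen = []
    while uncovered and remaining:
        best = max(
            remaining,
            key=lambda t: (len(coverage_units(t, criterion) & uncovered),
                           -min(c.size for c in groups[t])),
        )
        gain = coverage_units(best, criterion) & uncovered
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
        remaining.remove(best)
    return chosen


def select_seeds(cands, criterion: str = "path"):
    """Pick one representative (the smallest input) per selected template."""
    groups = group_by_template(cands)
    return [min(groups[t], key=lambda c: c.size)
            for t in select_templates(groups, criterion)]


def paths_covered(seeds) -> int:
    return len({c.path for c in seeds})


def edges_covered(seeds) -> int:
    return len({edge for c in seeds for edge in c.path})


# Constructed candidates over a target with two branches b1 and b2.
CANDIDATES = [
    Candidate("t1", 4, ("b1:T", "b2:T")),
    Candidate("t2", 8, ("b1:T", "b2:T")),   # same template as t1
    Candidate("t3", 6, ("b1:T", "b2:F")),
    Candidate("t4", 5, ("b1:F", "b2:T")),
    Candidate("t5", 12, ("b1:F", "b2:F")),
]

if __name__ == "__main__":
    for crit in ("edge", "path"):
        seeds = select_seeds(CANDIDATES, crit)
        print(crit, [s.name for s in seeds],
              "edges:", edges_covered(seeds), "paths:", paths_covered(seeds))
```

Under the edge criterion two seeds already cover all four branch decisions, so the minimizer stops there and two of the four paths are left for the fuzzer to rediscover; under the path criterion every distinct path keeps a representative. That difference is the mechanism behind the abstract's observation that path-based selection hands the fuzzer more covered paths up front.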
