Sequence Coverage Directed Greybox Fuzzing

Existing directed fuzzers are not efficient enough. Directed whitebox fuzzers based on symbolic execution, e.g. BugRedux, spend much of their time on heavyweight program analysis and constraint solving at runtime. Directed greybox fuzzers such as AFLGo perform well at runtime, but the considerable computation they require during the instrumentation phase hinders overall performance. In this paper, we propose Sequence-coverage Directed Fuzzing (SCDF), a lightweight directed fuzzing technique that efficiently steers exploration towards user-specified program statements. Given a set of target statement sequences of a program, SCDF aims to generate inputs that reach the statements of each sequence in the given order and trigger bugs in the program. Moreover, we present a novel energy schedule algorithm that adjusts a seed's energy according to its ability to cover the given statement sequences, with both the coverage and the energy computed on demand. We implement the technique in a tool, LOLLY, which is designed to be efficient both at instrumentation time and at runtime. Experiments on several real-world software projects demonstrate that LOLLY outperforms two well-established tools in efficiency and effectiveness: AFLGo, a directed greybox fuzzer, and BugRedux, a directed symbolic-execution-based whitebox fuzzer.
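As an added illustration of what "sequence coverage" buys over plain statement coverage, and of an energy schedule driven by it, the following Python sketch is provided here; it is not part of the paper and not LOLLY's code. The abstract does not define the coverage metric or the schedule, so the following are assumptions: a target sequence is an ordered list of statement IDs, a seed's execution is summarised as a list of statement IDs (its trace), sequence coverage is the fraction of a target sequence matched in order as a subsequence of the trace, a seed's score is its best coverage over all target sequences, and energy grows exponentially with that score. The toy program (`toy_program`), the target sequence `S1..S5`, the initial seed and the alphabet are all constructed for this example.

```python
"""Sequence coverage and a coverage-driven energy schedule (added example).

Not LOLLY's code. Coverage metric, aggregate, schedule, toy program and
inputs are all assumptions/constructions made for this illustration.
"""
import random
from typing import Dict, List, Optional, Sequence

# Constructed target sequence; S5 stands for the bug site.
TARGETS: List[List[str]] = [["S1", "S2", "S3", "S4", "S5"]]


def toy_program(data: str) -> List[str]:
    """Constructed toy target; returns the trace of statement IDs executed.

    'A' authenticates, 'B' begins a transaction, 'C' commits. S5 is reached
    only when A, B, C occur in that order, so hitting S1..S4 individually
    says nothing about whether the bug is reachable.
    """
    trace = ["S1"]                      # entry
    authed = began = False
    for ch in data:
        if ch == "A":
            trace.append("S2")
            authed = True
        elif ch == "B":
            trace.append("S3")
            began = authed              # a B only counts after an A
        elif ch == "C":
            trace.append("S4")
            if began:
                trace.append("S5")      # bug site
    return trace


def statement_coverage(trace: Sequence[str], target: Sequence[str]) -> float:
    """Order-insensitive baseline: fraction of target statements hit at all."""
    return len(set(trace) & set(target)) / len(target)


def sequence_coverage(trace: Sequence[str], target: Sequence[str]) -> float:
    """Fraction of `target` reached in order: longest prefix of the sequence
    that embeds as a subsequence of the trace (greedy matching is optimal)."""
    matched = 0
    for stmt in trace:
        if matched < len(target) and stmt == target[matched]:
            matched += 1
    return matched / len(target)


def seed_coverage(trace: Sequence[str], targets: Sequence[Sequence[str]]) -> float:
    """Assumed aggregate: best coverage over all sequences, so a seed is
    rewarded for closing in on any one of them (a mean would be an alternative)."""
    return max(sequence_coverage(trace, t) for t in targets)


def energy_for(cov: float, base: int = 16, max_factor: int = 8) -> int:
    """Assumed schedule: `base` mutations for a seed reaching nothing,
    `base * max_factor` for one reaching a whole sequence, exponential between."""
    return int(base * max_factor ** cov)


def mutate(s: str, rng: random.Random, alphabet: str = "ABCX") -> str:
    """One random edit: replace, insert or delete a character (constructed alphabet)."""
    op = rng.choice(("replace", "insert", "delete"))
    if op == "delete" and len(s) > 1:
        i = rng.randrange(len(s))
        return s[:i] + s[i + 1:]
    if op == "insert":
        i = rng.randrange(len(s) + 1)
        return s[:i] + rng.choice(alphabet) + s[i:]
    i = rng.randrange(len(s))
    return s[:i] + rng.choice(alphabet) + s[i + 1:]


def fuzz(targets, budget: int = 5000, rng: Optional[random.Random] = None):
    """Minimal directed loop: mutate the seed with the best sequence coverage,
    spend its energy, keep children that get further along a sequence.
    Returns (best coverage, corpus, executions used)."""
    rng = rng or random.Random(0)
    corpus = ["XXX"]                    # constructed initial seed: reaches only S1
    cov_of: Dict[str, float] = {"XXX": seed_coverage(toy_program("XXX"), targets)}
    best = cov_of["XXX"]
    spent = 0
    while spent < budget and best < 1.0:
        seed = max(corpus, key=lambda s: cov_of[s])
        for _ in range(energy_for(cov_of[seed])):
            if spent >= budget:
                break
            spent += 1
            child = mutate(seed, rng)
            cov = seed_coverage(toy_program(child), targets)
            if cov > best:              # progress along a target sequence
                best = cov
                corpus.append(child)
                cov_of[child] = cov
                break                   # reschedule on the new best seed
    return best, corpus, spent


if __name__ == "__main__":
    t = toy_program("BAC")
    print("BAC statement coverage:", statement_coverage(t, TARGETS[0]))  # 0.8
    print("BAC sequence coverage: ", sequence_coverage(t, TARGETS[0]))   # 0.4
    best, corpus, spent = fuzz(TARGETS)
    print("reached", best, "with", corpus[-1], "after", spent, "executions")
```

The input `BAC` executes four of the five target statements, so a statement-coverage view scores it 0.8, but it reaches only `S1, S2` in the required order and scores 0.4 under sequence coverage, which is why the schedule gives it little energy while a seed such as `AB` is pushed hard. The loop is deliberately naive (only strictly improving children are kept); a real fuzzer keeps the whole queue and weights it, but the energy computation itself needs nothing beyond the trace, which is the lightweight-at-runtime property the abstract claims.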

[1] A. Vargha et al. A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong. 2000.

[2] Phil McMinn et al. Evolutionary Testing Using an Extended Chaining Approach. Evolutionary Computation, 2006.

[3] Dawson R. Engler et al. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. OSDI, 2008.

[4] Martin C. Rinard et al. Taint-based directed whitebox fuzzing. 31st International Conference on Software Engineering (ICSE), 2009.

[5] Nikolai Tillmann et al. DyTa: dynamic symbolic execution guided with static verification results. 33rd International Conference on Software Engineering (ICSE), 2011.

[6] Michael Hicks et al. Directed Symbolic Execution. SAS, 2011.

[7] Alessandro Orso et al. BugRedux: Reproducing field failures for in-house debugging. 34th International Conference on Software Engineering (ICSE), 2012.

[8] Richard McNally et al. Fuzzing: The State of the Art. 2012.

[9] Alvis Cheuk M. Fong et al. Dynamic Symbolic Execution Guided by Data Dependency Analysis for High Structural Coverage. ENASE, 2012.

[10] Cristian Cadar et al. KATCH: high-coverage testing of software patches. ESEC/FSE, 2013.

[11] Herbert Bos et al. Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations. USENIX Security Symposium, 2013.

[12] Heejo Lee et al. Software Vulnerability Detection Using Backward Trace Analysis and Symbolic Execution. International Conference on Availability, Reliability and Security, 2013.

[13] Junfeng Yang et al. Verifying systems rules using rule-directed symbolic execution. ASPLOS, 2013.

[14] Gul A. Agha et al. Targeted test input generation using symbolic-concrete backward execution. ASE, 2014.

[15] Siau-Cheng Khoo et al. Goal-oriented dynamic test generation. Information and Software Technology, 2015.

[16] Eric Bodden et al. Using targeted symbolic execution for reducing false-positives in dataflow analysis. SOAP@PLDI, 2015.

[17] Soumya Paul et al. A Probabilistic Analysis of the Efficiency of Automated Software Testing. IEEE Transactions on Software Engineering, 2016.

[18] Abhik Roychoudhury et al. Directed Greybox Fuzzing. CCS, 2017.

[19] Yu Jiang et al. SAFL: Increasing and Accelerating Testing Coverage with Symbolic Execution and Guided Fuzzing. 40th International Conference on Software Engineering: Companion (ICSE-Companion), 2018.

[20] Zest: Validity Fuzzing and Parametric Generators for Effective Random Testing. arXiv:1812.00078, 2018.

[21] Koushik Sen et al. FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage. 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE), 2018.

[22] Hao Chen et al. Angora: Efficient Fuzzing by Principled Search. IEEE Symposium on Security and Privacy (SP), 2018.

[23] Abhik Roychoudhury et al. Coverage-Based Greybox Fuzzing as Markov Chain. IEEE Transactions on Software Engineering, 2016.

[24] Andrew E. Santosa et al. Smart Greybox Fuzzing. IEEE Transactions on Software Engineering, 2018.