Badger: Complexity Analysis with Fuzzing and Symbolic Execution

06/08/2018
by   Yannic Noller, et al.
0

Hybrid testing approaches that involve fuzz testing and symbolic execution have shown promising results in achieving high code coverage, uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger - a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities which occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse set of inputs that aim to increase not only coverage but also a resource-related cost associated with each path. Since fuzzing may fail to execute deep program paths due to its limited knowledge about the conditions that influence these paths, we complement the analysis with a symbolic execution, which is also customized to search for paths that increase the resource-related cost. Symbolic execution is particularly good at generating inputs that satisfy various program conditions but by itself suffers from path explosion. Therefore, Badger uses fuzzing and symbolic execution in tandem, to leverage their benefits and overcome their weaknesses. We implemented our approach for the analysis of Java programs, based on Kelinci and Symbolic PathFinder. We evaluated Badger on Java applications, showing that our approach is significantly faster in generating worst-case executions compared to fuzzing or symbolic execution on their own.

READ FULL TEXT

Authors

page 1

page 2

page 3

page 4

11/26/2017

Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach

Fuzzing and symbolic execution are popular techniques for finding vulner...
04/30/2018

Concolic Testing for Deep Neural Networks

Concolic testing alternates between CONCrete program execution and symbO...
03/15/2022

Safe Neurosymbolic Learning with Differentiable Symbolic Execution

We study the problem of learning worst-case-safe parameters for programs...
12/19/2021

An Architecture for Exploiting Native User-Land Checkpoint-Restart to Improve Fuzzing

Fuzzing is one of the most popular and widely used techniques to find vu...
02/05/2018

Shadow Symbolic Execution with Java PathFinder

Regression testing ensures that a software system when it evolves still ...
11/16/2018

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Side-channel attacks allow an adversary to uncover secret program data b...
11/10/2021

Symbolic Security Predicates: Hunt Program Weaknesses

Dynamic symbolic execution (DSE) is a powerful method for path explorati...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.