Badger: Complexity Analysis with Fuzzing and Symbolic Execution

by   Yannic Noller, et al.

Hybrid testing approaches that involve fuzz testing and symbolic execution have shown promising results in achieving high code coverage, uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger - a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities which occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse set of inputs that aim to increase not only coverage but also a resource-related cost associated with each path. Since fuzzing may fail to execute deep program paths due to its limited knowledge about the conditions that influence these paths, we complement the analysis with a symbolic execution, which is also customized to search for paths that increase the resource-related cost. Symbolic execution is particularly good at generating inputs that satisfy various program conditions but by itself suffers from path explosion. Therefore, Badger uses fuzzing and symbolic execution in tandem, to leverage their benefits and overcome their weaknesses. We implemented our approach for the analysis of Java programs, based on Kelinci and Symbolic PathFinder. We evaluated Badger on Java applications, showing that our approach is significantly faster in generating worst-case executions compared to fuzzing or symbolic execution on their own.



page 1

page 2

page 3

page 4


Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach

Fuzzing and symbolic execution are popular techniques for finding vulner...

Concolic Testing for Deep Neural Networks

Concolic testing alternates between CONCrete program execution and symbO...

Safe Neurosymbolic Learning with Differentiable Symbolic Execution

We study the problem of learning worst-case-safe parameters for programs...

An Architecture for Exploiting Native User-Land Checkpoint-Restart to Improve Fuzzing

Fuzzing is one of the most popular and widely used techniques to find vu...

Shadow Symbolic Execution with Java PathFinder

Regression testing ensures that a software system when it evolves still ...

DifFuzz: Differential Fuzzing for Side-Channel Analysis

Side-channel attacks allow an adversary to uncover secret program data b...

Symbolic Security Predicates: Hunt Program Weaknesses

Dynamic symbolic execution (DSE) is a powerful method for path explorati...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.