DeepAI AI Chat
Log In Sign Up

Reviewing KLEE's Sonar-Search Strategy in Context of Greybox Fuzzing

by   Saahil Ognawala, et al.

Automatic test-case generation techniques of symbolic execution and fuzzing are the most widely used methods to discover vulnerabilities in, both, academia and industry. However, both these methods suffer from fundamental drawbacks that stop them from achieving high path coverage that may, consequently, lead to discovering vulnerabilities at the numerical scale of static analysis. In this presentation, we examine systems-under-test (SUTs) at the granularity level of functions and postulate that achieving higher function coverage (execution of functions in a program at least once) than, both, symbolic execution and fuzzing may be a necessary condition for discovering more vulnerabilities than both. We will start this presentation with the design of a targeted search strategy for KLEE, sonar-search, that prioritizes paths leading to a target function, rather than maximizing overall path coverage in the program. Then, we will show that examining SUTs at the level of functions (compositional analysis) leads to discovering more vulnerabilities than symbolic execution from a single entry point. Using this finding, we will, then, demonstrate a greybox fuzzing method that can achieve higher function coverage than symbolic execution. Finally, we will present a framework to effectively manage vulnerabilities and assess their severities.


page 1

page 2


Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach

Fuzzing and symbolic execution are popular techniques for finding vulner...

Presentation: SymDefFix – Sound Automatic Repair Using Symbolic Execution

In this presentation, we introduce our constraint-based repair approach,...

Discovering ePassport Vulnerabilities using Bisimilarity

We uncover privacy vulnerabilities in the ICAO 9303 standard implemented...

An Architecture for Exploiting Native User-Land Checkpoint-Restart to Improve Fuzzing

Fuzzing is one of the most popular and widely used techniques to find vu...

Compositional Fuzzing Aided by Targeted Symbolic Execution

Guided fuzzing has, in recent years, been able to uncover many new vulne...

Enhancing Dynamic Symbolic Execution by Automatically Learning Search Heuristics

We present a technique to automatically generate search heuristics for d...

On the Generation of Initial Contexts for Effective Deadlock Detection

It has been recently proposed that testing based on symbolic execution c...