
Rare-Seed Generation for Fuzzing [article]

Seemanta Saha, Laboni Sarker, Md Shafiuzzaman, Chaofan Shou, Albert Li, Ganesh Sankaran, Tevfik Bultan
2022 arXiv   pre-print
In particular, we present techniques 1) that identify rare paths using quantitative symbolic analysis, and 2) generate inputs that can explore these rare paths using path-guided concolic execution.  ...  ., program paths with path constraints that are unlikely to be satisfied by random input generation), and then, generating inputs/seeds that trigger rare-paths, one can improve the coverage of fuzzing  ...  We guide concolic execution tool CREST [11] using the rare paths we collect from our control flow analysis.  ... 
arXiv:2212.09004v1 fatcat:xvefnssl45hgvf2rbsshof62ei

Research on Fuzz Testing Framework based on Concolic Execution

Xiong Xie, Yuhang Chen
2018 DEStech Transactions on Computer Science and Engineering  
The work of this paper is to design and realize a fuzz framework based on concolic execution using C++.  ...  SYSTEM FRAMEWORK A fuzz framework based on the concolic execution is proposed in this paper.  ...  GENERATE SYMBOLIC EXECUTION TREE The symbol execution tree is derived from the control flow chart (CFG).  ... 
doi:10.12783/dtcse/csae2017/17478 fatcat:5jr6s535cjdehnlhx2a64f4l7e

FuCE: Fuzzing+Concolic Execution guided Trojan Detection in Synthesizable Hardware Designs [article]

Mukta Debnath, Animesh Basak Chowdhury, Debasri Saha, Susmita Sur-Kolay
2021 arXiv   pre-print
In this work, we leverage the power of greybox fuzzing combined with concolic execution to explore deeper segments of design and uncover stealthy trojans.  ...  Experimental results show that our proposed framework is able to automatically detect trojans faster with fewer test cases, while attaining notable branch coverage, without any manual pre-processing analysis  ...  by automated injection of control flow statements on every conditional statement in run time, and generates executable.  ... 
arXiv:2111.00805v1 fatcat:f3go4fgc5zgnrlyevu2dxbl5wm

MaxAFL: Maximizing Code Coverage with a Gradient-Based Optimization Technique

Youngjoon Kim, Jiwon Yoon
2020 Electronics  
However, there is a limitation that some paths with complex constraints cannot be tested even after long execution. Fuzzers based on concolic execution have emerged to address this issue.  ...  The concolic execution fuzzers also have limitations in scalability. Recently, the gradient-based fuzzers that use a gradient to mutate inputs have been introduced.  ...  Control Flow Graph and Call Graph The best way to understand the execution flow of programs is to construct the Control Flow Graph (CFG) and the Call Graph.  ... 
doi:10.3390/electronics10010011 fatcat:yw6i624a7ral7hqtl7ypqu3fou

Search-Based Concolic Execution for SW Vulnerability Discovery

Rustamov FAYOZBEK, Minjun CHOI, Joobeom YUN
2018 IEICE transactions on information and systems  
It searches for unsafe API calls and automatically executes to the program block that have an unsafe API call. Also, we showed that BugHunter is more efficient than angr through experiments.  ...  Using search-based concolic execution, it can explore only suspicious execution flows. • BugHunter does not work on program source code but program executables.  ...  BugHunter uses the search-based concolic execution to avoid unnecessary execution paths. First, it constructs a Control Flow Graph (CFG) by parsing the program binary.  ... 
doi:10.1587/transinf.2018edl8052 fatcat:2u7rdjj6rja53dc3aksul4hqhe

DeepDiver: Diving into Abysmal Depth of the Binary for Hunting Deeply Hidden Software Vulnerabilities

Fayozbek Rustamov, Juhwan Kim, JooBeom Yun
2020 Future Internet  
We combine AFL++ and concolic execution engine and leveraged the trace analyzer approach to construct the tree for each input to detect RCs.  ...  Overall, DeepDiver outperformed existing software testing tools, including the patching-based fuzzer and state-of-the-art hybrid fuzzing techniques.  ...  Another option is using control flow analysis and complex data flow to track cohesion between the complex conditional jump and input.  ... 
doi:10.3390/fi12040074 fatcat:ixy3b7ff7jecxj2mgexbqiygsm

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems

Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim
2017 USENIX Annual Technical Conference  
Concolic testing, which generates all feasible inputs of a program by using symbolic execution and tests the program with the generated inputs, is one of the most promising approaches to solve this problem  ...  We applied CAB-FUZZ to Windows 7 and Windows Server 2008 and found 21 undisclosed unique crashes, including two local privilege escalation vulnerabilities (CVE-2015-6098 and CVE-2016-0040) and one information  ...  In this paper, we propose CAB-FUZZ (Context-Aware and Boundary-focused), a practical system specialized to detect vulnerabilities in COTS OSes based on concolic testing.  ... 
dblp:conf/usenix/KimLYXLYK17 fatcat:dm3o7kkcdnao7i7i32kg274q4u

MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing [article]

Yaohui Chen, Mansour Ahmadi, Reza Mirzazade farkhani, Boyu Wang, Long Lu
2020 arXiv   pre-print
MEUZZ's learning is based on a series of features extracted via code reachability and dynamic analysis, which incurs negligible runtime overhead (in microseconds).  ...  MEUZZ determines which new seeds are expected to produce better fuzzing yields based on the knowledge learned from past seed scheduling decisions made on the same or similar programs.  ...  that flow between fuzzer and concolic executor.  ... 
arXiv:2002.08568v2 fatcat:as2xekj7rnfltbm4ok25aculhe

SAVIOR: Towards Bug-Driven Hybrid Testing

Yaohui Chen, Peng Li, Jun Xu, Shengjian Guo, Rundong Zhou, Yulong Zhang, Tao Wei, Long Lu
2020 2020 IEEE Symposium on Security and Privacy (SP)  
Hybrid testing combines fuzz testing and concolic execution.  ...  It leverages fuzz testing to test easy-to-reach code regions and uses concolic execution to explore code blocks guarded by complex branch conditions.  ...  Our further analysis so far reveals at least 25 of them are exploitable for goals such as information leak and control flow manipulation.  ... 
doi:10.1109/sp40000.2020.00002 dblp:conf/sp/ChenLXGZZWL20 fatcat:5kieeedzrzbetkohcjwwv3abqy

Challenges and opportunities with concolic testing

Raghudeep Kannavara, Christopher J Havlicek, Bo Chen, Mark R Tuttle, Kai Cong, Sandip Ray, Fei Xie
2015 2015 National Aerospace and Electronics Conference (NAECON)  
In this paper, we discuss challenges to widespread adoption of concolic testing in an industrial setting and highlight further opportunities where concolic testing can find renewed applicability.  ...  Although concolic testing is increasingly being explored as a viable software verification technique, its adoption in mainstream software development and testing in the industry is not yet extensive.  ...  To counter this, control flow obfuscation techniques that aim to confuse the automated analyzers by obfuscating the programs' control flow structures are used to defend against software cracking and piracy  ... 
doi:10.1109/naecon.2015.7443099 fatcat:n757pypszveyhefimvoy6r3xte

QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, Taesoo Kim
2018 USENIX Security Symposium  
Recently, hybrid fuzzing has been proposed to address the limitations of fuzzing and concolic execution by combining both approaches.  ...  To overcome this problem, we design a fast concolic execution engine, called QSYM, to support hybrid fuzzing.  ...  By adopting this, concolic executors can automatically truncate such complex yet irrelevant logic and stay focused on the input fields that determine a program's control flow.  ... 
dblp:conf/uss/Yun0XJK18 fatcat:grc2p5imfzhk3a4sfiobl3y24m

A Survey of Search Strategies in the Dynamic Symbolic Execution

Yu Liu, Xu Zhou, Wei-Wei Gong, L. Long, Y. Li, X. Li, Y. Dai, H. Yang
2017 ITM Web of Conferences  
One key challenge in DSE is to find proper paths in the huge program execution space to generate effective inputs.  ...  This paper reviews and compares the main search strategies of DSE in recent years, including the Generational strategy, CarFast, Control-Flow  ...  Firstly, Control-Flow Directed Search generates the control flow graph of the program, then assigns values to each edge.  ... 
doi:10.1051/itmconf/20171203025 fatcat:oererg6dwbgvbfnn3vwgufsywe

EPfuzzer: Improving Hybrid Fuzzing with Hardest-to-reach Branch Prioritization

2020 KSII Transactions on Internet and Information Systems  
Hybrid fuzzing which combines fuzzing and concolic execution, has proved its ability to achieve higher code coverage and therefore find more bugs.  ...  The evaluation results showed that EPfuzzer was much more efficient and scalable than the state-of-the-art concolic execution engine (QSYM).  ...  Target-guided concolic execution is based on the concolic execution engine QSYM.  ... 
doi:10.3837/tiis.2020.09.018 fatcat:eundhnx44bgunbj33u6nbmxbwy

Survey of Automated Vulnerability Detection and Exploit Generation Techniques in Cyber Reasoning Systems [article]

Teresa Nicole Brooks
2018 arXiv   pre-print
These challenges have made binary analysis an important area of research in computer science and has emphasized the need for building automated analysis systems that can operate at scale, speed and efficacy  ...  This growing dependence on technology and the increasing complexity software has serious security implications as it means we are potentially surrounded by software that contain exploitable vulnerabilities  ...  Fig. 1. Example of simple control flow graph (adapted) • Disassembly and intermediate-representation lifting • Program instrumentation • Symbolic execution • Control-flow analysis • Data-dependency  ... 
arXiv:1702.06162v4 fatcat:3rhzbmq6yve2jkcx2mv73pjnre

Detecting Exploit Primitives Automatically for Heap Vulnerabilities on Binary Programs [article]

Jie Liu, Hang An, Jin Li, Hongliang Liang
2022 arXiv   pre-print
Previous works first detected heap vulnerabilities and then searched for exploitable states by using symbolic execution and fuzzing techniques on binary programs.  ...  In this paper, we present a solution DEPA to detect exploit primitives based on primitive-crucial-behavior model for heap vulnerabilities.  ...  As shown in Figure 3 , the DEPA system contains three modules: (1) primitive-crucial-behavior analysis module, (2) fuzzing module based on generation, and (3) concolic execution module.  ... 
arXiv:2212.13990v1 fatcat:ztnudgmq6ba5jfakx6fz3u2cj4