Strong Optimistic Solving for Dynamic Symbolic Execution
Dynamic symbolic execution (DSE) is an effective method for automated program
testing and bug detection. It increases code coverage by exploring complex
branches during hybrid fuzzing. DSE tools invert branches along some execution
path and help the fuzzer examine previously unreachable program parts. DSE
often faces overconstraint and underconstraint problems: the first
significantly complicates analysis, while the second causes inaccurate symbolic
execution.
We propose a strong optimistic solving method that eliminates irrelevant path
predicate constraints when inverting a target branch. We eliminate the symbolic
constraints on which the target branch is not control dependent. Moreover, we
separately handle symbolic branches that contain nested control transfer
instructions passing control beyond the parent branch scope, e.g. return,
goto, break, etc. We implement the proposed method in our dynamic symbolic
execution tool Sydr.
We evaluate the strong optimistic strategy, the optimistic strategy that
negates only the last constraint, and their combination. The results show that
combining the strategies helps increase either the code coverage or the average
number of correctly inverted branches per minute. Applying both strategies
together is optimal compared with the other configurations.
Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle
Nowadays, automated dynamic analysis frameworks for continuous testing are in
high demand to ensure software safety and satisfy security development
lifecycle (SDL) requirements. The security bug hunting efficiency of
cutting-edge hybrid fuzzing techniques outperforms widely used coverage-guided
fuzzing. We propose an enhanced dynamic analysis pipeline that increases the
productivity of automated bug detection based on hybrid fuzzing. We implement
the proposed pipeline in the continuous fuzzing toolset Sydr-Fuzz, which is
powered by a hybrid fuzzing orchestrator integrating our DSE tool Sydr with
libFuzzer and AFL++. Sydr-Fuzz also incorporates security predicate checkers,
the crash triaging tool Casr, and utilities for corpus minimization and
coverage gathering. Benchmarking our hybrid fuzzer against alternative
state-of-the-art solutions demonstrates its superiority over coverage-guided
fuzzers while remaining on the same level as advanced hybrid fuzzers.
Furthermore, we confirm the relevance of our approach by discovering 85 new
real-world software flaws within the OSS-Sydr-Fuzz project. Finally, we open
the Casr source code to the community to facilitate examination of existing
crashes.