1 research outputs found
Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle
Nowadays automated dynamic analysis frameworks for continuous testing are in
high demand to ensure software safety and satisfy the security development
lifecycle~(SDL) requirements. The security bug hunting efficiency of
cutting-edge hybrid fuzzing techniques outperforms widely utilized
coverage-guided fuzzing. We propose an enhanced dynamic analysis pipeline to
leverage productivity of automated bug detection based on hybrid fuzzing. We
implement the proposed pipeline in the continuous fuzzing toolset Sydr-Fuzz
which is powered by hybrid fuzzing orchestrator, integrating our DSE tool Sydr
with libFuzzer and AFL++. Sydr-Fuzz also incorporates security predicate
checkers, crash triaging tool Casr, and utilities for corpus minimization and
coverage gathering. The benchmarking of our hybrid fuzzer against alternative
state-of-the-art solutions demonstrates its superiority over coverage-guided
fuzzers while remaining on the same level with advanced hybrid fuzzers.
Furthermore, we approve the relevance of our approach by discovering 85 new
real-world software flaws within the OSS-Sydr-Fuzz project. Finally, we open
Casr source code to the community to facilitate examination of the existing
crashes