Branch coverage guided symbolic execution for hybrid fuzz testing of software binaries
First Claim
1. A computer-implemented method for branch coverage guided symbolic execution for hybrid fuzzing, the method comprising:
- receiving, at a symbolic execution engine, a seed input of a binary program under analysis (BPUA) that is discovered during testing of the BPUA by a greybox fuzzer;
concretely executing, at the symbolic execution engine, the BPUA using the seed input;
collecting a trace resulting from the concrete execution by the symbolic execution engine of the BPUA using the seed input;
determining a number of new branches discovered by the concrete execution of the BPUA using the seed input by comparing branches executed in the trace to a bitmap indicative of discovered branches previously discovered during prior executions of the BPUA by the greybox fuzzer and the symbolic execution engine; and
responsive to a determination that the concrete execution of the BPUA using the seed input discovers at least one new branch;
updating the bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer and the symbolic execution engine during the testing of the BPUA to maintain a record of discovered branches in the BPUA;
assigning a priority to the seed input based on the number of new branches discovered;
providing the seed input to a priority queue;
after obtaining the seed input from the priority queue according to the assigned priority, symbolically executing the BPUA along the trace using a symbol of the seed input;
collecting one or more constraints satisfied along the trace symbolically executed through the BPUA, wherein at least one of the one or more constraints is used to transform the seed input; and
providing the transformed seed input to the greybox fuzzer.
1 Assignment
0 Petitions
Accused Products
Abstract
According to some examples, computer-implemented methods for branch coverage guided symbolic execution for hybrid fuzzing are described. An example computer-implemented method may include receiving a seed input of a binary program under analysis (BPUA) that is discovered during testing by a greybox fuzzer. The method may also include concretely executing the seed input in the BPUA, and collecting a trace resulting from the concrete execution of the seed input. The method may further include determining whether the concrete execution of the seed input discovers a new branch. The method may include, responsive to a determination that the concrete execution of the seed input discovers a new branch, updating a bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer to maintain a record of discovered branches in BPUA, and providing the seed input to the greybox fuzzer.
-
Citations
13 Claims
-
1. A computer-implemented method for branch coverage guided symbolic execution for hybrid fuzzing, the method comprising:
-
receiving, at a symbolic execution engine, a seed input of a binary program under analysis (BPUA) that is discovered during testing of the BPUA by a greybox fuzzer; concretely executing, at the symbolic execution engine, the BPUA using the seed input; collecting a trace resulting from the concrete execution by the symbolic execution engine of the BPUA using the seed input; determining a number of new branches discovered by the concrete execution of the BPUA using the seed input by comparing branches executed in the trace to a bitmap indicative of discovered branches previously discovered during prior executions of the BPUA by the greybox fuzzer and the symbolic execution engine; and responsive to a determination that the concrete execution of the BPUA using the seed input discovers at least one new branch; updating the bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer and the symbolic execution engine during the testing of the BPUA to maintain a record of discovered branches in the BPUA; assigning a priority to the seed input based on the number of new branches discovered; providing the seed input to a priority queue; after obtaining the seed input from the priority queue according to the assigned priority, symbolically executing the BPUA along the trace using a symbol of the seed input; collecting one or more constraints satisfied along the trace symbolically executed through the BPUA, wherein at least one of the one or more constraints is used to transform the seed input; and providing the transformed seed input to the greybox fuzzer. - View Dependent Claims (2, 3, 4, 5)
-
-
6. A computer program product including one or more non-transitory machine-readable mediums encoded with instruction that when executed by one or more processors cause a process to be carried out for branch coverage guided symbolic execution for hybrid fuzzing, the process comprising:
-
receiving, by a symbolic execution engine, a seed input of a binary program under analysis (BPUA) that is discovered during testing of the BPUA by a greybox fuzzer; concretely executing, by the symbolic execution engine, the BPUA using the seed input; collecting, by the symbolic execution engine, a trace resulting from the concrete execution of the BPUA using the seed input; determining, by the symbolic execution engine, a number of new branches discovered by the concrete execution of the BPUA using the seed input by comparing branches executed in the trace to a bitmap indicative of discovered branches previously discovered during prior executions of the BPUA by the greybox fuzzer and the symbolic execution engine; and responsive to a determination that the concrete execution of the BPUA using the seed input discovers at least one new branch; updating, by the symbolic execution engine, the bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer and the symbolic execution engine during the testing of the BPUA to maintain a record of discovered branches in BPUA; assigning a priority to the seed input based on the number of new branches discovered; providing the seed input to a priority queue; after obtaining the seed input from the priority queue according to the assigned priority, symbolically executing the BPUA along the trace using a symbol of the seed input; collecting one or more constraints satisfied along the trace symbolically executed through the BPUA, wherein at least one of the one or more constraints is used to transform the seed input; placing the transformed seed input in a fuzzing queue; and providing the transformed seed input to the greybox fuzzer. - View Dependent Claims (7, 8, 9)
-
-
10. A system to perform branch coverage guided symbolic execution for hybrid fuzzing, the system comprising:
-
one or more non-transitory machine-readable mediums configured to store instructions; and one or more processors configured to execute the instructions stored on the one or more non-transitory machine-readable mediums, wherein execution of the instructions causes the one or more processors to; receive a seed input of a binary program under analysis (BPUA) that is discovered during testing of the BPUA by a greybox fuzzer; concretely execute the BPUA using the seed input; collect a trace resulting from the concrete execution of the BPUA using the seed input; determine a number of new branches discovered by the concrete execution of the BPUA using the seed input by comparing branches executed in the trace to a bitmap indicative of discovered branches previously discovered during prior executions of the BPUA by the greybox fuzzer; and responsive to a determination that the concrete execution of the BPUA using the seed input discovers at least one new branch; update a bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer during the testing of the BPUA to maintain a record of discovered branches in BPUA; assign a priority to the seed input based on the number of new branches discovered; provide the seed input to a priority queue; after obtaining the seed input from the priority queue according to the assigned priority, symbolically execute the BPUA along the trace using a symbol of the seed input; collect one or more constraints satisfied along the trace symbolically executed through the BPUA, wherein at least one of the one or more constraints is used to transform the seed input; place the transformed seed input in a fuzzing queue; and provide the transformed seed input to the greybox fuzzer. - View Dependent Claims (11, 12, 13)
-
Specification