
FuSeBMC v4: Improving code coverage with smart seeds via BMC, fuzzing and static analysis (2206.14068v4)

Published 28 Jun 2022 in cs.SE

Abstract: Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors because existing methods are unable to cover large areas of the target code. We propose FuSeBMC v4, a test generator that synthesizes seeds with useful properties, which we refer to as smart seeds, to improve the performance of its hybrid fuzzer and thereby achieve high coverage of C programs. FuSeBMC works by first analyzing the given C program and incrementally injecting goal labels into it to guide the BMC and evolutionary fuzzing engines. After that, the engines are employed for an initial period to produce the so-called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage or find bugs. During both seed generation and normal running, coordination between the engines is aided by the Tracer subsystem. This subsystem carries out additional coverage analysis and updates a shared memory with information on the goals covered so far. Furthermore, the Tracer evaluates test cases dynamically to convert them into seeds for subsequent fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition on software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.
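As an added illustration (not FuSeBMC's own code), the following Python toy models the two-phase workflow the abstract describes: a bounded exhaustive search stands in for the BMC engine and produces a smart seed for each goal label, a shared `covered` set plays the Tracer's role of recording goals reached, and a mutational fuzzer starts from those seeds and turns any test case that reaches a new goal into a seed. The target program, goal names and guard constants are constructed for this example.

```python
import random
from typing import Optional

# Constructed toy target standing in for an instrumented C program. Every
# branch carries an injected goal label; reaching it records the goal in the
# shared `covered` set (the job FuSeBMC's Tracer does via shared memory).
GOALS = ("goal_1", "goal_2", "goal_3")
MOD = 65521  # constructed constant for the "complex mathematical guard"


def target(x: int, covered: set) -> None:
    if x % 7 == 3:
        covered.add("goal_1")
        if x > 1000:
            covered.add("goal_3")
    if (x * 31 + 17) % MOD == 12345:  # random mutation rarely satisfies this
        covered.add("goal_2")


def bmc_seed(goal: str, bound: int = MOD) -> Optional[int]:
    """Stand-in for the BMC engine: bounded exhaustive search for an input that
    reaches `goal` (a real BMC engine would hand this constraint to an SMT solver)."""
    for x in range(bound):
        reached = set()
        target(x, reached)
        if goal in reached:
            return x
    return None


def fuzz(seeds, iterations: int, rng: random.Random):
    """Mutational fuzzer over 16-bit inputs. Any input that covers a new goal is
    promoted to the corpus, mirroring the Tracer's test-case-to-seed step."""
    corpus, covered = list(seeds), set()
    for s in corpus:
        target(s, covered)
    for _ in range(iterations):
        base = rng.choice(corpus)
        mutated = rng.choice([base ^ (1 << rng.randrange(16)),
                              base + rng.randrange(-10, 11), base * 2]) & 0xFFFF
        before = len(covered)
        target(mutated, covered)
        if len(covered) > before:
            corpus.append(mutated)
    return covered, corpus


def run_two_phase(iterations: int = 300):
    """Phase 1: derive smart seeds per goal; phase 2: fuzz starting from them."""
    smart = [s for s in (bmc_seed(g) for g in GOALS) if s is not None]
    covered, _ = fuzz(smart, iterations, random.Random(0))
    return smart, covered
```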

