Paper Info
Title
Reviewing KLEE's Sonar-Search Strategy in Context of Greybox Fuzzing.
Abstract
Automatic test-case generation techniques of symbolic execution and fuzzing are the most widely used methods to discover vulnerabilities in, both, academia and industry. However, both these methods suffer from fundamental drawbacks that stop them from achieving high path coverage that may, consequently, lead to discovering vulnerabilities at the numerical scale of static analysis. In this presentation, we examine systems-under-test (SUTs) at the granularity level of functions and postulate that achieving higher function coverage (execution of functions in a program at least once) than, both, symbolic execution and fuzzing may be a necessary condition for discovering more vulnerabilities than both. We will start this presentation with the design of a targeted search strategy for KLEE, sonar-search, that prioritizes paths leading to a target function, rather than maximizing overall path coverage in the program. Then, we will show that examining SUTs at the level of functions (compositional analysis) leads to discovering more vulnerabilities than symbolic execution from a single entry point. Using this finding, we will, then, demonstrate a greybox fuzzing method that can achieve higher function coverage than symbolic execution. Finally, we will present a framework to effectively manage vulnerabilities and assess their severities.
Year
Venue
Field
2018
arXiv: Software Engineering
Fuzz testing,Software engineering,Computer science,Path coverage,Entry point,Static analysis,Sonar,Theoretical computer science,Symbolic execution,Granularity,Vulnerability
DocType
Volume
Citations 
Journal
abs/1803.04881
0
PageRank 
References 
Authors
0.34
3
5
Name
Order
Citations
PageRank
Saahil Ognawala1224.05
Alexander Pretschner21585137.50
Thomas Hutzelmann300.68
Eirini Psallida400.34
Ricardo Nales Amato500.34