Abstract:Symbolic execution and fuzz testing are effective approaches for program analysis, thanks to their evolving path exploration approaches. The state-of-the-art symbolic execution and fuzzing techniques are able to generate valid program inputs to satisfy the conditional statements. However, they have very limited ability to explore the finite-state-machine models implemented by real-world programs. This is because such state machines contain program-state-dependent branches (state-dependent branches in this paper) which depend on earlier program execution instead of the current program inputs. This paper is the first attempt to thoroughly explore the state-dependent branches in real-world programs. We introduce program-state-aware symbolic execution, a novel technique that guides symbolic execution engines to efficiently explore the state-dependent branches. As we show in this paper, state-dependent branches are prevalent in many important programs because they implement state machines to fulfill their application logic. Symbolically executing arbitrary programs with state-dependent branches is difficult, since there is a lack of unified specifications for their state machine implementation. Faced with this challenging problem, this paper recognizes widely-existing data dependency between current program states and previous inputs in a class of important programs. Our insights into these programs help us take a successful first step on this task. We design and implement a tool Ferry, which efficiently guides symbolic execution engine by automatically recognizing program states and exploring state-dependent branches. By applying Ferry to 13 different real-world programs and the comprehensive dataset Google FuzzBench, Ferry achieves higher block and branch coverage than two state-of-the-art symbolic execution engines and manages to locate three 0-day vulnerabilities in jhead. Our further investigation shows that Ferry is able to cover more hard-to-reach code compared with existing symbolic executors and fuzzers. Further, we show that Ferry is able to reach more program-state-dependent vulnerabilities than existing symbolic executors and fuzzing approaches with 15 collected state-dependent vulnerabilities and a test suite of six prominent programs. Finally, we test Ferry on LAVA-M dataset to understand its strengths and limitations.

Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths

VIDEZZO: Dependency-aware Virtual Device Fuzzing

Effective code coverage in compositional systematic dynamic testing

EXAMINER-PRO: Testing Arm Emulators Across Different Privileges

StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing

Deep Learning-Based Hybrid Fuzz Testing

Steering Symbolic Execution to Less Traveled Paths

Dependence Guided Symbolic Execution.

A model-guided symbolic execution approach for network protocol implementations and vulnerability detection

Revery

Tunter: Assessing Exploitability of Vulnerabilities with Taint-Guided Exploitable States Exploration

SAFL: increasing and accelerating testing coverage with symbolic execution and guided fuzzing.

Steelix: program-state based binary fuzzing

Towards Efficient Data-flow Test Data Generation

Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution

Revery: From Proof-Of-Concept To Exploitable (One Step Towards Automatic Exploit Generation)

AFL++: A Vulnerability Discovery and Reproduction Framework

VisFuzz: understanding and intervening fuzzing with interactive visualization

Symbolic execution of floating-point programs: How far are we?

SynFuzz: Efficient Concolic Execution via Branch Condition Synthesis

Westworld: Fuzzing-Assisted Remote Dynamic Symbolic Execution of Smart Apps on IoT Cloud Platforms