Path Exploration Strategy for Symbolic Execution Based on Multi-strategy Active Learning

Lianying He, Dalin Zhang, Dongqing Zhu, Junwen Zhang, Rui Wang, Jiqiang Liu
DOI: https://doi.org/10.1145/3671016.3671403
2024-01-01
Abstract: This paper proposes a novel symbolic execution path exploration strategy named MS-ALS (Multi-strategy Active Learning Search). MS-ALS integrates multiple heuristic methods and introduces a machine learning model to learn symbolic states of program paths from the training set, aiming to predict the reward of symbolic states of program paths for selecting the optimal states. To obtain an accurate predictive model, this paper employs an active learning approach based on multiple query strategies. It selects symbolic states of program paths with high uncertainty, representativeness, and low redundancy from the pool of states to annotate, feeding back the state samples to the model to guide it towards more accurate predictions. This enables symbolic execution tools to explore input programs more efficiently. Experiments show that MS-ALS achieves higher code coverage and identifies more security violations compared to baseline methods. Additionally, test cases generated by MS-ALS also exhibit higher quality, improving AFL's path discovery in fuzz testing when used as initial seeds.