Research on Fuzz Testing and Symbolic Execution at NUS
Software almost always has vulnerabilities. Many of these cause serious
problems such as software crashes and leaks of sensitive user
information. Software engineers have been fighting an endless battle
with these bugs. The cost of this battle is
enormous—$312 billion per year globally as of 2012 according to Cambridge
University research (in comparison, the GDP of Singapore is $308 billion
as of 2014). This high cost arises because software developers spend about 50%
of their time debugging. We are conducting research on automatically finding
vulnerabilities in program binaries by combining black-box or grey-box fuzzing
with symbolic execution approaches. In black-box or grey-box fuzzing, the logic
of the program is not analyzed, whereas symbolic execution approaches proceed by
a semantic analysis of the program's behavior. A lot of our research can be seen
a semantic analysis of the program behavior. A lot of our research can be seen
as a targeted search where we are trying to reach target locations, either to
reproduce a crash or to uncover more behavior so that vulnerabilities can be
One of the key innovations in our approach is that the analysis for finding vulnerabilities works directly on the program binaries - no source code is needed. Another key innovation is the development of scalable search strategies to guide the symbolic analysis for common file-format processing programs such as PDF, PNG and WAV readers. We are also working on improving grey-box fuzzing technology at its weak point, namely behavioral coverage. Grey-box fuzzing generates many inputs with the goal of crashing the program, but may end up covering few paths in the program since no semantic analysis is involved. In our latest work, we have improved the search heuristics inside fuzzers to drastically improve the coverage without resorting to costly symbolic analysis. Thus, our approach for finding vulnerabilities is two-pronged - improve the scalability of the symbolic execution or semantic approaches, and improve the behavioral coverage of fuzzing or syntactic approaches.
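The contrast drawn above between black-box fuzzing (inputs mutated without any feedback from the program) and grey-box fuzzing (inputs mutated with cheap coverage feedback and a search heuristic deciding which inputs to mutate next) can be seen on a toy program. The following is an added illustration written for this page; it is not code from the NUS group or from any of its tools. The parser, its constructed input format, the branch names, the starting seed and the "rarest branch" power schedule are all assumptions made here, and the coverage probe stands in for the compile-time instrumentation a real grey-box fuzzer inserts into the binary.

```python
"""Toy grey-box (coverage-guided) fuzzer versus black-box fuzzing on a small
hand-written parser. Added illustration; the format and parser are constructed."""
import random
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed record layout: [0] magic byte 0x46 ('F'); [1] version (1 or 2);
# [2..] payload bytes terminated by 0xFF; one checksum byte (XOR of payload).
MAGIC = 0x46
TERMINATOR = 0xFF

_hits: Set[str] = set()  # branches reached by the current execution


def _hit(branch: str) -> None:
    """Stand-in for branch instrumentation (what AFL-style fuzzers compile in)."""
    _hits.add(branch)


def parse_record(data: bytes) -> Optional[bytes]:
    """Return the payload on success, None on a rejected input.
    The version-2 path contains a deliberate missing bounds check."""
    if len(data) < 2:
        _hit("too_short")
        return None
    if data[0] != MAGIC:
        _hit("magic_bad")
        return None
    _hit("magic_ok")
    if data[1] not in (1, 2):
        _hit("version_bad")
        return None
    _hit("version_%d" % data[1])
    try:
        end = data.index(TERMINATOR, 2)
    except ValueError:
        _hit("no_terminator")
        return None
    _hit("terminator_found")
    payload = data[2:end]
    if end + 1 >= len(data):
        _hit("checksum_missing")
        return None
    xor = 0
    for b in payload:
        xor ^= b
    if xor != data[end + 1]:
        _hit("checksum_bad")
        return None
    _hit("checksum_ok")
    if data[1] == 2:
        flag = payload[0]  # BUG: an empty payload is never checked -> IndexError
        _hit("flag_%d" % (flag & 1))
    return payload


def run_with_coverage(data: bytes) -> Tuple[FrozenSet[str], bool]:
    """Execute the parser once; return (branches hit, crashed?)."""
    _hits.clear()
    crashed = False
    try:
        parse_record(data)
    except IndexError:  # an uncaught exception is what the fuzzer calls a crash
        crashed = True
    return frozenset(_hits), crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply exactly one random mutation: bit flip, byte overwrite, insert, delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(iterations: int, feedback: bool, seed: int = 1) -> Tuple[Set[str], List[bytes], List[bytes]]:
    """feedback=False: every input is a mutant of the initial seed (black-box).
    feedback=True: inputs reaching a new branch join the corpus, and a seed is
    picked with probability inversely proportional to how often its rarest
    branch has been exercised, so mutation effort stays on the frontier."""
    rng = random.Random(seed)
    initial = b"\x00\x00\x00\x00"  # constructed starting input, rejected by the parser
    corpus: List[bytes] = [initial]
    paths: List[FrozenSet[str]] = []
    counts: dict = {}  # branch -> number of executions that reached it
    covered: Set[str] = set()
    crashes: List[bytes] = []

    def record(path: FrozenSet[str]) -> None:
        for b in path:
            counts[b] = counts.get(b, 0) + 1
        covered.update(path)

    first, _ = run_with_coverage(initial)
    paths.append(first)
    record(first)
    for _ in range(iterations):
        if feedback:
            weights = [1.0 / min(counts[b] for b in p) for p in paths]
            parent = rng.choices(corpus, weights=weights)[0]
        else:
            parent = initial
        child = mutate(parent, rng)
        path, crashed = run_with_coverage(child)
        if crashed and child not in crashes:
            crashes.append(child)
        new_branches = path - covered
        record(path)
        if feedback and new_branches:  # keep only inputs that add coverage
            corpus.append(child)
            paths.append(path)
    return covered, corpus, crashes


if __name__ == "__main__":
    for mode in (False, True):
        cov, corpus, crashes = fuzz(50000, feedback=mode)
        print("greybox" if mode else "blackbox", len(corpus), "seeds,",
              len(crashes), "crashing inputs, branches:", sorted(cov))
```

Run from a fixed starting input that the parser rejects, the black-box loop keeps producing near-identical rejected mutants, because a single mutation can fix at most one field and nothing it learns is kept. The coverage-guided loop keeps any mutant that reaches a branch nobody has seen and concentrates further mutation on it, so it climbs the magic, version, terminator and checksum checks one field at a time; the same climb is what makes the "more behavioral coverage without symbolic analysis" point above concrete. Whether the version-2 crash is found in a given run depends on the random seed and the iteration budget.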
Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Razvan Caciulescu, Abhik Roychoudhury. IEEE Transactions on Software Engineering, to appear.
Partition-based Regression Verification. ACM/IEEE International Conference on Software Engineering (ICSE) 2013.
Path Exploration based on Symbolic Output.
The later parts of the research are integrated as part of an umbrella project, TSUNAMi, funded by a substantial research grant from NRF (National Research Foundation, Singapore). This support is gratefully acknowledged.