Proceedings of the Institute for System Programming of the RAS (Feb 2019)

Combining dynamic symbolic execution, code static analysis and fuzzing

  • A. Yu. Gerasimov,
  • S. S. Sargsyan,
  • S. F. Kurmangaleev,
  • J. A. Hakobyan,
  • S. A. Asryan,
  • M. K. Ermakov

DOI
https://doi.org/10.15514/ISPRAS-2018-30(6)-2
Journal volume & issue
Vol. 30, no. 6
pp. 25 – 38

Abstract

This paper describes a new approach for dynamic code analysis. It combines dynamic symbolic execution and static code analysis with fuzzing to increase the efficiency of each component. During fuzzing we recover indirect function calls and pass that information to the static analysis engine. This improves static path detection in the control flow graph of a program. Detected paths are used in dynamic symbolic execution to construct inputs which will cover new paths during execution. These inputs are used by the fuzzing tool to improve test-case generation and increase code coverage. The proposed approach can be used for classic fuzzing when the main goal is achieving high code coverage. It can also be used for targeted analysis of paths and code fragments in the program. In this case the fuzzing tool accepts a set of program addresses with potential defects and passes them to the static analysis engine. The engine constructs all paths connecting the program entry point to the given addresses. Finally, dynamic symbolic execution is used to construct the set of inputs which will cover these paths. Experimental results have shown that the proposed method can effectively detect different program defects.
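To illustrate the indirect-call recovery step the abstract describes, here is an added example (not code from the paper or its tools) on a constructed control flow graph: static path search cannot pass an indirect call site, but once the fuzzer's observed call targets are added as edges, paths from the entry point to a suspected defect site become visible. The block names, the trace records and the `bug` target are all constructed for the illustration.

```python
"""Constructed illustration of recovering indirect-call edges from fuzzing traces."""

# Constructed CFG: keys are basic-block labels, values are their direct successors.
# 'dispatch' ends in an indirect call (e.g. through a function pointer), so the
# purely static graph has no successor for it.
STATIC_CFG = {
    "entry":     ["parse"],
    "parse":     ["dispatch", "error"],
    "dispatch":  [],                 # indirect call: target unknown statically
    "error":     ["exit"],
    "handler_a": ["exit"],
    "handler_b": ["check"],
    "check":     ["bug", "exit"],
    "bug":       ["exit"],           # suspected defect site (constructed)
    "exit":      [],
}

# Constructed records a fuzzer's instrumentation might emit while executing
# test cases: (call-site block, observed callee block). Duplicates are normal.
OBSERVED_INDIRECT_CALLS = [
    ("dispatch", "handler_a"),
    ("dispatch", "handler_b"),
    ("dispatch", "handler_a"),
]


def add_recovered_edges(cfg, observed):
    """Return a copy of cfg with dynamically observed indirect-call targets added."""
    merged = {node: list(succs) for node, succs in cfg.items()}
    for site, callee in observed:
        merged.setdefault(site, [])
        if callee not in merged[site]:
            merged[site].append(callee)
    return merged


def paths_to_target(cfg, entry, target):
    """Enumerate simple paths from entry to target; these are what DSE would solve for."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for succ in cfg.get(node, []):
            if succ not in path:          # avoid cycles
                walk(succ, path + [succ])

    walk(entry, [entry])
    return found
```

Static analysis alone reports no path to `bug`; after merging the observed edges, the path through `handler_b` is found and can be handed to symbolic execution.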

Keywords