
Student: 譚力 (Ikhwan Mohammad Iqbal)
Thesis title: Enhancing Greybox Fuzzing with Concolic Test Case Generator
Advisors: 陳伯奇 (Po-ki Chen), 呂政修 (Jenq-Shiou Leu)
Committee members: 卓傳育 (Ares Cho), 鄭欣明 (Shin-Ming Cheng)
Degree: Master (碩士)
Department: Department of Electronic and Computer Engineering, College of Electrical Engineering and Computer Science (電資學院 - 電子工程系)
Year of publication: 2018
Academic year of graduation: 107
Language: English
Pages: 53
Keywords: Concolic Execution, Fuzzing, Test Case Prioritization, Test Case Generator
Statistics: 223 views, 1 download
Abstract: Many researchers have put considerable work into finding better ways to discover software vulnerabilities and exploits. Most of this research focuses on improving code coverage and the speed at which crashing inputs are found. Popular vulnerability discovery techniques include symbolic execution and fuzzing; however, each has weaknesses that need to be addressed. In this research, we combine both techniques to leverage the benefits of each. We propose confuzz, a tool that uses a high-coverage test case generator to produce initial inputs for fuzzing, together with a test case prioritization scheme that exercises only the useful test cases. We tested confuzz on jpeg v.9a and compared it with previous research. The results confirm that our approach improves path execution coverage by up to 20% over AFLFast. In addition, we found two vulnerabilities, disclosed as CVE-2018-11213 and CVE-2018-11212.



Table of contents:
ABSTRACT (i)
ACKNOWLEDGEMENTS (ii)
CONTENTS (iii)
LIST OF FIGURES (vi)
LIST OF TABLES (vii)
LIST OF ALGORITHMS (viii)
I. INTRODUCTION (1)
  1.1 Research Background (1)
  1.2 Objective (3)
  1.3 Research Scope and Constraints (3)
  1.4 Outline and Report (4)
II. LITERATURE REVIEW (6)
  2.1 Symbolic Execution (6)
    2.1.1 Static Symbolic Execution (SSE) (6)
    2.1.2 Dynamic Symbolic Execution (DSE) (8)
  2.2 Fuzzing Technique (12)
    2.2.1 Whitebox Fuzzing (12)
    2.2.2 Greybox Fuzzing (14)
    2.2.3 Augmenting Fuzzing through Symbolic Execution (14)
III. METHODOLOGY (20)
  3.1 Preliminary Study (21)
    3.1.1 Execution Time based on Program Complexity (21)
    3.1.2 Coverage Area based on the Initial Seed Input (22)
  3.2 Fuzzing Structure Analysis (23)
  3.3 Proposed Scheme (26)
    3.3.1 Pre-Process (26)
    3.3.2 Test Case Generator (TCG) (28)
    3.3.3 Test Case Prioritization (TCP) (33)
    3.3.4 Crash and Coverage Analysis (36)
IV. RESULT AND DISCUSSION (38)
  4.1 Preliminary Study (38)
  4.2 Performance Test on Ground Truth Program (40)
  4.3 Performance Test on Real-World Programs (44)
V. CONCLUSION AND FUTURE WORKS (47)
  5.1 Conclusion (47)
  5.2 Future Works (48)
    5.2.1 Concolic Execution Configuration (48)
    5.2.2 Dynamic Taint Analysis (49)
REFERENCES (50)

