Abstract: According to an aspect of an embodiment, a method may include obtaining a computer-readable program and analyzing the computer-readable program to identify a constant in code of the computer-readable program. The method may also include obtaining context data associated with the constant from a portion of the code that includes an occurrence of the constant. The method may also include determining a location in the computer-readable program of the occurrence of the constant and analyzing the context data to identify a property of potential inputs to the computer-readable program at the location. The method may also include generating an input for the computer-readable program based on the constant and the identified property and providing the generated input to the computer-readable program during execution of the computer-readable program when execution of the computer-readable program reaches the location.

Abstract: According to an aspect of an embodiment, a method may include obtaining a computer-readable program and analyzing the computer-readable program to identify a constant in code of the computer-readable program. The method may also include obtaining context data associated with the constant from a portion of the code that includes an occurrence of the constant. The method may also include determining a location in the computer-readable program of the occurrence of the constant and analyzing the context data to identify a property of potential inputs to the computer-readable program at the location. The method may also include generating an input for the computer-readable program based on the constant and the identified property and providing the generated input to the computer-readable program during execution of the computer-readable program when execution of the computer-readable program reaches the location.

Abstract: According to some examples, computer-implemented methods for branch coverage guided symbolic execution for hybrid fuzzing are described. An example computer-implemented method may include receiving a seed input of a binary program under analysis (BPUA) that is discovered during testing by a greybox fuzzer. The method may also include concretely executing the seed input in the BPUA, and collecting a trace resulting from the concrete execution of the seed input. The method may further include determining whether the concrete execution of the seed input discovers a new branch. The method may include, responsive to a determination that the concrete execution of the seed input discovers a new branch, updating a bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer to maintain a record of discovered branches in BPUA, and providing the seed input to the greybox fuzzer.

Abstract: A method of detecting concurrency vulnerabilities is provided. A method may include instrumenting read and write access for a program to a shared memory. The method may also include identifying, via a greybox fuzzer, a test case for the program. Further, the method may include analyzing, via the greybox fuzzer and based on the test case, two or more branches of the program that include sets of racing pairs to determine if the test case is a priority test case. In response to the test case being a priority test case, the method may include providing the test case from the greybox fuzzer to a concurrency verification module. The method may also include testing, via the concurrency verification module, the test case with one or more scheduling policies to identify one or more concurrency vulnerabilities.

Abstract: According to some examples, computer-implemented methods for branch coverage guided symbolic execution for hybrid fuzzing are described. An example computer-implemented method may include receiving a seed input of a binary program under analysis (BPUA) that is discovered during testing by a greybox fuzzer. The method may also include concretely executing the seed input in the BPUA, and collecting a trace resulting from the concrete execution of the seed input. The method may further include determining whether the concrete execution of the seed input discovers a new branch. The method may include, responsive to a determination that the concrete execution of the seed input discovers a new branch, updating a bitmap to indicate that the new branch is discovered, wherein the bitmap is utilized by the greybox fuzzer to maintain a record of discovered branches in BPUA, and providing the seed input to the greybox fuzzer.

Abstract: A method of detecting concurrency vulnerabilities is provided. A method may include instrumenting read and write access for a program to a shared memory. The method may also include identifying, via a greybox fuzzer, a test case for the program. Further, the method may include analyzing, via the greybox fuzzer and based on the test case, two or more branches of the program that include sets of racing pairs to determine if the test case is a priority test case. In response to the test case being a priority test case, the method may include providing the test case from the greybox fuzzer to a concurrency verification module. The method may also include testing, via the concurrency verification module, the test case with one or more scheduling policies to identify one or more concurrency vulnerabilities.

Abstract: A method of branch exploration in fuzz testing of software binaries includes receiving a set of inputs of a binary program under analysis (BPUA) discovered during testing by a grey box fuzzer. The method includes re-executing the set of inputs. The method includes re-executing a concrete execution of the set of inputs in the BPUA and formation of a constraints tree in which path constraints along paths of the BPUA and conditions at branch points are recorded and marked as explored or unexplored. The method includes selecting a particular number of the unexplored branches of the BPUA. The method includes solving the particular number of unexplored branches with a constraint solver to generate a new set of the particular number of inputs. The method includes communicating the new set of the particular number of inputs to the grey box fuzzer for exploration of different branches of the BPUA.

Abstract: A method of branch exploration in fuzz testing of software binaries includes receiving a set of inputs of a binary program under analysis (BPUA) discovered during testing by a grey box fuzzer. The method includes re-executing the set of inputs. The method includes re-executing a concrete execution of the set of inputs in the BPUA and formation of a constraints tree in which path constraints along paths of the BPUA and conditions at branch points are recorded and marked as explored or unexplored. The method includes selecting a particular number of the unexplored branches of the BPUA. The method includes solving the particular number of unexplored branches with a constraint solver to generate a new set of the particular number of inputs. The method includes communicating the new set of the particular number of inputs to the grey box fuzzer for exploration of different branches of the BPUA.