Probabilistic Path Prioritization for Hybrid Fuzzing

Abstract

Hybrid fuzzing that combines fuzzing and concolic execution has become an advanced technique for software vulnerability detection. Based on the observation that fuzzing and concolic execution are complementary in nature, state-of-the-art hybrid fuzzing systems deploy “optimal concolic testing” and “demand launch” strategies. Although these ideas sound intriguing, we point out several fundamental limitations in them, due to unrealistic or oversimplified assumptions. Further, we propose a novel “discriminative dispatch” strategy and design a probabilistic hybrid fuzzing system to better utilize the capability of concolic execution. Specifically, we design a Monte Carlo-based probabilistic path prioritization model to quantify each path’s difficulty, and then prioritize them for concolic execution. Our model assigns the most difficult paths to concolic execution. We implement a prototype named <inline-formula><tex-math notation="LaTeX">${\sf DigFuzz}$</tex-math></inline-formula> and evaluate our system with two representative datasets and real-world programs. Results show that the concolic execution in <inline-formula><tex-math notation="LaTeX">${\sf DigFuzz}$</tex-math></inline-formula> outperforms than those in state-of-the-art hybrid fuzzing systems in every major aspect. In particular, the concolic execution in <inline-formula><tex-math notation="LaTeX">${\sf DigFuzz}$</tex-math></inline-formula> contributes to discovering more vulnerabilities (12 versus 5) and producing more code coverage (18.9 versus 3.8 percent) on the CQE dataset than the concolic execution in Driller.