SILK: Constraint-guided Hybrid Fuzzing
Authors: Junhao Li, Yujian Zhang
DOI: 10.1109/COMPSAC57700.2023.00086 (https://doi.org/10.1109/COMPSAC57700.2023.00086)
Published in: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), June 2023
Record source: Semantic Scholar

Abstract
Hybrid fuzzing combines fuzzing and concolic execution: it leverages the high throughput of fuzzing to explore easy-to-reach code, and the constraint-solving capability of concolic execution to explore code guarded by complex constraints. Based on our observations, existing hybrid fuzzers are still not efficient for two reasons. First, fuzzing often gets stuck in deep paths, delaying the discovery of vulnerabilities. Second, coarse-grained interaction strategies cannot effectively launch concolic execution. To solve these problems, we propose a constraint-guided hybrid fuzzing approach (CGHF) that leverages both static analysis information and dynamic execution information about the constraints. CGHF contains two main techniques: an evolutionary algorithm based on path exploration difficulty, and an interaction strategy guided by the execution state of constraints. Specifically, in the fuzzing phase, we evaluate the path exploration difficulty and guide the fuzzer to explore paths in order of difficulty, from low to high. In addition, we design a coordinator that monitors the constraints' dynamic execution information and selects the constraints that most deserve to be solved by concolic execution. We implement a prototype called SILK and compare its effectiveness on eight open-source programs with other state-of-the-art fuzzers. The results show that SILK improved path coverage by 10%-45% and branch coverage by 5%-10% compared with other fuzzers.