Kaled Alshmrany, Mohannad Aldughaim, Ahmed Bhayat, Lucas Cordeiro
{"title":"FuSeBMC v4:通过 BMC、模糊处理和静态分析利用智能种子提高代码覆盖率","authors":"Kaled Alshmrany, Mohannad Aldughaim, Ahmed Bhayat, Lucas Cordeiro","doi":"10.1145/3665337","DOIUrl":null,"url":null,"abstract":"<p>Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors due to the inability of existent methods to cover large areas in target code. We propose <i>FuSeBMC</i> v4, a test generator that synthesizes seeds with useful properties, that we refer to as <i>smart seeds</i>, to improve the performance of its hybrid fuzzer thereby achieving high C program coverage. <i>FuSeBMC</i> works by first analyzing and incrementally injecting goal labels into the given C program to guide BMC and Evolutionary Fuzzing engines. After that, the engines are employed for an initial period to produce the so–called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage / find bugs. During seed generation and normal running, the <i>Tracer</i> subsystem aids coordination between the engines. This subsystem conducts additional coverage analysis and updates a shared memory with information on goals covered so far. Furthermore, the <i>Tracer</i> evaluates test-cases dynamically to convert cases into seeds for subsequent test fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition in software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.</p>","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":"40 1","pages":""},"PeriodicalIF":1.4000,"publicationDate":"2024-05-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"FuSeBMC v4: Improving code coverage with smart seeds via BMC, fuzzing and static analysis\",\"authors\":\"Kaled Alshmrany, Mohannad Aldughaim, Ahmed Bhayat, Lucas Cordeiro\",\"doi\":\"10.1145/3665337\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors due to the inability of existent methods to cover large areas in target code. We propose <i>FuSeBMC</i> v4, a test generator that synthesizes seeds with useful properties, that we refer to as <i>smart seeds</i>, to improve the performance of its hybrid fuzzer thereby achieving high C program coverage. <i>FuSeBMC</i> works by first analyzing and incrementally injecting goal labels into the given C program to guide BMC and Evolutionary Fuzzing engines. After that, the engines are employed for an initial period to produce the so–called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage / find bugs. During seed generation and normal running, the <i>Tracer</i> subsystem aids coordination between the engines. This subsystem conducts additional coverage analysis and updates a shared memory with information on goals covered so far. Furthermore, the <i>Tracer</i> evaluates test-cases dynamically to convert cases into seeds for subsequent test fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition in software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.</p>\",\"PeriodicalId\":50432,\"journal\":{\"name\":\"Formal Aspects of Computing\",\"volume\":\"40 1\",\"pages\":\"\"},\"PeriodicalIF\":1.4000,\"publicationDate\":\"2024-05-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Formal Aspects of Computing\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1145/3665337\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Formal Aspects of Computing","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3665337","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
引用次数: 0
摘要
有界模型检查(BMC)和模糊技术是检测软件错误和安全漏洞的最有效方法之一。然而,由于现有方法无法覆盖目标代码中的大面积区域,因此在检测这些错误方面仍存在不足。我们提出的 FuSeBMC v4 是一种测试生成器,它能合成具有有用特性的种子(我们称之为智能种子),以提高混合模糊器的性能,从而实现 C 程序的高覆盖率。FuSeBMC 的工作原理是,首先分析并逐步向给定的 C 程序中注入目标标签,以指导 BMC 和进化模糊引擎。然后,在初始阶段使用引擎生成所谓的智能种子。最后,以这些智能种子作为起始种子,再次运行引擎,试图实现最大的代码覆盖率/发现错误。在种子生成和正常运行期间,跟踪子系统会帮助引擎之间进行协调。该子系统会进行额外的覆盖率分析,并更新共享内存中有关迄今为止所覆盖目标的信息。此外,跟踪器还动态评估测试用例,将案例转化为种子,供后续测试模糊处理使用。因此,BMC 引擎可以提供种子,让模糊引擎绕过复杂的数学防护(如输入验证)。因此,在第四届国际软件测试竞赛(Test-Comp 2022)中,我们获得了三个奖项,在包括覆盖率在内的每个类别中都超越了所有最先进的工具。
FuSeBMC v4: Improving code coverage with smart seeds via BMC, fuzzing and static analysis
Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors due to the inability of existent methods to cover large areas in target code. We propose FuSeBMC v4, a test generator that synthesizes seeds with useful properties, that we refer to as smart seeds, to improve the performance of its hybrid fuzzer thereby achieving high C program coverage. FuSeBMC works by first analyzing and incrementally injecting goal labels into the given C program to guide BMC and Evolutionary Fuzzing engines. After that, the engines are employed for an initial period to produce the so–called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage / find bugs. During seed generation and normal running, the Tracer subsystem aids coordination between the engines. This subsystem conducts additional coverage analysis and updates a shared memory with information on goals covered so far. Furthermore, the Tracer evaluates test-cases dynamically to convert cases into seeds for subsequent test fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition in software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.
期刊介绍:
This journal aims to publish contributions at the junction of theory and practice. The objective is to disseminate applicable research. Thus new theoretical contributions are welcome where they are motivated by potential application; applications of existing formalisms are of interest if they show something novel about the approach or application.
In particular, the scope of Formal Aspects of Computing includes:
well-founded notations for the description of systems;
verifiable design methods;
elucidation of fundamental computational concepts;
approaches to fault-tolerant design;
theorem-proving support;
state-exploration tools;
formal underpinning of widely used notations and methods;
formal approaches to requirements analysis.