CRAXfuzz: Target-Aware Symbolic Fuzz Testing

Abstract

Vulnerabilities are caused by implementation bugs, such as buffer overflow, integer overflow, uncontrolled format strings, and command injection flaws. They are often exploited to intrude software systems. In order to reduce software bugs, testing techniques are proposed. The recent technique to discover security-related bugs is fuzz testing. However, traditional fuzzers can only find bugs when program exceptions, especially crashes, raised. Some security threats may pass these tests due to insufficient code coverage. In this paper, we introduce a software testing framework based on symbolic execution using (SE)-E-2, a whole system symbolic execution engine. When a program executes our pre-defined security sensitive functions, such as malloc, strcpy or printf, our framework will initiate a triage process. The process will determine whether any related security vulnerabilities would possibly occur in these functions automatically. We successfully and efficiently reproduce 12 previously known vulnerabilities from normal input data within 100 seconds for large applications such as Tiff, VIM, and MPlayer. Our tool can help developers locate bugs faster, and improve the efficiency of software quality maintenance.