Efficient Hybrid Fuzzing for Detecting Vulnerabilities and Achieving High Coverage in Software

  • Kaled Alshmrany

Student thesis: PhD

Abstract

Developing secure and bug-free software is an extraordinarily challenging task, not least because of the devastating effects vulnerabilities may have on finances, security, or an individual's well-being. Detecting such issues is difficult because (i) many bugs manifest themselves only after a lengthy operation, and (ii) the search space to be explored becomes complex and extremely extensive. In this thesis, we describe and evaluate approaches for detecting vulnerabilities and achieving high coverage in C software using the combination of bounded model checking (BMC) and fuzzing. We present three significant novel contributions. First, we develop a method that generates initial inputs (seeds) that bypass sophisticated guards, pushing the fuzzer's exploration deeper into the target program. Furthermore, this method reduces the burden on the fuzzer's mutation process through static analysis. As part of this contribution, we propose and design a tracer subsystem, which coordinates and analyses the processes and the connection between the employed techniques. Second, we present our new fuzzer, which has the benefit of performing a lightweight static program analysis to identify input verification and to ensure that only seeds satisfying the conditions are chosen. This procedure reduces our method's dependence on a computationally expensive bounded model checker to discover high-quality seeds. Also, the improved fuzzer analyses the target program and identifies potential infinite loops using heuristics. The loops are then constrained to speed up the fuzzing process, depending on an approximate estimate of the number of program paths. In addition, we describe our new approach: a selective fuzzer that learns from test cases produced by BMC and a modified fuzzer to generate new test cases that successfully detect software vulnerabilities.
Finally, we develop and evaluate FuSeBMC, an automated testing tool that exploits the combination of BMC and fuzzing to test software and increase code coverage. FuSeBMC has demonstrated advantages in resource management and consequently reduces CPU and memory consumption by exchanging essential information between engines in a manner that maximises the benefit of their cooperation. Additionally, it reduces the effort spent generating execution paths that BMC may fail to reach or that cause path-explosion problems. As a result, FuSeBMC can mitigate the negative impact, generate effective seeds, and avoid the path explosion issue. FuSeBMC has been evaluated exhaustively and competitively by participating in the most prominent and competitive international software testing competition for two years, 2021 and 2022, winning six international prizes. FuSeBMC is currently the leading state-of-the-art software testing tool for C programs. We further hypothesise that FuSeBMC is currently the most robust automated testing tool in the literature.
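As an added illustration of the first two contributions (constructed for this page; not FuSeBMC's code), the toy model below pairs a target whose multi-byte guards give a mutation fuzzer no per-byte feedback with the guard constraints a lightweight static analysis or BMC run would extract: a seed filter keeps only constraint-satisfying seeds, and a small deterministic byte-walk fuzzer shows the branch coverage reached from plain seeds versus guided seeds. The target program, the guard values, the seed bytes and all function names are assumptions made for this example.

```python
"""Constructed toy model (not FuSeBMC code): seeds that satisfy the target's
input-verification guards let a fuzzer reach branches it otherwise never sees."""

MAGIC, TAG, INPUT_LEN = b"FuSe", b"v1", 8
# Guard constraints as a lightweight static analysis would report them:
# (offset, required bytes). Assumed values for this example.
GUARDS = [(0, MAGIC), (4, TAG)]

def target(data: bytes) -> set:
    """Program under test; returns the ids of the branches it executed."""
    covered = {"entry"}
    if len(data) < INPUT_LEN:
        return covered | {"short"}
    if data[:4] != MAGIC:             # 4 bytes compared at once: no gradient
        return covered | {"bad_magic"}
    covered.add("magic_ok")
    if data[4:6] != TAG:              # second atomic guard
        return covered | {"bad_tag"}
    covered.add("tag_ok")
    covered.add("bug" if data[6] > data[7] else "safe")  # the deep defect
    return covered

def satisfies_guards(seed: bytes) -> bool:
    """Seed filter: keep only seeds that meet every extracted constraint."""
    return len(seed) >= INPUT_LEN and all(
        seed[off:off + len(want)] == want for off, want in GUARDS)

def solve_seed(base: bytes) -> bytes:
    """Stand-in for BMC-generated seeds: patch the required bytes into base."""
    buf = bytearray(base)
    for off, want in GUARDS:
        buf[off:off + len(want)] = want
    return bytes(buf)

def fuzz(seeds) -> set:
    """One deterministic byte-walk stage per seed (every value at every
    offset, like a fuzzer's deterministic phase); returns total coverage."""
    total = set()
    for parent in seeds:
        total |= target(parent)
        for off in range(len(parent)):
            for val in range(256):
                total |= target(parent[:off] + bytes([val]) + parent[off + 1:])
    return total

def compare() -> tuple:
    """Branch coverage from plain seeds vs. guard-satisfying seeds."""
    plain = [bytes(INPUT_LEN), b"A" * INPUT_LEN, bytes(range(INPUT_LEN))]
    guided = [s for s in map(solve_seed, plain) if satisfies_guards(s)]
    return fuzz(plain), fuzz(guided)
```

With the plain seeds the walk never leaves the first guard, while the guided seeds cover both guards' accept and reject branches and reach the deep "bug" branch within the same execution budget.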
Date of Award: 23 Jan 2023
Original language: English
Awarding Institution:
  • The University of Manchester
Supervisors: Lucas Cordeiro (Supervisor) & Ning Zhang (Supervisor)

Keywords

  • Code Coverage - Coverage Branches - Automated Test Generation - Bounded Model Checking - Fuzzing - Security - Seeds - Cyber Security - vulnerabilities
