Nanjing University, Department of Computer Science and Technology, Collaborative Innovation Center of Novel Software Technology and Industrialization
Abstract:
Hybrid testing combines fuzz testing and concolic execution. It
leverages fuzz testing to test easy-to-reach code regions and uses concolic
execution to explore code blocks guarded by complex branch conditions. As a
result, hybrid testing is able to reach deeper into the program state space than
fuzz testing or concolic execution alone. Recently, hybrid testing has seen
significant advancement. However, its code-coverage-centric design is
inefficient for vulnerability detection. We propose SAVIOR, a new hybrid testing
framework pioneering a bug-driven principle. Unlike existing hybrid testing
tools, SAVIOR prioritizes the concolic execution of the seeds that are likely
to uncover more vulnerabilities. Moreover, SAVIOR verifies all potentially vulnerable
program locations along the executed program path. By modeling faulty
situations as SMT constraints, SAVIOR reasons about the feasibility of
vulnerabilities and generates concrete test cases as proofs. Our evaluation
shows that the bug-driven approach outperforms mainstream automated testing
techniques, including state-of-the-art hybrid testing systems driven by code
coverage. On average, SAVIOR detects vulnerabilities 43.4% faster than DRILLER
and 44.3% faster than QSYM, leading to the discovery of 88 and 76 more unique
bugs, respectively. According to the evaluation on 11 well-fuzzed benchmark
programs, within the first 24 hours, SAVIOR triggers 481 UBSAN violations,
among which 243 are real bugs.
Speaker biography:
Shengjian Guo is a Security Scientist at the Baidu Research
Institute, Silicon Valley. His research focuses on automated software
vulnerability detection and mitigation with program analysis techniques,
including symbolic/concolic execution, fuzz testing, formal verification, and
constraint-solving-based modeling and analysis. He earned a Ph.D. degree from
the ECE Department of Virginia Tech, co-advised by Prof. Chao Wang and Prof.
Michael Hsiao.
Time: November 2 (Saturday), 11:00
Venue: Room 230, Computer Science and Technology Building