QSYM - A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

USENIX via YouTube

Overview

The course teaches learners about hybrid fuzzing, a method that combines fuzzing and concolic execution to find security bugs in software. The course aims to help students understand the limitations of traditional fuzzing and concolic execution and how hybrid fuzzing can address these challenges. Students will learn about the QSYM concolic execution engine, which integrates symbolic emulation with native execution to improve performance. The course covers topics such as intermediate representations, state forking, constraint solving, and system call modeling. The teaching method includes theoretical explanations, case studies, and performance evaluations. This course is intended for cybersecurity professionals, software developers, and researchers interested in improving bug-finding techniques in real-world software applications.

Syllabus

Intro
Two popular ways to find security bugs: Fuzzing & Concolic execution
Fuzzing and Concolic execution have their own pros and cons
Hybrid fuzzing can address their problems
Hybrid fuzzing has achieved great success in small-scale studies
However, current hybrid fuzzing suffers from problems scaling to real-world applications
Our system, QSYM, addresses these issues by introducing several key ideas
Overview: Hybrid fuzzing in general
Intermediate representations (IR) make implementations easier
Execute instructions directly without using an intermediate layer
QSYM reduces the number of instructions to execute symbolically
State forking can reduce re-execution overhead for constraint generation
Re-execute to use concrete environment instead of kernel state forking
Models minimal system calls and uses concrete values
Incomplete constraints
Solve constraints optimistically
Our decision: Solve only the last constraint in the path
In hybrid fuzzing, generating incorrect inputs is fine because the fuzzer filters them
Evaluation questions
QSYM scales to real-world software
QSYM can generate test cases that are hard for fuzzing to find
Compare QSYM with Driller, a state-of-the-art hybrid fuzzer
QSYM achieved more code coverage due to its better performance
Driller achieved more code coverage if nested branches exist

Taught by

USENIX
