Driller: Augmenting Fuzzing Through Selective Symbolic Execution (presented at NDSS 2016)

by Christopher Kruegel, Giovanni Vigna, Ruoyu Wang, Yan Shoshitaishvili, Jacopo Corbetta, Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher

Summary: Memory corruption vulnerabilities are an ever-present risk in software, which attackers can exploit to obtain private information or monetary gain.
As products with access to sensitive data become more prevalent, the number of potentially exploitable systems also increases, resulting in a greater need for automated software vetting tools. DARPA recently funded a competition, with millions of dollars in prize money, to further research into automated vulnerability finding and patching, showing the importance of research in this area. Current techniques for finding potential bugs include static, dynamic, and concolic analysis systems, each of which has its own advantages and disadvantages. Systems designed to create inputs that trigger vulnerabilities typically find only shallow bugs and struggle to exercise deeper paths in executables.
We present Driller, a hybrid vulnerability excavation tool which leverages fuzzing and selective concolic execution, in a complementary manner, to find deeper bugs.
Inexpensive fuzzing is used to exercise compartments of an application, while concolic execution is used to generate inputs which satisfy the complex checks separating the compartments. By combining the strengths of the two techniques, we mitigate their weaknesses, avoiding the path explosion inherent in concolic analysis and the incompleteness of fuzzing. Driller uses selective concolic execution to explore only the paths deemed interesting by the instrumented fuzzer and to generate inputs for conditions that the fuzzer could not satisfy. We evaluate Driller on 126 applications released in the qualifying event of the DARPA Cyber Grand Challenge and show its efficacy by identifying the same number of vulnerabilities, in the same time, as the top-scoring team of the qualifying event.
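The fuzz-until-stuck, then drill loop described above, as an added worked example that is not Driller's own code (Driller drives AFL and the angr symbolic executor against CGC binaries; none of that is used here). The target is a constructed toy program of three 32-bit magic-value checks gating successive "compartments"; the edge-coverage interpreter, the constraint recorder, the four-byte-word solver and the stall threshold are all assumptions made for illustration. A mutation fuzzer gets no partial credit for a 32-bit compare, so on its own it never passes the first check; the drill step negates exactly the branch the fuzzer is stuck on, keeps the path prefix, and hands the solution back to the fuzz queue.

```python
import random
import struct

# Constructed toy target: three 32-bit magic checks, each gating the next
# compartment. Check k is (input offset, expected value). Passing all three
# models reaching a deep bug. Assumed for illustration; not a CGC binary.
TOY_PROGRAM = [(0, 0x41424344), (4, 0xDEADBEEF), (8, 0x00C0FFEE)]
INPUT_LEN = 12


def u32(data, off):
    return struct.unpack("<I", data[off:off + 4])[0]


def run_concrete(program, data):
    """Concrete run with edge coverage: the set of (check index, taken)
    edges, i.e. the feedback an instrumented fuzzer would report."""
    edges = set()
    for k, (off, magic) in enumerate(program):
        taken = u32(data, off) == magic
        edges.add((k, taken))
        if not taken:
            break
    return edges


def depth(program, data):
    """Number of checks passed: how far into the program the input gets."""
    return sum(1 for _, taken in run_concrete(program, data) if taken)


def path_constraints(program, data):
    """Symbolic run along the path `data` takes: the same interpreter, but
    each branch is recorded as (offset, value, must_equal) on the input
    word instead of merely being followed."""
    cons = []
    for off, magic in program:
        taken = u32(data, off) == magic
        cons.append((off, magic, taken))
        if not taken:
            break
    return cons


def solve(constraints, base):
    """Minimal solver for conjunctions of (in)equalities on 4-byte input
    words. Unconstrained bytes keep their values from `base`, so whatever
    the fuzzer already found elsewhere is preserved. None on conflict."""
    data = bytearray(base)
    forced = {}
    for off, val, eq in constraints:
        if eq:
            if forced.get(off, val) != val:
                return None
            forced[off] = val
            data[off:off + 4] = struct.pack("<I", val)
    for off, val, eq in constraints:
        if not eq and u32(data, off) == val:
            if off in forced:
                return None
            data[off:off + 4] = struct.pack("<I", (val + 1) & 0xFFFFFFFF)
    return bytes(data)


def drill(program, data):
    """Selective concolic step: keep the path prefix the fuzzer reached,
    negate the first branch it could not take, and solve for an input."""
    cons = path_constraints(program, data)
    for i, (off, val, taken) in enumerate(cons):
        if not taken:
            return solve(cons[:i] + [(off, val, True)], data)
    return None  # every branch on this path was already taken


def mutate(rng, data):
    """Dumb byte-replacement mutator, enough to show why fuzzing stalls."""
    data = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        data[rng.randrange(len(data))] = rng.randrange(256)
    return bytes(data)


def hybrid_fuzz(program, seed=0, stall_limit=500, max_iters=20_000, drilling=True):
    """Driller-style loop: cheap fuzzing until coverage stalls for
    `stall_limit` iterations, then drill every queue entry to satisfy the
    check blocking it. Returns (deepest input, drills used, iterations)."""
    rng = random.Random(seed)
    queue = [bytes(INPUT_LEN)]
    seen = run_concrete(program, queue[0])
    stall, drills = 0, 0
    for it in range(1, max_iters + 1):
        cand = mutate(rng, rng.choice(queue))
        if run_concrete(program, cand) - seen:
            seen |= run_concrete(program, cand)
            queue.append(cand)
            stall = 0
        else:
            stall += 1
        if drilling and stall >= stall_limit:
            stall = 0
            for entry in list(queue):  # only inputs that added coverage
                sol = drill(program, entry)
                if sol is not None and run_concrete(program, sol) - seen:
                    seen |= run_concrete(program, sol)
                    queue.append(sol)
                    drills += 1
        best = max(queue, key=lambda d: depth(program, d))
        if depth(program, best) == len(program):
            return best, drills, it
    return max(queue, key=lambda d: depth(program, d)), drills, max_iters
```

Run `hybrid_fuzz(TOY_PROGRAM)` and it reaches the third compartment after exactly three drills, each fired only once the fuzzer has stalled; `hybrid_fuzz(TOY_PROGRAM, drilling=False)` exhausts its budget at depth 0, since a single mutation never lines up all four bytes of a magic word and a partial match yields no new edge to keep. Drilling only queue entries (inputs that added coverage) rather than every input is what keeps the symbolic side from exploding: in the real system the queue is AFL's, and the solver is a full SMT solver rather than this word-equality toy.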