Towards Tightly-coupled Hybrid Fuzzing via Excavating Input Specifications

Yiru Zhao, Long Gao, Qiang Wei, Lei Zhao

IEEE Transactions on Dependable and Secure Computing (2024)

Cited 0 | Views 3
No rating yet
Abstract
Hybrid fuzzing, which combines fuzzing and concolic execution based on the observation that these two techniques are complementary, has recently become a research focus. Several hybrid fuzzing studies have shown that concolic execution can assist fuzzing in exploring deeper program states and discovering more vulnerabilities. Despite these advances, most existing techniques employ a result-oriented scheme in which fuzzing and concolic execution cooperate only by synchronizing generated test cases. Such cooperation underuses the sophisticated program analysis that concolic execution performs. Based on the observation that concolic execution generates abundant program states, which are worth investigating to improve the performance of hybrid fuzzing, we propose a tightly-coupled hybrid fuzzing technique that excavates input specifications from concolic execution. Specifically, we define and excavate three types of input specification: critical region, critical value, and type inference. We further design new fuzzing mutation algorithms that leverage these specifications to guide the exploration of program states. We implement three prototypes, Gear-Driller, Gear-DigFuzz and Gear-QSYM, on top of Driller, DigFuzz and QSYM, respectively. Experimental results show that Gear-Driller, Gear-DigFuzz and Gear-QSYM outperform Driller, DigFuzz and QSYM with larger code coverage, more discovered vulnerabilities, and higher efficiency in finding vulnerabilities.
Keywords
Concolic execution, fuzzing, hybrid fuzzing, software security