Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach

TL;DR

Munch is a hybrid fuzzing and symbolic execution framework that improves function coverage and efficiency in testing large programs by combining the strengths of both techniques.

Contribution

This paper introduces Munch, a novel hybrid approach that enhances function coverage and efficiency over standalone fuzzing or symbolic execution.

Findings

Munch achieves higher function coverage than individual methods.

Munch is more efficient in terms of analysis time and SMT queries.

Empirical results on nine large programs validate the approach.

Abstract

Fuzzing and symbolic execution are popular techniques for finding vulnerabilities and generating test-cases for programs. Fuzzing, a blackbox method that mutates seed input values, is generally incapable of generating diverse inputs that exercise all paths in the program. Due to the path-explosion problem and dependence on SMT solvers, symbolic execution may also not achieve high path coverage. A hybrid technique involving fuzzing and symbolic execution may achieve better function coverage than fuzzing or symbolic execution alone. In this paper, we present Munch, an open source framework implementing two hybrid techniques based on fuzzing and symbolic execution. We empirically show using nine large open-source programs that overall, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone. Using metrics based on total analyses time and number of queries issued to the SMT solver, we also show that Munch is more efficient at achieving better function coverage.