Badger: Complexity Analysis with Fuzzing and Symbolic Execution
Yannic Noller, Rody Kersten, Corina S. Păsăreanu

TL;DR
Badger is a hybrid testing approach combining fuzzing and symbolic execution to efficiently identify worst-case complexity vulnerabilities in software applications, especially Java programs.
Contribution
Introduces Badger, a novel hybrid method that leverages fuzzing and symbolic execution for effective complexity analysis and vulnerability detection.
Findings
Faster generation of worst-case executions compared to individual methods.
Effective in discovering complexity-related vulnerabilities in Java applications.
Combines strengths of fuzzing and symbolic execution to overcome their limitations.
Abstract
Hybrid testing approaches that involve fuzz testing and symbolic execution have shown promising results in achieving high code coverage, uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger - a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities which occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse set of inputs that aim to increase not only coverage but also a resource-related cost associated with each path. Since fuzzing may fail to execute deep program paths due to its limited knowledge about the conditions that influence these paths, we complement the analysis with a symbolic execution, which is also customized to search for paths that increase the resource-related…
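As an added illustration of the cost-guided fuzzing half of the approach described in the abstract (this is a Python sketch written for this page, not Badger's own code, which targets Java programs), the loop below treats an instrumented insertion sort as the program under test, uses its comparison count as the resource-related cost and a coarse per-path signature as coverage, and keeps a mutated input only when it reaches a new path or raises the best cost seen on that path. The target program, the mutation operators and the bound function are all constructed for this example.

```python
import random

def insertion_sort_cost(xs):
    """Constructed target: insertion sort instrumented with a resource cost (number of
    comparisons) and a coarse path signature (did the inner loop stop early at each i)."""
    a = list(xs)
    comparisons, path = 0, []
    for i in range(1, len(a)):
        key, j, early_stop = a[i], i - 1, False
        while j >= 0:
            comparisons += 1
            if a[j] > key:
                a[j + 1] = a[j]
                j -= 1
            else:
                early_stop = True
                break
        a[j + 1] = key
        path.append(early_stop)
    return a, comparisons, tuple(path)

def worst_case_comparisons(n):
    """Analytic bound for this target: a strictly decreasing input costs n(n-1)/2 comparisons."""
    return n * (n - 1) // 2

def mutate(xs, rng, max_value=15):
    """Two cheap mutation operators: swap two positions or overwrite one element."""
    ys = list(xs)
    i, j = rng.randrange(len(ys)), rng.randrange(len(ys))
    if rng.random() < 0.5:
        ys[i], ys[j] = ys[j], ys[i]
    else:
        ys[i] = rng.randrange(max_value + 1)
    return ys

def cost_guided_fuzz(seed_input, iterations=4000, rng_seed=1):
    """Simplified cost-guided fuzzing loop: an input is kept if it reaches a new path
    signature (coverage feedback) or raises the best cost seen on its signature."""
    rng = random.Random(rng_seed)
    _, cost, path = insertion_sort_cost(seed_input)
    corpus = {path: (cost, list(seed_input))}  # path signature -> (best cost, input)
    for _ in range(iterations):
        parent = rng.choice(list(corpus.values()))[1]
        child = mutate(parent, rng)
        _, cost, path = insertion_sort_cost(child)
        if path not in corpus or cost > corpus[path][0]:
            corpus[path] = (cost, child)
    best_cost, best_input = max(corpus.values())
    return best_input, best_cost
```

On this target the worst case is a strictly decreasing array, so the fuzzer's best cost can be compared against the analytic bound n(n-1)/2 to see how close pure mutation gets; the symbolic-execution half of Badger, which would be used to push past paths the fuzzer cannot reach, is not modelled here.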
