FuSeBMC v.4: Smart Seed Generation for Hybrid Fuzzing
Kaled M. Alshmrany, Mohannad Aldughaim, Ahmed Bhayat, and Lucas C. Cordeiro

TL;DR
FuSeBMC v.4 enhances hybrid fuzzing by generating smart seeds through combined Bounded Model Checking and Evolutionary Fuzzing, significantly improving code coverage and vulnerability detection in C programs.
Contribution
Introduces a new FuSeBMC version that uses both engines with smart seed generation and a novel tracing subsystem to improve fuzzing effectiveness.
Findings
Achieved higher code coverage than previous versions.
Outperformed all competing tools in a recent competition.
Effectively guided fuzzing with smart seed strategies.
Abstract
FuSeBMC is a test generator for finding security vulnerabilities in C programs. In earlier work [4], we described a previous version that incrementally injected labels to guide Bounded Model Checking (BMC) and Evolutionary Fuzzing engines to produce test cases for code coverage and bug finding. This paper introduces a new version of FuSeBMC that uses both engines to produce smart seeds. First, the engines are run with a short time limit on a lightly instrumented version of the program to produce the seeds. The BMC engine is particularly useful in producing seeds that can pass through complex mathematical guards. Then, FuSeBMC runs its engines with longer time limits using the smart seeds created in the previous round. FuSeBMC manages this process in two main ways using its Tracer subsystem. Firstly, it uses shared memory to record the labels covered by each test case.…
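The two ideas the abstract describes, a coverage tracer that records reached labels in shared memory and a seed round in which a solver-backed engine produces inputs that pass a guard random fuzzing cannot, are small enough to show in one self-contained C program. The following is an added example written for this page; it is not FuSeBMC's code and does not reproduce its Tracer or its BMC back end. The target program, the goal labels GOAL_0..GOAL_3, the guard constants and all function names (run_test_case, is_new_seed, fuzz_random, smart_seed) are hypothetical. The smart seed is obtained by inverting the guard by hand, which stands in for the SMT query a BMC engine would issue.

```c
/*
 * Added example, not FuSeBMC code: a label-instrumented target, a coverage
 * bitmap in shared memory filled in by a child process (so a tracer in the
 * parent can see which labels a test case reached, even if the child crashes),
 * and seed selection that keeps a test case only when it reaches a label no
 * earlier seed did. All names and constants below are hypothetical.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define NUM_LABELS 4
#define GUARD_MUL  2654435761u   /* constructed constant (Knuth's multiplier) */
#define GUARD_KEY  0xDEADBEEFu   /* constructed constant */

/* Program under test with four injected goal labels. Reaching GOAL_2 requires
 * solving (x * GUARD_MUL) ^ y == GUARD_KEY, which a random input satisfies
 * with probability about 2^-32; a solver-backed engine finds it in one query. */
static void target(uint32_t x, uint32_t y, uint8_t *cov) {
    cov[0] = 1;                                   /* GOAL_0: entry */
    if (x > 1000) {
        cov[1] = 1;                               /* GOAL_1: easy branch */
        if (((x * GUARD_MUL) ^ y) == GUARD_KEY) {
            cov[2] = 1;                           /* GOAL_2: arithmetic guard */
            if (y % 3 == 0) cov[3] = 1;           /* GOAL_3: second constraint */
        }
    }
}

/* Run one test case in a forked child. The child marks covered labels in a
 * MAP_SHARED anonymous bitmap; the parent copies it out after the child exits.
 * Returns the number of labels covered, or -1 if the mapping failed. */
int run_test_case(uint32_t x, uint32_t y, uint8_t cov_out[NUM_LABELS]) {
    uint8_t *shm = mmap(NULL, NUM_LABELS, PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shm == MAP_FAILED) return -1;
    memset(shm, 0, NUM_LABELS);
    pid_t pid = fork();
    if (pid == 0) { target(x, y, shm); _exit(0); }
    if (pid > 0) waitpid(pid, NULL, 0);
    else target(x, y, shm);                       /* fork failed: run in-process */
    memcpy(cov_out, shm, NUM_LABELS);
    munmap(shm, NUM_LABELS);
    int n = 0;
    for (int i = 0; i < NUM_LABELS; i++) n += cov_out[i];
    return n;
}

/* Merge one test case's coverage into the corpus-wide "virgin" bitmap.
 * Returns 1 if it reached a label no earlier seed reached (keep it as a seed). */
int is_new_seed(const uint8_t cov[NUM_LABELS], uint8_t virgin[NUM_LABELS]) {
    int fresh = 0;
    for (int i = 0; i < NUM_LABELS; i++)
        if (cov[i] && !virgin[i]) { virgin[i] = 1; fresh = 1; }
    return fresh;
}

/* Short random fuzzing round (xorshift32 with a constructed seed).
 * Returns how many test cases were kept as seeds. */
int fuzz_random(int iterations, uint8_t virgin[NUM_LABELS]) {
    uint32_t s = 0x9E3779B9u;
    int kept = 0;
    for (int i = 0; i < iterations; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5; uint32_t x = s;
        s ^= s << 13; s ^= s >> 17; s ^= s << 5; uint32_t y = s;
        uint8_t cov[NUM_LABELS];
        if (run_test_case(x, y, cov) >= 0 && is_new_seed(cov, virgin)) kept++;
    }
    return kept;
}

/* "Smart seed": the guard is inverted by hand here, standing in for the SMT
 * solver behind a BMC engine. Choose y = (x * GUARD_MUL) ^ GUARD_KEY and walk
 * x upward until y % 3 == 0, so that GOAL_2 and GOAL_3 are both reachable. */
void smart_seed(uint32_t *x_out, uint32_t *y_out) {
    for (uint32_t x = 1001; ; x++) {
        uint32_t y = (x * GUARD_MUL) ^ GUARD_KEY;
        if (y % 3 == 0) { *x_out = x; *y_out = y; return; }
    }
}

int main(void) {
    uint8_t virgin[NUM_LABELS] = {0}, cov[NUM_LABELS];
    int kept = fuzz_random(2000, virgin);
    printf("random round: %d seeds kept, labels %d%d%d%d\n",
           kept, virgin[0], virgin[1], virgin[2], virgin[3]);
    uint32_t x, y;
    smart_seed(&x, &y);
    int n = run_test_case(x, y, cov);
    int fresh = is_new_seed(cov, virgin);
    printf("smart seed x=%u y=%u covers %d labels, new=%d\n", x, y, n, fresh);
    return 0;
}
```

The random round reliably reaches GOAL_0 and GOAL_1 but, barring a one-in-billions hit, never GOAL_2; the single solver-style seed covers all four labels and is therefore kept. In a real hybrid fuzzer the bitmap would be keyed by label id per test case rather than a four-byte array, and the solver step would come from the model checker rather than hand inversion, but the selection logic (keep what reaches new labels, then fuzz from those seeds with a longer budget) is the same.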
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Reliability and Analysis Research · Software Engineering Research
