PathFuzzing: Worst Case Analysis by Fuzzing Symbolic-Execution Paths
Zimu Chen, Di Wang

TL;DR
PathFuzzing combines fuzzing and symbolic execution to estimate worst-case resource consumption in software, addressing the code-coverage and path-explosion challenges through evolutionary search on transformed programs.
Contribution
The paper introduces PathFuzzing, a novel method that integrates fuzzing and symbolic execution for worst-case analysis by transforming programs into symbolic forms and applying evolutionary fuzzing techniques.
Findings
PathFuzzing outperforms baseline methods in benchmark tests.
It effectively explores high resource-consuming paths.
The approach improves coverage and path exploration efficiency.
Abstract
Estimating worst-case resource consumption is a critical task in software development. The worst-case analysis (WCA) problem is an optimization-based abstraction of this task. Fuzzing and symbolic execution are widely used techniques for addressing the WCA problem. However, improving code coverage in fuzzing or managing path explosion in symbolic execution within the context of WCA poses significant challenges. In this paper, we propose PathFuzzing, aiming to combine the strengths of both techniques to design a WCA method. The key idea is to transform a program into a symbolic one that takes an execution path (encoded as a binary string) and interprets the bits as branch decisions. PathFuzzing then applies evolutionary fuzzing techniques to the transformed program to search for binary strings that represent satisfiable path conditions and lead to high resource consumption. We evaluate…
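A toy sketch of the key idea in the abstract, added here as an illustration and not taken from the paper or its implementation: bubble sort is rewritten to take a bit string of branch decisions, a brute-force check over input orderings stands in for a constraint solver, and a small evolutionary loop searches for feasible paths with many swaps. The choice of bubble sort, swap count as the cost, distinct inputs, zero-padding of short bit strings and all function names are assumptions.

```python
import random
from itertools import permutations

N = 5                      # symbolic inputs x0..x4, assumed pairwise distinct
BITS = N * (N - 1) // 2    # bubble sort makes exactly this many branch decisions

def run_path(bits, n=N):
    """Symbolically run bubble sort, taking branch k as bits[k] dictates.
    Returns (cost, path_condition): cost is the number of swaps, and the
    path condition is a list of (u, v) pairs meaning x_u < x_v."""
    a = list(range(n))     # a[j] is the *index* of a symbolic input, not a value
    cost, pc, k = 0, [], 0
    for i in range(n):
        for j in range(n - 1 - i):
            take = k < len(bits) and bits[k] == "1"   # missing bits default to 0
            k += 1
            if take:                       # branch "a[j] > a[j+1]" taken: swap
                pc.append((a[j + 1], a[j]))
                a[j], a[j + 1] = a[j + 1], a[j]
                cost += 1
            else:                          # branch not taken
                pc.append((a[j], a[j + 1]))
    return cost, pc

def satisfiable(pc, n=N):
    """Stand-in for a solver query: try every ordering of n distinct values."""
    return any(all(p[u] < p[v] for u, v in pc) for p in permutations(range(n)))

def fitness(bits):
    cost, pc = run_path(bits)
    return cost if satisfiable(pc) else -1   # infeasible paths rank below all others

def mutate(bits, rng, rate=0.15):
    # Flip each branch decision independently with probability `rate`.
    return "".join(b if rng.random() > rate else "10"[int(b)] for b in bits)

def search(generations=60, pop_size=20, seed=0):
    rng = random.Random(seed)
    # The all-zero path (already-sorted input) is feasible, so the best is never -1.
    pop = ["0" * BITS] + ["".join(rng.choice("01") for _ in range(BITS))
                          for _ in range(pop_size - 1)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        elite = pop[: pop_size // 4]         # elitism: the best path is never lost
        pop = elite + [mutate(rng.choice(elite), rng) for _ in range(pop_size - len(elite))]
    best = max(pop, key=fitness)
    return best, fitness(best)
```

Calling `search()` returns a bit string and its swap count; any ordering that satisfies the path condition from `run_path(best)` is a concrete input that drives the original program down that path.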
Taxonomy
Topics: Software Engineering Techniques and Practices · Teaching and Learning Programming
