QSYM - A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

USENIX via YouTube

Overview

Explore a Distinguished Paper Award-winning conference talk on QSYM, a practical concolic execution engine designed for hybrid fuzzing. The talk covers the limitations of fuzzing and of concolic execution taken separately, and how QSYM combines the two so that each compensates for the other's weakness. Its key design ideas are a tight integration of symbolic emulation with native execution (instructions are executed directly rather than lifted to an intermediate representation), deliberately loosened soundness requirements (constraint tracking is allowed to be incomplete in exchange for speed), and optimistic constraint solving (when the full path constraint is unsatisfiable, only the last constraint is solved and the fuzzer's concrete execution filters out any wrong inputs). The evaluation shows QSYM scaling to real-world software, generating test cases that fuzzing alone struggles to find, outperforming the hybrid fuzzer Driller in code coverage, and finding previously unknown security bugs in real-world programs.

Syllabus

Intro
Two popular ways to find security bugs: Fuzzing & Concolic execution
Fuzzing and Concolic execution have their own pros and cons
Hybrid fuzzing can address their problems
Hybrid fuzzing has achieved great success in small-scale studies
However, current hybrid fuzzing suffers from problems to scale to real-world applications
Our system, QSYM, addresses these issues by introducing several key ideas
Overview: Hybrid fuzzing in general
Intermediate representations (IR) make implementations easier but add overhead
Execute instructions directly without using intermediate layer
QSYM reduces the number of instructions to execute symbolically
State forking can reduce re-execution overhead for constraint generation
Re-execute using the concrete environment instead of kernel state forking
Model only a minimal set of system calls and use concrete values for the rest
These optimizations produce incomplete constraints
Solve constraints optimistically
Our decision: Solve only the last constraint in the path
In hybrid fuzzing, generating incorrect inputs is fine because the fuzzer discards them
Evaluation questions
QSYM scales to real-world software
QSYM can generate test cases that fuzzing alone finds hard to reach
Compare QSYM with Driller, a state-of-the-art hybrid fuzzer
QSYM achieved more code coverage due to its better performance
Driller achieved more code coverage if nested branches exist
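The optimistic-solving decision in the syllabus above ("Solve only the last constraint in the path" and "generating incorrect inputs is fine") is easiest to see in code. The block below is an added illustration and is not code from QSYM or from the talk. It uses a toy solver restricted to single-byte comparisons so that it runs without any SMT library (QSYM itself hands full bit-vector formulas to Z3), a constructed target program `target` with three nested checks, and hypothetical helpers `solve`, `optimistic_solve` and `hybrid_step`. The spurious constraints in the two scenarios are constructed stand-ins for what QSYM's deliberately incomplete tracking can produce; the flow (full conjunction unsatisfiable, fall back to the last constraint, validate by concrete execution) is the idea the slides describe.

```python
"""Toy model of optimistic constraint solving in hybrid fuzzing.

Added example; not QSYM code.  Constraints are tuples (byte_index, op, value)
with op in {"==", "!=", "<", ">"}, which keeps the solver complete and tiny.
"""
from typing import Optional

Constraint = tuple[int, str, int]


def target(buf: bytes) -> str:
    """Constructed target program: returns the name of the branch reached."""
    if len(buf) < 3:
        return "short"
    if buf[0] != 0x41:      # branch 0: magic byte
        return "reject-0"
    if buf[1] < 0x80:       # branch 1: high bit must be set
        return "reject-1"
    if buf[2] != 0x42:      # branch 2: second magic byte
        return "reject-2"
    return "deep"


def _feasible(ops: list[tuple[str, int]]) -> set[int]:
    """Intersect the value sets allowed by every constraint on one byte."""
    vals = set(range(256))
    for op, v in ops:
        if op == "==":
            vals &= {v}
        elif op == "!=":
            vals -= {v}
        elif op == "<":
            vals &= set(range(0, v))
        elif op == ">":
            vals &= set(range(v + 1, 256))
        else:
            raise ValueError(f"unknown op {op!r}")
    return vals


def solve(constraints: list[Constraint], seed: bytes) -> Optional[bytes]:
    """Complete solver for a conjunction of single-byte constraints.

    Bytes that no constraint mentions keep their seed value, so the result
    is a minimal edit of the seed input.  Returns None when UNSAT.
    """
    by_index: dict[int, list[tuple[str, int]]] = {}
    for idx, op, val in constraints:
        by_index.setdefault(idx, []).append((op, val))
    out = bytearray(seed)
    for idx, ops in by_index.items():
        if idx >= len(out):                      # grow the buffer if needed
            out.extend(b"\x00" * (idx + 1 - len(out)))
        vals = _feasible(ops)
        if not vals:
            return None                          # contradictory constraints
        if out[idx] not in vals:
            out[idx] = min(vals)
    return bytes(out)


def optimistic_solve(path: list[Constraint], seed: bytes) -> Optional[bytes]:
    """The slide's decision: if the whole path constraint is UNSAT (often an
    artefact of incomplete tracking rather than a real infeasibility), solve
    only the last constraint instead of giving up on the branch."""
    full = solve(path, seed)
    if full is not None:
        return full
    return solve(path[-1:], seed)


def hybrid_step(path: list[Constraint], seed: bytes, wanted: str) -> Optional[bytes]:
    """One hybrid-fuzzing step: the concolic side proposes a candidate and the
    fuzzer side keeps it only if concrete execution really reaches `wanted`.
    Wrong candidates cost one execution and are dropped, which is why
    incomplete constraints are acceptable here."""
    cand = optimistic_solve(path, seed)
    if cand is None:
        return None
    return cand if target(cand) == wanted else None


if __name__ == "__main__":
    seed = b"A\x00\x00"                          # constructed seed, reaches reject-1
    # Scenario 1: a spurious equality on byte 0 makes the full path UNSAT,
    # but solving only the last constraint still flips branch 1 correctly.
    path1 = [(0, "==", 0x41), (0, "==", 0x00), (1, ">", 0x7F)]
    print("scenario 1:", hybrid_step(path1, seed, "reject-2"))   # b'A\x80\x00'
    # Scenario 2: the dropped constraints included a real one (byte 1), so the
    # optimistic input is wrong; concrete execution rejects it.
    path2 = [(0, "==", 0x41), (1, ">", 0x7F), (1, "<", 0x10), (2, "==", 0x42)]
    print("scenario 2:", hybrid_step(path2, seed, "deep"))       # None
```

Scenario 1 is the case the slides argue for: the contradiction is an artefact, and the last constraint alone yields a useful input. Scenario 2 is the cost: dropping the earlier constraints also drops a real one, the candidate reaches the wrong branch, and the fuzzer's concrete run throws it away for the price of a single execution.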

Taught by

USENIX
