Article: CherryPicker: A Parallel Solving and State Sharing Hybrid Fuzzing System
| Title | CherryPicker: A Parallel Solving and State Sharing Hybrid Fuzzing System |
|---|---|
| Authors | Zhang, Qingyu; Lin, Jiayi; Sun, Chenxin; Qian, Chenxiong; Luo, Xiapu |
| Keywords | concolic execution; hybrid fuzzing; software testing |
| Issue Date | 1-Jan-2025 |
| Publisher | Institute of Electrical and Electronics Engineers |
| Citation | IEEE Transactions on Dependable and Secure Computing, 2025, v. 22, n. 4, p. 3324-3336 |
| Abstract | Hybrid testing, combining fuzz testing and concolic execution, has emerged as an effective technique for bug discovery. However, concolic execution becomes the performance bottleneck when applied to real-world software. Despite numerous approaches to optimize seed scheduling, symbolic simulation, and constraint solving, concolic execution remains inefficient and ineffective due to two limitations. First, the concolic executor and fuzzer do not synchronize the testing state in real time, leading to the generation of numerous duplicate inputs in both concolic execution and the fuzzer. Second, the concolic executor overlooks the independence of constraint solving and solves constraints sequentially, which introduces significant slowdown. In this paper, we first conduct a study to identify these limitations in existing hybrid testing systems. We then propose a novel design for hybrid fuzzing, CherryPicker, where the fuzzer and concolic executor share testing states, and concolic execution runs in parallel mode. Finally, we evaluate our system using the LAVA-M benchmark and real-world software and compare it to state-of-the-art systems. The results demonstrate that CherryPicker outperforms current systems in terms of efficiency and effectiveness, delivering improved runtime performance, generating more intriguing inputs, and activating more code. Notably, CherryPicker exclusively uncovers six previously unknown bugs during the evaluation, which have been reported to developers, all of which have been confirmed with three CVEs assigned. |
| Persistent Identifier | http://hdl.handle.net/10722/361948 |
| ISSN | 1545-5971 (2023 Impact Factor: 7.0; 2023 SCImago Journal Rankings: 2.222) |

| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Zhang, Qingyu | - |
| dc.contributor.author | Lin, Jiayi | - |
| dc.contributor.author | Sun, Chenxin | - |
| dc.contributor.author | Qian, Chenxiong | - |
| dc.contributor.author | Luo, Xiapu | - |
| dc.date.accessioned | 2025-09-17T00:32:14Z | - |
| dc.date.available | 2025-09-17T00:32:14Z | - |
| dc.date.issued | 2025-01-01 | - |
| dc.identifier.citation | IEEE Transactions on Dependable and Secure Computing, 2025, v. 22, n. 4, p. 3324-3336 | - |
| dc.identifier.issn | 1545-5971 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/361948 | - |
| dc.language | eng | - |
| dc.publisher | Institute of Electrical and Electronics Engineers | - |
| dc.relation.ispartof | IEEE Transactions on Dependable and Secure Computing | - |
| dc.subject | concolic execution | - |
| dc.subject | hybrid fuzzing | - |
| dc.subject | Software testing | - |
| dc.title | CherryPicker: A Parallel Solving and State Sharing Hybrid Fuzzing System | - |
| dc.type | Article | - |
| dc.identifier.doi | 10.1109/TDSC.2025.3530010 | - |
| dc.identifier.scopus | eid_2-s2.0-85215432349 | - |
| dc.identifier.volume | 22 | - |
| dc.identifier.issue | 4 | - |
| dc.identifier.spage | 3324 | - |
| dc.identifier.epage | 3336 | - |
| dc.identifier.eissn | 1941-0018 | - |
| dc.identifier.issnl | 1545-5971 | - |
