PathFuzzing: Worst Case Analysis by Fuzzing Symbolic-Execution Paths

• URL: http://arxiv.org/abs/2507.09892v1
• Date: Mon, 14 Jul 2025 03:51:50 GMT
• Title: PathFuzzing: Worst Case Analysis by Fuzzing Symbolic-Execution Paths
• Authors: Zimu Chen, Di Wang,
• Abstract summary: Worst-case analysis problem is an optimization-based abstraction of this task.<n> Fuzzing and symbolic execution are widely used techniques for addressing the WCA problem.<n>We propose PathFuzzing, aiming to combine the strengths of both techniques to design a WCA method.
• Score: 5.1581069235093295
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Estimating worst-case resource consumption is a critical task in software development. The worst-case analysis (WCA) problem is an optimization-based abstraction of this task. Fuzzing and symbolic execution are widely used techniques for addressing the WCA problem. However, improving code coverage in fuzzing or managing path explosion in symbolic execution within the context of WCA poses significant challenges. In this paper, we propose PathFuzzing, aiming to combine the strengths of both techniques to design a WCA method. The key idea is to transform a program into a symbolic one that takes an execution path (encoded as a binary string) and interprets the bits as branch decisions. PathFuzzing then applies evolutionary fuzzing techniques to the transformed program to search for binary strings that represent satisfiable path conditions and lead to high resource consumption. We evaluate the performance of PathFuzzing experimentally on a benchmark suite that consists of prior work's benchmarks and some added by us. Results show that PathFuzzing generally outperforms a fuzzing and a symbolic-execution baseline.

Related papers

• Hybrid Approach to Directed Fuzzing [0.0]
  We propose a hybrid approach to directed fuzzing with novel seed scheduling algorithm.<n>We implement our approach in Sydr-Fuzz tool using LibAFL-DiFuzz as directed fuzzer and Sydr as dynamic symbolic executor.
  arXiv  Detail & Related papers  (2025-07-07T10:29:16Z)
• Empc: Effective Path Prioritization for Symbolic Execution with Path Cover [4.247960711260534]
  Symbolic execution can formally reason the correctness of program behaviors and detect software bugs.<n>It suffers from an inherent limitation: path explosion.<n>We propose a novel and effective path prioritization technique with path cover, named Empc.
  arXiv  Detail & Related papers  (2025-05-06T14:08:36Z)
• Efficient Symbolic Execution of Software under Fault Attacks [6.333695701603308]
  Fault attacks leverage physically injected hardware faults to break the safety of a software program.<n>Existing methods for analyzing the impact of faults on software suffer from inaccurate fault modeling and inefficient analysis algorithms.<n>We propose a fault modeling technique that leverages program transformation to add symbolic variables to the program, to accurately model the fault-induced program behavior.<n>Second, we propose a redundancy pruning technique that leverages the weakest precondition and fault saturation to mitigate path explosion.
  arXiv  Detail & Related papers  (2025-03-20T03:19:48Z)
• Beyond the Edge of Function: Unraveling the Patterns of Type Recovery in Binary Code [55.493408628371235]
  We propose ByteTR, a framework for recovering variable types in binary code.<n>In light of the ubiquity of variable propagation across functions, ByteTR conducts inter-procedural analysis to trace variable propagation and employs a gated graph neural network to capture long-range data flow dependencies for variable type recovery.
  arXiv  Detail & Related papers  (2025-03-10T12:27:05Z)
• ReF Decompile: Relabeling and Function Call Enhanced Decompile [50.86228893636785]
  The goal of decompilation is to convert compiled low-level code (e.g., assembly code) back into high-level programming languages.<n>This task supports various reverse engineering applications, such as vulnerability identification, malware analysis, and legacy software migration.
  arXiv  Detail & Related papers  (2025-02-17T12:38:57Z)
• Path-optimal symbolic execution of heap-manipulating programs [5.639904484784126]
  This paper introduces POSE, path-optimal symbolic execution, a symbolic execution algorithm that originally accomplishes path optimality against heap-manipulating programs. We formalize the POSE algorithm for a tiny, but representative object-oriented programming language, and implement the formalization into a prototype symbolic executor to experiment the algorithm against a benchmark of sample programs that take data structures as inputs.
  arXiv  Detail & Related papers  (2024-07-23T20:35:33Z)
• Finding Transformer Circuits with Edge Pruning [71.12127707678961]
  We propose Edge Pruning as an effective and scalable solution to automated circuit discovery.<n>Our method finds circuits in GPT-2 that use less than half the number of edges compared to circuits found by previous methods.<n>Thanks to its efficiency, we scale Edge Pruning to CodeLlama-13B, a model over 100x the scale that prior methods operate on.
  arXiv  Detail & Related papers  (2024-06-24T16:40:54Z)
• FoC: Figure out the Cryptographic Functions in Stripped Binaries with LLMs [51.898805184427545]
  We propose a novel framework called FoC to Figure out the Cryptographic functions in stripped binaries.<n>We first build a binary large language model (FoC-BinLLM) to summarize the semantics of cryptographic functions in natural language.<n>We then build a binary code similarity model (FoC-Sim) upon the FoC-BinLLM to create change-sensitive representations and use it to retrieve similar implementations of unknown cryptographic functions in a database.
  arXiv  Detail & Related papers  (2024-03-27T09:45:33Z)
• Rethinking PGD Attack: Is Sign Function Necessary? [131.6894310945647]
  We present a theoretical analysis of how such sign-based update algorithm influences step-wise attack performance. We propose a new raw gradient descent (RGD) algorithm that eliminates the use of sign. The effectiveness of the proposed RGD algorithm has been demonstrated extensively in experiments.
  arXiv  Detail & Related papers  (2023-12-03T02:26:58Z)
• Revisiting and Advancing Fast Adversarial Training Through The Lens of Bi-Level Optimization [60.72410937614299]
  We propose a new tractable bi-level optimization problem, design and analyze a new set of algorithms termed Bi-level AT (FAST-BAT) FAST-BAT is capable of defending sign-based projected descent (PGD) attacks without calling any gradient sign method and explicit robust regularization.
  arXiv  Detail & Related papers  (2021-12-23T06:25:36Z)
• Benchmarking Symbolic Execution Using Constraint Problems -- Initial Results [6.961253535504978]
  Symbolic execution is a powerful technique for bug finding and program testing. We transform CSP benchmarks into C programs suitable for testing the reasoning capabilities of symbolic execution tools.
  arXiv  Detail & Related papers  (2020-01-22T08:48:55Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.