Fuzzing and symbolic execution are popular techniques for finding vulnerabilities and generating test-cases for programs. Fuzzing, a blackbox method that mutates seed input values, is generally incapable of generating diverse inputs that exercise all paths in the program. Due to the path-explosion problem and dependence on SMT solvers, symbolic execution may also not achieve high path coverage. A hybrid technique involving fuzzing and symbolic execution may achieve better function coverage than fuzzing or symbolic execution alone. In this paper, we present Munch, an open source framework implementing two hybrid techniques based on fuzzing and symbolic execution. We empirically show using nine large open-source programs that overall, Munch achieves higher (in-depth) function coverage than symbolic execution or fuzzing alone. Using metrics based on total analyses time and number of queries issued to the SMT solver, we also show that Munch is more efficient at achieving better function coverage.
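The abstract's argument, that blackbox mutation rarely reaches functions behind chained equality checks while a solver-driven phase can, is illustrated below with an added, self-contained example. It is not code from the Munch paper or its framework: the nested-check target, the one- or two-byte mutational fuzzer, and the `solve` function that stands in for an SMT query on a single equality constraint are all constructed here. It measures the two metrics the abstract names, functions reached and solver queries issued, for fuzzing alone and for fuzzing followed by concolic exploration seeded with the fuzzer's best input.

```python
import random

# Constructed toy target standing in for a real program: three nested byte
# checks guard three functions. `trace` records each comparison as a path
# constraint (input byte index, value needed to take the branch, taken?).
CHECKS = [(0, 0x4D, "parse_header"), (1, 0x55, "parse_body"), (2, 0x4E, "handle_record")]


def target(data, covered, trace):
    covered.add("entry")
    if len(data) < len(CHECKS):
        return
    for idx, want, fn in CHECKS:
        taken = data[idx] == want
        trace.append((idx, want, taken))
        if not taken:
            return
        covered.add(fn)


def run(data):
    """Execute the target once; return (functions reached, path constraints)."""
    covered, trace = set(), []
    target(bytes(data), covered, trace)
    return covered, trace


def fuzz(seed, budget, rng):
    """Blackbox mutational fuzzing: each candidate is the seed with one or two
    random bytes replaced, with no feedback steering the mutations. Returns the
    union of functions reached and the single input that reached the most."""
    best, best_cov = bytes(seed), run(seed)[0]
    union = set(best_cov)
    for _ in range(budget):
        cand = bytearray(seed)
        for _ in range(rng.randint(1, 2)):
            cand[rng.randrange(len(cand))] = rng.randrange(256)
        cov, _ = run(cand)
        union |= cov
        if len(cov) > len(best_cov):
            best, best_cov = bytes(cand), cov
    return union, best


def solve(constraint):
    """Stand-in (assumption) for an SMT query on one equality constraint:
    returns the (byte index, value) that flips the branch. One call = one query."""
    idx, want, _ = constraint
    return idx, want


def concolic(start, max_queries):
    """Concolic exploration: run concretely, pick the first branch the run did
    not take, ask the solver for an input that takes it, and repeat."""
    data = bytearray(start)
    covered, trace = run(data)
    reached, queries = set(covered), 0
    while queries < max_queries:
        untaken = [c for c in trace if not c[2]]
        if not untaken:
            break
        idx, val = solve(untaken[0])
        queries += 1
        data[idx] = val
        covered, trace = run(data)
        reached |= covered
    return reached, queries


def compare(budget=2000, seed_value=1):
    """Fuzzing alone versus fuzzing followed by concolic execution on the best
    fuzz input; returns function coverage and solver queries for each."""
    rng = random.Random(seed_value)
    seed = bytes(len(CHECKS))  # all-zero seed input
    fuzz_cov, best = fuzz(seed, budget, rng)
    hybrid_cov, queries = concolic(best, max_queries=10)
    return {"fuzz": fuzz_cov, "hybrid": hybrid_cov, "queries": queries}


if __name__ == "__main__":
    r = compare()
    print("fuzzing alone:", sorted(r["fuzz"]))
    print("hybrid       :", sorted(r["hybrid"]), "after", r["queries"], "solver queries")
```

Because the fuzzer changes at most two bytes of the seed per candidate, `handle_record` (which needs all three bytes right at once) is unreachable for it regardless of budget, whereas the concolic phase reaches it with at most three solver queries; in a real target the solver cost is the term the hybrid has to keep bounded, which is why the abstract counts queries alongside coverage.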