Fuzzing SMT solvers via two-dimensional input space exploration

Peisen Yao; Heqing Huang; Wensheng Tang; Qingkai Shi; Rongxin Wu; Charles Zhang

doi:10.1145/3460319.3464803

Fuzzing SMT solvers via two-dimensional input space exploration

Peisen Yao, Heqing Huang, Wensheng Tang, Qingkai Shi, Rongxin Wu^*, Charles Zhang

^*Corresponding author for this work

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

14 Citations (Scopus)

Abstract

Satisfiability Modulo Theories (SMT) solvers serve as the core engine of many techniques, such as symbolic execution. Therefore, ensuring the robustness and correctness of SMT solvers is critical. While fuzzing is an efficient and effective method for validating the quality of SMT solvers, we observe that prior fuzzing work only focused on generating various first-order formulas as the inputs but neglected the algorithmic configuration space of an SMT solver, which leads to under-reporting many deeply-hidden bugs. In this paper, we present Falcon, a fuzzing technique that explores both the formula space and the configuration space. Combining the two spaces significantly enlarges the search space and makes it challenging to detect bugs efficiently. We solve this problem by utilizing the correlations between the two spaces to reduce the search space, and introducing an adaptive mutation strategy to boost the search efficiency. During six months of extensive testing, Falcon finds 518 confirmed bugs in CVC4 and Z3, two state-of-the-art SMT solvers, 469 of which have already been fixed. Compared to two state-of-the-art fuzzers, Falcon detects 38 and 44 more bugs and improves the coverage by a large margin in 24 hours of testing. © 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Original language	English
Title of host publication	ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
Publisher	Association for Computing Machinery
Pages	322-335
ISBN (Print)	9781450384599
DOIs	https://doi.org/10.1145/3460319.3464803
Publication status	Published - 2021
Externally published	Yes
Event	30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021) - Virtual, Denmark Duration: 11 Jul 2021 → 17 Jul 2021

Publication series

Name	ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis

Conference

Conference	30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021)
Country/Territory	Denmark
Period	11/07/21 → 17/07/21

Funding

We thank the anonymous reviewers for their insightful comments. We also appreciate the developers of CVC4 and Z3 for discussing and addressing our reported bugs. Rongxin Wu is supported by the Leading-edge Technology Program of Jiangsu Natural Science Foundation (BK20202001) and NSFC61902329. Other authors are supported by the RGC16206517 and ITS/440/18FP grants from the Hong Kong Research Grant Council, and the donations from Microsoft and Huawei. Rongxin Wu is the corresponding author.

Research Keywords

Fuzz testing
SMT solvers

Access Output

10.1145/3460319.3464803

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Yao, P., Huang, H., Tang, W., Shi, Q., Wu, R., & Zhang, C. (2021). Fuzzing SMT solvers via two-dimensional input space exploration. In ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (pp. 322-335). Article 3464803 (ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis). Association for Computing Machinery. https://doi.org/10.1145/3460319.3464803

Yao, Peisen ; Huang, Heqing ; Tang, Wensheng et al. / Fuzzing SMT solvers via two-dimensional input space exploration. ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, 2021. pp. 322-335 (ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis).

@inproceedings{8f8ec93ea64c4383b91cfd08cade7cc0,

title = "Fuzzing SMT solvers via two-dimensional input space exploration",

abstract = "Satisfiability Modulo Theories (SMT) solvers serve as the core engine of many techniques, such as symbolic execution. Therefore, ensuring the robustness and correctness of SMT solvers is critical. While fuzzing is an efficient and effective method for validating the quality of SMT solvers, we observe that prior fuzzing work only focused on generating various first-order formulas as the inputs but neglected the algorithmic configuration space of an SMT solver, which leads to under-reporting many deeply-hidden bugs. In this paper, we present Falcon, a fuzzing technique that explores both the formula space and the configuration space. Combining the two spaces significantly enlarges the search space and makes it challenging to detect bugs efficiently. We solve this problem by utilizing the correlations between the two spaces to reduce the search space, and introducing an adaptive mutation strategy to boost the search efficiency. During six months of extensive testing, Falcon finds 518 confirmed bugs in CVC4 and Z3, two state-of-the-art SMT solvers, 469 of which have already been fixed. Compared to two state-of-the-art fuzzers, Falcon detects 38 and 44 more bugs and improves the coverage by a large margin in 24 hours of testing. {\textcopyright} 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM.",

keywords = "Fuzz testing, SMT solvers",

author = "Peisen Yao and Heqing Huang and Wensheng Tang and Qingkai Shi and Rongxin Wu and Charles Zhang",

year = "2021",

doi = "10.1145/3460319.3464803",

language = "English",

isbn = "9781450384599",

series = "ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis",

publisher = "Association for Computing Machinery",

pages = "322--335",

booktitle = "ISSTA {\textquoteright}21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis",

address = "United States",

note = "30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021) ; Conference date: 11-07-2021 Through 17-07-2021",

}

Yao, P, Huang, H, Tang, W, Shi, Q, Wu, R & Zhang, C 2021, Fuzzing SMT solvers via two-dimensional input space exploration. in ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis., 3464803, ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis, Association for Computing Machinery, pp. 322-335, 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021), Denmark, 11/07/21. https://doi.org/10.1145/3460319.3464803

Fuzzing SMT solvers via two-dimensional input space exploration. / Yao, Peisen; Huang, Heqing; Tang, Wensheng et al.
ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery, 2021. p. 322-335 3464803 (ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Fuzzing SMT solvers via two-dimensional input space exploration

AU - Yao, Peisen

AU - Huang, Heqing

AU - Tang, Wensheng

AU - Shi, Qingkai

AU - Wu, Rongxin

AU - Zhang, Charles

PY - 2021

Y1 - 2021

N2 - Satisfiability Modulo Theories (SMT) solvers serve as the core engine of many techniques, such as symbolic execution. Therefore, ensuring the robustness and correctness of SMT solvers is critical. While fuzzing is an efficient and effective method for validating the quality of SMT solvers, we observe that prior fuzzing work only focused on generating various first-order formulas as the inputs but neglected the algorithmic configuration space of an SMT solver, which leads to under-reporting many deeply-hidden bugs. In this paper, we present Falcon, a fuzzing technique that explores both the formula space and the configuration space. Combining the two spaces significantly enlarges the search space and makes it challenging to detect bugs efficiently. We solve this problem by utilizing the correlations between the two spaces to reduce the search space, and introducing an adaptive mutation strategy to boost the search efficiency. During six months of extensive testing, Falcon finds 518 confirmed bugs in CVC4 and Z3, two state-of-the-art SMT solvers, 469 of which have already been fixed. Compared to two state-of-the-art fuzzers, Falcon detects 38 and 44 more bugs and improves the coverage by a large margin in 24 hours of testing. © 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM.

AB - Satisfiability Modulo Theories (SMT) solvers serve as the core engine of many techniques, such as symbolic execution. Therefore, ensuring the robustness and correctness of SMT solvers is critical. While fuzzing is an efficient and effective method for validating the quality of SMT solvers, we observe that prior fuzzing work only focused on generating various first-order formulas as the inputs but neglected the algorithmic configuration space of an SMT solver, which leads to under-reporting many deeply-hidden bugs. In this paper, we present Falcon, a fuzzing technique that explores both the formula space and the configuration space. Combining the two spaces significantly enlarges the search space and makes it challenging to detect bugs efficiently. We solve this problem by utilizing the correlations between the two spaces to reduce the search space, and introducing an adaptive mutation strategy to boost the search efficiency. During six months of extensive testing, Falcon finds 518 confirmed bugs in CVC4 and Z3, two state-of-the-art SMT solvers, 469 of which have already been fixed. Compared to two state-of-the-art fuzzers, Falcon detects 38 and 44 more bugs and improves the coverage by a large margin in 24 hours of testing. © 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM.

KW - Fuzz testing

KW - SMT solvers

UR - http://www.scopus.com/inward/record.url?scp=85111429288&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85111429288&origin=recordpage

U2 - 10.1145/3460319.3464803

DO - 10.1145/3460319.3464803

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 9781450384599

T3 - ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis

SP - 322

EP - 335

BT - ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

PB - Association for Computing Machinery

T2 - 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2021)

Y2 - 11 July 2021 through 17 July 2021

ER -

Yao P, Huang H, Tang W, Shi Q, Wu R, Zhang C. Fuzzing SMT solvers via two-dimensional input space exploration. In ISSTA ’21 - Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis. Association for Computing Machinery. 2021. p. 322-335. 3464803. (ISSTA - Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis). Epub 2021 Jul 11. doi: 10.1145/3460319.3464803

Fuzzing SMT solvers via two-dimensional input space exploration

Abstract

Publication series

Conference

Funding

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this