DeepFuzz: Triggering Vulnerabilities Deeply Hidden in Binaries

(Extended Abstract)
  • Konstantin Böttinger
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


We introduce a new method for triggering vulnerabilities in deep layers of binary executables and for facilitating their exploitation. Our approach combines dynamic symbolic execution with fuzzing techniques. To maximize both the execution path depth and the degree of freedom in input parameters available for exploitation, we define a novel method for assigning probabilities to program paths. Based on this probability distribution, we apply new path exploration strategies. This facilitates payload generation and therefore vulnerability exploitation.
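The abstract describes the idea only at a high level: keep a frontier of partially explored program paths, prefer paths that are deep and that still leave many input bytes unconstrained, and let fuzzing fill in those free bytes. The following is an added illustration of that scheme, not the paper's code and not its actual probability assignment (which the abstract does not specify); the weighting function `path_weight`, the toy `PathState` record and the sample frontier are all constructed here for demonstration.

```python
import random
from dataclasses import dataclass, field


@dataclass
class PathState:
    """One partially explored path of the target (toy model, not the paper's data structure).

    pinned maps input byte offsets to the concrete values a solver would have to fix
    in order to keep execution on this path; every other byte is a free parameter.
    """
    path_id: str
    depth: int                      # number of branch decisions taken along the path
    input_len: int                  # total length of the input buffer
    pinned: dict = field(default_factory=dict)

    def degrees_of_freedom(self) -> int:
        # bytes not constrained by the path condition: these are what fuzzing may vary
        return self.input_len - len(self.pinned)


def path_weight(state: PathState, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Unnormalised score (assumed form): reward depth and remaining input freedom."""
    return (1 + state.depth) ** alpha * (1 + state.degrees_of_freedom()) ** beta


def path_distribution(frontier: list) -> dict:
    """Normalise the weights into a probability distribution over path ids."""
    weights = [path_weight(s) for s in frontier]
    total = sum(weights)
    return {s.path_id: w / total for s, w in zip(frontier, weights)}


def pick_next_path(frontier: list, rng: random.Random) -> str:
    """Sample the next path to explore according to the distribution."""
    dist = path_distribution(frontier)
    ids = list(dist)
    return rng.choices(ids, weights=[dist[i] for i in ids], k=1)[0]


def fuzz_free_bytes(state: PathState, rng: random.Random) -> bytes:
    """Build a concrete input: solver-pinned bytes are kept, free bytes are randomised."""
    return bytes(state.pinned.get(i, rng.randrange(256)) for i in range(state.input_len))


# Constructed sample frontier for an 8-byte input.
SAMPLE_FRONTIER = [
    PathState("A", depth=1, input_len=8, pinned={0: 0x7f}),
    PathState("B", depth=4, input_len=8, pinned={0: 0x7f, 1: 0x45, 2: 0x4c, 3: 0x46}),
    PathState("C", depth=4, input_len=8, pinned={0: 0x7f}),
]


if __name__ == "__main__":
    rng = random.Random(0)
    for pid, p in path_distribution(SAMPLE_FRONTIER).items():
        print(f"path {pid}: P = {p:.3f}")
    chosen = pick_next_path(SAMPLE_FRONTIER, rng)
    state = next(s for s in SAMPLE_FRONTIER if s.path_id == chosen)
    print("exploring", chosen, "with input", fuzz_free_bytes(state, rng).hex())
```

With this weighting, path C (deep, yet with seven free bytes) receives the largest share of the exploration budget, path B (equally deep but with only four free bytes) less, and the shallow path A the least; the exponents `alpha` and `beta` are the knobs that trade depth against freedom.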


Keywords: Concolic execution, Fuzzing, Random testing



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Fraunhofer Institute for Applied and Integrated Security, Garching (near Munich), Germany
