YoVDO

Exploring Deficiencies in Automatic Vuln Mining Technology

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses Software Testing Courses

Course Description

Overview

Explore the limitations of automatic vulnerability mining technology in this conference talk from the Hack In The Box Security Conference. Delve into the analysis and testing of representative tools like libFuzzer, AFL, KLEE, and QSYM, and understand why they fall short compared to manual code review. Examine example code that demonstrates these tools' deficiencies and learn about the fundamental issues in current state-of-the-art techniques. Discover the proposed "variable constraint back propagation" method based on LLVM bitcode and the STP constraint solver, which aims to address these shortcomings. Gain insights into improving software testing processes, finding untested code in fuzzed software, and potentially leveraging these deficiencies to enhance software security against automated tools.

Syllabus

Intro
Target
Current Reality
Feedback-driven Genetic Algorithm
Core of GA
Symbolic Execution manager contexts
Block libFuzzer and AFL
Block QSYM and KLEE
Stutter Fuzzers
Inapproximable Constraint: libFuzzer and AFL have their own methods to deal with condition statements
Feedback of libFuzzer
Distance Algorithm of libFuzzer
Massive Bug-free Paths
Discovery: 1. Coverage is losing its effectiveness. 2. Selecting a path is better than traversing. 3. A constraint solver is necessary.
Sufficient and necessary constraints
Variable Constraint Back Propagation: Replace Symbol Expr with New Expr
Transformation of constraint expressions
Back Propagation on LLVM bitcode
Imitate manual code review: 1. Make assumptions and initial constraints

Taught by

Hack In The Box Security Conference

Related Courses

Automated Visual Software Analytics
openHPI
JavaScript Testing
Udacity
Web Application Development: Testing and Deployment
University of New Mexico via Coursera
Software Engineering
Peking University via Coursera
Building R Packages
Johns Hopkins University via Coursera