
I do not understand how symbolic execution is different from whitebox fuzzing. From what I understand, whitebox fuzzers symbolically execute the code with some initial input format. Additionally, it will be helpful if someone could differentiate between these two forms with reference to the KLEE and AFL tools.

Madhuparna Bhowmik
    Symbolic execution is a (not necessarily "the") technique to implement fuzzing. Fuzzing is a way to find inputs that might lead programs to crash or exhibit unwanted behavior. It can be implemented using symbolic execution. But symbolic execution is a much wider technique that can be used in program verification tasks amongst other things as well. So, think of "fuzzing" as an application area, and "symbolic execution" as a technique that has applications in fuzzing. – alias Oct 31 '21 at 18:49

1 Answer


Whitebox fuzzing can be done not only with symbolic execution. SAGE from Microsoft Research is an example of a whitebox fuzzer that uses concolic execution, also called dynamic symbolic execution, see NDSS08.

Yes, Whitebox Fuzzers get some seed/seeds (initial input/inputs) and symbolically execute the code with these. Concolic fuzzers also run the code with these inputs in parallel with symbolic execution.

KLEE is a whitebox fuzzer that uses symbolic execution.

AFL is a greybox fuzzer - it uses internal structure information only to calculate coverage and not to get new paths. There are tools for AFL that get constants from comparisons in the code and add these to AFL's dictionaries, but this is still not whitebox fuzzing.

nevilad
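An added example (not part of the answer, and not code from KLEE, AFL or SAGE) that shows the distinction the answer draws on a constructed four-byte "magic value" target: a coverage-guided greybox loop in the AFL style only learns which branches a mutated input newly covered, a concolic loop reads the comparison the concrete run failed and solves for the input that flips it, and an AFL-style dictionary of comparison constants narrows the gap without making the greybox fuzzer whitebox. The "solver" is a stand-in for the SMT solver a real engine would call (the constraints here are byte equalities, so the satisfying assignment is the constant itself); `target()`, `greybox_search()`, `concolic_search()`, `MAGIC` and the seed input are all constructed for this example.

```python
"""Greybox (coverage-guided mutation) vs. concolic (dynamic symbolic)
input generation on a toy target. Constructed example, not a real tool."""
import random

MAGIC = b"KLEE"  # constructed: the program "crashes" only on this input


def target(data, trace=None):
    """Nested byte comparisons, one per branch. Returns the depth reached.
    Each comparison is recorded in `trace` as (branch, have, want, taken),
    which stands in for the instrumentation a fuzzer or concolic engine adds."""
    depth = 0
    for i, want in enumerate(MAGIC):
        have = data[i] if i < len(data) else -1
        taken = have == want
        if trace is not None:
            trace.append((i, have, want, taken))
        if not taken:
            return depth
        depth += 1
    raise RuntimeError("crash: magic value reached")


def greybox_search(seed=1, max_runs=200_000, dictionary=()):
    """AFL-style loop: mutate the newest coverage-increasing input at random and
    keep a mutant only if it takes a branch not seen before. Branch outcomes are
    used as feedback only; nothing is derived from the comparison operands.
    `dictionary` is an optional tuple of tokens spliced in, as AFL dictionaries
    built from comparison constants would be. Returns (input, runs)."""
    rng = random.Random(seed)
    corpus = [b"AAAA"]  # constructed seed input
    coverage = set()    # branch indices observed as taken
    for runs in range(1, max_runs + 1):
        data = bytearray(corpus[-1])
        pos = rng.randrange(len(data))
        if dictionary and rng.random() < 0.5:
            tok = rng.choice(dictionary)
            data[pos:pos + len(tok)] = tok
        else:
            data[pos] = rng.randrange(256)
        data = bytes(data)
        trace = []
        try:
            target(data, trace)
        except RuntimeError:
            return data, runs
        new_edges = {i for i, _, _, taken in trace if taken} - coverage
        if new_edges:
            coverage |= new_edges
            corpus.append(data)
    return None, max_runs


def concolic_search(max_runs=100):
    """Concolic loop: run concretely, collect the path constraint, negate the
    last (failed) comparison and solve for an input satisfying it. A real engine
    would hand the whole path condition to an SMT solver; for byte-equality
    constraints the solution is just the compared constant. Returns (input, runs)."""
    data = bytearray(b"AAAA")  # constructed seed input
    for runs in range(1, max_runs + 1):
        trace = []
        try:
            target(bytes(data), trace)
        except RuntimeError:
            return bytes(data), runs
        branch, _have, want, _taken = trace[-1]  # the comparison that failed
        data[branch] = want                      # "solve" data[branch] == want
    return None, max_runs


if __name__ == "__main__":
    print("concolic:", concolic_search())
    print("greybox :", greybox_search())
    print("greybox + dictionary:", greybox_search(dictionary=(MAGIC,)))
```

The concolic loop reaches the crash in exactly one run per branch plus the final run, because each run tells it which input byte to change and to what. The greybox loop has to guess each byte value blindly and only notices success through new coverage, so it typically needs thousands of runs on this target; adding the comparison constant as a dictionary token collapses that to a handful, yet the loop still never reads the program's branch conditions, which is why the answer classes it as greybox rather than whitebox.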