
I think I understand the difference between fuzzing and symbolic execution especially when it comes to having a program that expects specific values (in this case symbolic execution will work and fuzzing probably won't).

However, is there a reason why we won't just use symbolic execution instead of fuzzing when we can (that is, if we are not really dealing with a big program) and not use fuzzing at all?

When should we use both?

Marcus Müller
rullzing
  • Simple. Symbolic execution is "hard". Format-aware dynamic analysis is much simpler to implement with good results. Not to mention, symbolic execution tends to be bad at dealing with race conditions and other non-obvious behavior. – forest Dec 14 '17 at 04:43

1 Answer


"when we can"

That's usually the problem here.

Even with access to the source code, it's not easy to reinterpret a program to find problem inputs.

In fact, it's one of the very hardest problems in computer science to "reverse" a program to see what input caused it to do something specific.

So, the reality is that even if it's sometimes theoretically possible to interpret the inputs to a program as symbols used in the program flow that lead to wanted (or unwanted) behaviour later on, it's usually much harder and more time-intensive to find such symbols than to simply try random input.

Marcus Müller
  • I understand that, that's why I was clear that I know that it can "almost" only be done efficiently on small programs, if any. However, leaving that aside, when should we use both fuzzing and symbolic execution? And can it do the job of fuzzing by itself? – rullzing Dec 13 '17 at 23:15
  • Ok, how much do you want me to repeat what I and you just said: "only works for small programs at all"; if you understand the difference between fuzzing and symbolic backtracking, you'll notice that of course symbolic backtracking only works if all involved parts work as expected - but with fuzzing you might trigger behaviour if a program execution leads to running out of memory, or if there's nondeterministic timing behaviour etc. So, different things. You're basically asking "when should we have fries, and when ice cream, and when to have both?". There's only one answer: when adequate. – Marcus Müller Dec 13 '17 at 23:19
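The case the question describes, a program that expects specific values, is the one where the two approaches differ most visibly. The following is an added example, not code from the question, the answer or the comments: a constructed six-byte target whose interesting path is guarded by a 4-byte magic value, a blind mutation fuzzer, and a toy concolic executor that records the byte comparisons each run makes and negates them one at a time to generate the next input. The target format, the `SymByte` class, the brute-force per-byte `solve` function and the run counts are all assumptions made for this illustration; the solver stands in for the SMT solver a real symbolic-execution engine would call, and only works here because every branch depends on a single input byte.

```python
import operator
import random

# Constructed target for this example: a tiny header check that reaches its
# "deep" code path only when the input starts with a 4-byte magic value,
# carries version 2, and has a flag byte with the top bit set.
MAGIC = b"\x7fELF"   # assumed magic value, chosen to look like a real header


def target(data):
    """Return the name of the path taken. Works on bytes or on a SymByte list."""
    if len(data) < 6:
        return "too_short"
    if not (data[0] == MAGIC[0] and data[1] == MAGIC[1]
            and data[2] == MAGIC[2] and data[3] == MAGIC[3]):
        return "bad_magic"
    if data[4] != 2:
        return "bad_version"
    if data[5] > 0x7F:
        return "deep_path"      # where an interesting bug would typically hide
    return "shallow_path"


class SymByte:
    """Concrete byte that records every comparison made on it (concolic trace)."""

    def __init__(self, idx, value, trace):
        self.idx, self.value, self.trace = idx, value, trace

    def _cmp(self, op, other, result):
        # Record (byte index, operator, constant, outcome) and keep running concretely.
        self.trace.append((self.idx, op, int(other), bool(result)))
        return bool(result)

    def __eq__(self, other):
        return self._cmp("==", other, self.value == other)

    def __ne__(self, other):
        return self._cmp("!=", other, self.value != other)

    def __gt__(self, other):
        return self._cmp(">", other, self.value > other)

    def __le__(self, other):
        return self._cmp("<=", other, self.value <= other)


OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<=": operator.le}


def solve(constraints, length):
    """Toy solver: constraints are per-byte, so brute-force each byte over 0..255.
    Returns None when some byte has no satisfying value (infeasible path)."""
    out = bytearray(length)
    for idx in range(length):
        per_byte = [c for c in constraints if c[0] == idx]
        for v in range(256):
            if all(OPS[op](v, k) == want for _, op, k, want in per_byte):
                out[idx] = v
                break
        else:
            return None
    return bytes(out)


def run_concolic(data):
    trace = []
    path = target([SymByte(i, b, trace) for i, b in enumerate(data)])
    return path, trace


def concolic_search(seed, goal="deep_path", max_runs=1000):
    """Generational search: negate one recorded branch at a time and solve for it."""
    queue, seen, paths, runs = [seed], {seed}, set(), 0
    while queue and runs < max_runs:
        cur = queue.pop(0)
        path, trace = run_concolic(cur)
        runs += 1
        paths.add(path)
        if path == goal:
            return cur, runs, paths
        for i, (idx, op, k, want) in enumerate(trace):
            flipped = trace[:i] + [(idx, op, k, not want)]
            child = solve(flipped, len(cur))
            if child is not None and child not in seen:
                seen.add(child)
                queue.append(child)
    return None, runs, paths


def random_fuzz(seed, runs, rng_seed=1):
    """Blind mutation fuzzer: overwrite some random bytes and collect the paths seen."""
    rng = random.Random(rng_seed)
    paths = set()
    for _ in range(runs):
        data = bytearray(seed)
        for _ in range(rng.randint(1, len(data))):
            data[rng.randrange(len(data))] = rng.randrange(256)
        paths.add(target(bytes(data)))
    return paths


if __name__ == "__main__":
    seed = bytes(6)
    print("fuzzing, 20000 runs, paths seen:", random_fuzz(seed, 20000))
    found, runs, paths = concolic_search(seed)
    print(f"concolic: {found!r} reaches deep_path after {runs} runs; paths {paths}")
```

Run from an all-zero seed, the fuzzer only ever sees `bad_magic`: hitting the four magic bytes by chance is roughly a 1 in 2^32 event per attempt, while the concolic search reaches `deep_path` in seven executions because each run tells it exactly which byte to change. The same code also shows the answer's point: the solver only stays this simple because the target's constraints are trivial, and any branch that depends on state the trace does not model (timing, memory pressure, a race) is invisible to it, whereas the fuzzer would still exercise it.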