
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle

https://doi.org/10.15514/ISPRAS-2025-37(4)-30

Abstract

Nowadays, automated dynamic analysis frameworks for continuous testing are in high demand to ensure software safety and to satisfy security development lifecycle (SDL) requirements. In security bug hunting, cutting-edge hybrid fuzzing techniques outperform the widely used coverage-guided fuzzing. We propose an enhanced dynamic analysis pipeline that raises the productivity of automated bug detection based on hybrid fuzzing. We implement the proposed pipeline in the continuous fuzzing toolset Sydr-Fuzz, which is powered by a hybrid fuzzing orchestrator integrating our DSE tool Sydr with libFuzzer and AFL++. Sydr-Fuzz also incorporates security predicate checkers, the crash triaging tool Casr, and utilities for corpus minimization and coverage gathering. Benchmarking our hybrid fuzzer against alternative state-of-the-art solutions demonstrates its superiority over coverage-guided fuzzers while remaining on the same level as advanced hybrid fuzzers. Furthermore, we confirm the relevance of our approach by discovering 85 new real-world software flaws within the OSS-Sydr-Fuzz project. Finally, we open the Casr source code to the community to facilitate examination of existing crashes.

About the Authors

Alexey Vadimovich VISHNYAKOV

Russian Federation

Cand. Sci. (Phys.-Math.); obtained a BSc degree and an M.D. at the Faculty of Computational Mathematics and Cybernetics of Lomonosov Moscow State University. Research interests: computer security, security development lifecycle (SDL), binary analysis, symbolic execution, fuzzing, automatic error detection, and compilers.



Daniil Olegovich KUTS
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Cand. Sci. (Phys.-Math.) since 2023. Research interests: binary analysis, symbolic execution, hybrid fuzzing.



Vlada Igorevna LOGUNOVA
Ivannikov Institute for System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology
Russian Federation

Research Fellow at the Laboratory of System Programming and Information Security of the Institute for System Programming. Research interests: dynamic analysis, binary code analysis, dynamic symbolic execution, hybrid fuzzing.



Darya Alekseevna PARYGINA
Ivannikov Institute for System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University
Russian Federation

Master's graduate of Lomonosov Moscow State University, senior laboratory assistant at the Institute for System Programming of the RAS. Research interests: symbolic execution, hybrid fuzzing, directed fuzzing.



Eli Aleksandrovich KOBRIN

Russian Federation

Obtained a BSc degree and an M.D. at the Faculty of Computational Mathematics and Cybernetics of Lomonosov Moscow State University. Research interests: computer security, binary analysis, symbolic execution, fuzzing, operating systems.



Georgy Anatolievich SAVIDOV

Russian Federation

Obtained a BSc degree and an M.D. at the Faculty of Computational Mathematics and Cybernetics of Lomonosov Moscow State University. Research interests: computer security, binary analysis, symbolic execution, fuzzing, operating systems.



Andrey Nikolaevich FEDOTOV

Russian Federation

Cand. Sci. (Tech.) since 2017; graduated from the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute) in 2013. Research interests: information security, symbolic execution, error severity estimation, reverse engineering, error search, programming languages, dynamic analysis.




For citations:


VISHNYAKOV A.V., KUTS D.O., LOGUNOVA V.I., PARYGINA D.A., KOBRIN E.A., SAVIDOV G.A., FEDOTOV A.N. Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(4):251-270. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(4)-30



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)