ABSTRACT

Concolic testing is a popular method based on symbolic execution and constraint solving, designed for security testing of applications. Unfortunately, the effectiveness of current concolic testing tools is limited when testing large applications, because of the enormous number of control paths and the limited testing budget. In this paper, we introduce three approaches to ease path explosion and speed up bug discovery: selective symbolic execution, path selection, and random and incorrect seed inputs. We also develop Crashmaker, a dynamic symbolic execution tool based on Valgrind and the STP constraint solver, which implements these three improvements. To check the effectiveness and efficiency of Crashmaker, we run experiments on 7 different real-life programs and compare it with Avalanche. The evaluation results show that Crashmaker finds more bugs, and does so more efficiently.