Statically-Guided Fork-based Symbolic Execution for Vulnerability Detection

Fork-based symbolic execution would waste large amounts of computing time and resource on invulnerable paths when applied to vulnerability detection. In this paper, we propose a statically-guided fork-based symbolic execution technique for vulnerability detection to mitigate this problem. In static analysis, we collect all valid jumps along vulnerable paths, and define the priority for each program branch based on the ratio of vulnerable paths over total paths in its subsequent program. In fork-based symbolic execution, path exploration can be restricted to vulnerable paths, and code segments with higher proportion of vulnerable paths can be analyzed in advance by utilizing the result of static analysis. We implement a prototype named SAF-SE and evaluate it with ten benchmarks from GNU Coreutils version 6.11. Experimental results show that SAF-SE outperforms KLEE in the efficiency and accuracy of vulnerability detection. Keywords-fork-based symbolic execution; static analysis; vulnerability detection; program analysis