2024
Book Article
Title
Interactive Application Security Testing with Hybrid Fuzzing and Statistical Estimators
Abstract
Both static analysis and dynamic analysis are methods to identify vulnerabilities in programs. Whereas sound static analysis is strong in identifying all vulnerabilities of a certain type by analyzing all program paths, it suffers from high numbers of false positives, which can make this approach infeasible for large amounts of code. In contrast, dynamic analysis, in particular fuzzing, has a low number of false positives but suffers from the inability to prove the absence of bugs, since it covers only specific execution paths. Therefore, many bug-triggering paths may not be executed. This can then lead to potentially high numbers of false negatives, i.e., missing observations of bugs which are actually present in the code. Since both methods have complementary strengths and weaknesses, interactive application security testing (IAST) aims at obtaining the best from both methods by a smart and interactive combination that mutually eliminates the weaknesses of each method. For instance, fuzzing techniques can be used to discriminate the true positives from the false positives of the static analysis, and static analysis can benefit from concrete values observed during test execution to make the analysis more precise. However, interactive application security testing comes with its own challenges that need to be solved using a set of methods and techniques. In this chapter, we present an approach both to automatically assess static analysis results using fuzzing, making static analysis feasible for large-scale projects, and to improve fuzzing with results from static analysis, e.g., by using results from constant propagation, such as magic bytes, to cover code fragments that are hard to reach for traditional fuzzers.
Author(s)