ISSN 0253-2778

CN 34-1054/N


A research on control-flow taint information directed symbolic execution

  • Aiming at generating test cases that cover potentially vulnerable program points, this paper proposes a directed dynamic symbolic execution method that combines generation-based fuzzing, static control-flow analysis and static taint analysis. Fuzzing generates test cases that reach the function containing the vulnerable program points, leading symbolic execution quickly to the vulnerable function along the denoted single path. Static control-flow analysis and static taint analysis inside the vulnerable function then compute the control-flow taint reachable slices, which direct multi-path dynamic symbolic execution toward the desired vulnerable program points. Experiments prove the effectiveness of the method in mitigating the path explosion problem common in symbolic execution applications and in generating test cases that trigger the target vulnerability.
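The sketch below is an added illustration of the slicing idea in the abstract, not code from the paper. It assumes that a slice is the set of blocks lying on some path from the function entry to the vulnerable point, and that the executor forks only at input-tainted branches; the control-flow graph, the taint set and the seed outcome are all constructed.

```python
from collections import deque

# Constructed CFG of a hypothetical vulnerable function: block -> successors.
CFG = {
    "entry": ["chk", "exit"], "chk": ["parse", "log"], "parse": ["copy", "alt"],
    "alt": ["copy", "exit"], "copy": ["vuln", "trunc"], "trunc": ["exit"],
    "log": ["exit"], "vuln": ["exit"], "exit": [],
}
TARGET = "vuln"
# Constructed static-taint result: branches whose condition depends on input.
TAINTED = {"entry", "parse", "alt", "copy"}
# Assumption: an untainted branch keeps the outcome seen on the fuzzing seed.
SEED_OUTCOME = {"chk": "parse"}

def reach(graph, start):
    """Blocks reachable from start by breadth-first search."""
    seen, work = {start}, deque([start])
    while work:
        for nxt in graph[work.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen

def reachable_slice(cfg, entry, target):
    """Blocks lying on at least one entry-to-target path."""
    rev = {n: [] for n in cfg}
    for node, succs in cfg.items():
        for s in succs:
            rev[s].append(node)
    return reach(cfg, entry) & reach(rev, target)

def explore(cfg, entry, stop, keep=None):
    """Enumerate acyclic paths to a stop block; keep=None means undirected."""
    done, stack = [], [[entry]]
    while stack:
        path = stack.pop()
        node = path[-1]
        if node in stop:
            done.append(path)
            continue
        succs = cfg[node]
        if keep is not None and node not in TAINTED and node in SEED_OUTCOME:
            succs = [SEED_OUTCOME[node]]   # input cannot flip this branch
        for s in succs:
            if (keep is None or s in keep) and s not in path:
                stack.append(path + [s])
    return done

SLICE = reachable_slice(CFG, "entry", TARGET)
DIRECTED = explore(CFG, "entry", {TARGET}, keep=SLICE)
UNDIRECTED = explore(CFG, "entry", {"exit"})
```

Comparing `len(DIRECTED)` with `len(UNDIRECTED)` shows how restricting exploration to the slice cuts the number of paths the executor has to follow inside the function.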
