Fuzz testing is a popular software testing technique, often used to automatically discover severe bugs. Fuzz testing is equally useful in a security context, where any code fault that compromises memory safety or privilege separation is likely to be a security vulnerability. We have successfully used this approach to harden QEMU, where it identified several severe errors (e.g. buffer overflows) with a potential security impact. However, fuzzing has an inherent disadvantage: the time required to reach a sufficient confidence level is hard to determine. Symbolic execution, on the other hand, is a more systematic approach to automatic testing, focusing on generating inputs that achieve high code coverage. We apply this technique to QEMU using the state-of-the-art KLEE symbolic execution engine (https://klee.github.io).
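To make the contrast concrete, here is an added example (not code from the page, from QEMU or from the KLEE project): a constructed toy parser whose defect sits behind a 4-byte magic check, driven either by a reproducible random fuzzer or, when built with `-DUSE_KLEE` and run under KLEE, by `klee_make_symbolic`, so the solver derives the magic and the oversized length directly instead of waiting for a 2^-32 coincidence. The `USE_KLEE` macro, the packet layout and the `fuzz_rounds` helper are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef USE_KLEE
#include <klee/klee.h>   /* KLEE intrinsics; build with -DUSE_KLEE (assumed flag) */
#endif
#define PKT_LEN 8
enum { PARSE_OK = 0, PARSE_BAD_MAGIC = -1, PARSE_WOULD_OVERFLOW = -2 };

/* Constructed toy target (not QEMU code): a 4-byte magic guards a length byte that
 * is never checked against the 3-byte payload buffer. PARSE_WOULD_OVERFLOW stands in
 * for the out-of-bounds copy a real parser would perform at this point. */
int parse_packet(const uint8_t pkt[PKT_LEN])
{
    uint8_t payload[3];
    if (memcmp(pkt, "QEMU", 4) != 0)
        return PARSE_BAD_MAGIC;          /* nearly every random input stops here */
    size_t n = pkt[4];                    /* input-controlled length, unchecked */
    if (n > sizeof payload)
        return PARSE_WOULD_OVERFLOW;     /* the defect: n bytes copied into payload[3] */
    memcpy(payload, pkt + 5, n);
    return PARSE_OK;
}

/* Random fuzzing with a reproducible xorshift32 generator: returns the 1-based round
 * that reached the defect, or 0 if none of max_rounds did. */
unsigned fuzz_rounds(uint32_t seed, unsigned max_rounds)
{
    uint32_t x = seed ? seed : 1;
    uint8_t pkt[PKT_LEN];
    for (unsigned r = 1; r <= max_rounds; r++) {
        for (size_t i = 0; i < PKT_LEN; i++) {
            x ^= x << 13; x ^= x >> 17; x ^= x << 5;
            pkt[i] = (uint8_t)x;
        }
        if (parse_packet(pkt) == PARSE_WOULD_OVERFLOW)
            return r;
    }
    return 0;   /* expected: matching the magic has a 2^-32 chance per round */
}

int main(void)
{
#ifdef USE_KLEE
    uint8_t pkt[PKT_LEN];
    klee_make_symbolic(pkt, sizeof pkt, "pkt");              /* all 8 bytes symbolic */
    klee_assert(parse_packet(pkt) != PARSE_WOULD_OVERFLOW);   /* KLEE emits the failing input */
#else
    printf("random fuzzing hit the defect in round %u (0 = never)\n", fuzz_rounds(7, 200000));
#endif
    return 0;
}
```

Under KLEE the assertion fails on the first path that satisfies both the magic and `pkt[4] > 3`, and the generated test case is the concrete input; the random driver reports 0 after 200000 rounds, which is the "unknown time to confidence" problem the text describes.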