Guiding Symbolic Execution with A-star

Symbolic execution is widely used to detect vulnerabilities in software. The idea is to symbolically execute the program in order to find an executable path to a target instruction. For the analysis to be fully accurate, it must be performed on the binary code, which makes the well-known issue of state explosion even more critical. In this paper, we introduce a novel exploration strategy for symbolic execution aiming to limit the number of explored paths. Our strategy is inspired from the A* algorithm and steered towards least explored parts of the program. We compare our approach, using the Binsec tool, to three other classical strategies: Depth-First (DFS), Breadth-First (BFS) and Non-Uniform Random (NURS). Our experiments on real-size programs show that our approach is relevant.