Finds bugs: when it finds a query that raises an error (such as DivideByZero)
Constraints: Loops, recursion, heap, environment (such as a network), coverage
Combining classic testing with automatic program analysis
We randomly generate inputs, and when we reach a branch, we solve that branch's constraint in another iteration to cover that code.
Concolic execution makes broad and shallow searches in the program space, whereas random testing follows very stochastic paths.
Do random iterations, but after a number of iterations, try concolic execution.
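An added example (not part of the original notes) of the random-then-concolic loop described above: random inputs run first, then recorded branch constraints are negated and solved to reach the DivideByZero. The target function, the constants 7331 and 101, the 1000-iteration budget and the equality-only toy solver are assumptions made for illustration; a real concolic engine hands the path constraints to an SMT solver.

```python
import random

def target(x, y, branch):
    # Constructed program under test: the bug sits behind two equality checks.
    if branch(0, 7331, x == 7331):
        if branch(1, 101, y == 101):
            return 10 // (y - 101)  # raises ZeroDivisionError
    return 0

def execute(inputs):
    """Run target concretely; return (path, crashed), path = [(var, const, taken)]."""
    path = []
    def branch(var, const, taken):
        path.append((var, const, taken))
        return taken
    try:
        target(inputs[0], inputs[1], branch)
        return path, False
    except ZeroDivisionError:
        return path, True

def flip(inputs, var, const, taken):
    """Toy solver for `inputs[var] == const`: new inputs taking the other side."""
    new = list(inputs)
    new[var] = const + 1 if taken else const
    return new

def concolic(inputs):
    """Explore paths by negating one recorded branch at a time (depth-first)."""
    worklist, seen = [inputs], set()
    while worklist:
        inputs = worklist.pop()
        path, crashed = execute(inputs)
        if crashed:
            return inputs
        for i, (var, const, taken) in enumerate(path):
            key = tuple(t for _, _, t in path[:i]) + (not taken,)
            if key not in seen:  # this prefix + flipped branch not tried yet
                seen.add(key)
                worklist.append(flip(inputs, var, const, taken))
    return None

def hybrid(random_iterations=1000, seed=0):
    """Random testing first; switch to concolic execution once the budget is spent."""
    rng = random.Random(seed)
    for _ in range(random_iterations):
        inputs = [rng.randrange(2**32), rng.randrange(2**32)]
        if execute(inputs)[1]:
            return inputs, "random"
    return concolic(inputs), "concolic"
```

Random 32-bit inputs almost never satisfy both equality checks, while the concolic phase reaches the crashing input in three executions.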
Blackbox fuzzing
Mutation based fuzzing: take a valid input, perturb it a bit
Generation based fuzzing: anomalies based on some protocol (RFC, etc.)