FuzzFactory: domain-specific fuzzing with waypoints

Padhye, Rohan; Lemieux, Carole; Sen, Koushik; Simon, Laurent; Vijayakumar, Hayawardh

doi:10.1145/3360600

Cited by 48 publications

(17 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition to AutoFuzz and PULSAR, which are based on traffic analysis for automated state model inference, Prospex [27] tried to use dynamic taint analysis to infer the protocol state model and message format, while PRETT [28] used binary tokens combined with network traces to build minimized state model. Besides, IJON [29] and FazzFactory [30] allowed users to annotate the specific variables in the program under test via provided APIs, using specific feedback to guide the fuzzer to perform domainspecific fuzzing. In addition to AFLNET, STATEAFL, etc.…”

Section: Program State Model Inferencementioning

confidence: 99%

See 1 more Smart Citation

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

Qin¹,

Fan²,

Zhao³

et al. 2022

Proceedings FUZZING 2022 - 1st International Fuzzing Workshop

View full text Add to dashboard Cite

As the essential component responsible for communication, network services are security-critical, and it is vital to find v u lnerabilities i n t h em. F u zzing i s c u rrently o n e o f the most popular software vulnerability discovery techniques, widely adopted due to its high efficiency and low false positives. However, existing coverage-guided fuzzers mainly aim at stateless local applications, leaving stateful network services underexplored. Recently, some fuzzers targeting network services have been proposed but have certain limitations, e.g., insufficient o r inaccurate state representation and low testing efficiency.In this paper, we propose a new fuzzing solution NSFuzz for stateful network services. Specifically, w e s t udied t y pical implementations of network service programs and figured o u t how they represent states and interact with clients, and accordingly propose (1) a program variable-based state representation scheme and (2) an efficient i n teraction s y nchronization m e chanism to improve efficiency. We have implemented a prototype of NSFuzz, which uses static analysis to identify network event loops and extract state variables, then achieves fast I/O synchronization and efficient s t ate-aware f u zzing v i a l i ghtweight compile-time instrumentation. The preliminary evaluation results show that, compared with state-of-the-art network service fuzzers AFLNET and STATEAFL, our solution NSFuzz could infer a more accurate state model during fuzzing and improve the testing throughput by up to 50x and the coverage by up to 20%.

show abstract

Section: Program State Model Inferencementioning

confidence: 99%

“…Inspired by IJON [29], etc. [30], we plan to introduce an annotation mechanism into NSFuzz as a supplement to the proposed static analyzer. We will design several APIs to help users annotate state variables and synchronization points manually in the SUT, which is expected to improve the applicability and scalability of NSFuzz.…”

Section: Future Workmentioning

confidence: 99%

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

Qin¹,

Fan²,

Zhao³

et al. 2022

Proceedings FUZZING 2022 - 1st International Fuzzing Workshop

View full text Add to dashboard Cite

show abstract

“…These approaches are not adept at exposing complex vulnerabilities such as buffer overruns that get exhibited only in runs that reach vulnerability locations with certain specific vulnerabilityinducing program states. FuzzFactory [9] is a framework for instantiating a fuzzer with domain-specific testing objectives. However, their approach does not focus on detecting vulnerabilities, and does not have the notion of how close a test run comes to exposing a vulnerability.…”

Section: Related Workmentioning

confidence: 99%

HDR-Fuzz: Detecting Buffer Overruns using AddressSanitizer Instrumentation and Fuzzing

Medicherla¹,

Nagalakshmi²,

Sharma³

et al. 2021

Preprint

View full text Add to dashboard Cite

Buffer-overruns are a prevalent vulnerability in software libraries and applications. Fuzz testing is one of the effective techniques to detect vulnerabilities in general. Greybox fuzzers such as AFL automatically generate a sequence of test inputs for a given program using a fitness-guided search process. A recently proposed approach in the literature introduced a buffer-overrun specific fitness metric called "headroom", which tracks how close each generated test input comes to exposing the vulnerabilities. That approach showed good initial promise, but is somewhat imprecise and expensive due to its reliance on conservative points-to analysis. Inspired by the approach above, in this paper we propose a new ground-up approach for detecting buffer-overrun vulnerabilities. This approach uses an extended version of ASAN (Address Sanitizer) that runs in parallel with the fuzzer, and reports back to the fuzzer test inputs that happen to come closer to exposing bufferoverrun vulnerabilities. The ASAN-style instrumentation is precise as it has no dependence on points-to analysis. We describe in this paper our approach, as well as an implementation and evaluation of the approach.

show abstract

“…Fuzzing [44]- [46] is another technique that generates new test cases by providing new random inputs to a program. Unfortunately, existing fuzzing tools for JavaScript are limited due to the dynamic typing used in JavaScript.…”

Section: Related Workmentioning

confidence: 99%

Automatically Assessing and Extending Code Coverage for NPM Packages

Sun

Rosà

Bonetta³

et al. 2021

2021 IEEE/ACM International Conference on Automation of Software Test (AST)

View full text Add to dashboard Cite

Typical Node.js applications extensively rely on packages hosted in the npm registry. As such packages may be used by thousands of other packages or applications, it is important to assess their code coverage. Moreover, increasing code coverage may help detect previously unknown issues. In this paper, we introduce TESA, a new tool that automatically assembles a test suite for any package in the npm registry. The test suite includes 1) tests written for the target package and usually hosted in its development repository, and 2) tests selected from dependent packages. The former tests allow assessing the code coverage of the target package, while the latter ones can increase code coverage by exploiting third-party tests that also exercise code in the target package. We use TESA to assess the code coverage of 500 popular npm packages. Then, we demonstrate that TESA can significantly increase code coverage by including tests from dependent packages. Finally, we show that the test suites assembled by TESA increase the effectiveness of existing dynamic program analyses to identify performance issues that are not detectable when only executing the developer's tests.

show abstract

FuzzFactory: domain-specific fuzzing with waypoints

Cited by 48 publications

References 22 publications

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

NSFuzz: Towards Efficient and State-Aware Network Service Fuzzing

HDR-Fuzz: Detecting Buffer Overruns using AddressSanitizer Instrumentation and Fuzzing

Automatically Assessing and Extending Code Coverage for NPM Packages

Contact Info

Product

Resources

About