Smart Greybox Fuzzing

Pham, Van-Thuan; Böhme, Marcel; Santosa, Andrew E.; Căciulescu, Alexandru Răzvan; Roychoudhury, Abhik

doi:10.1109/tse.2019.2941681

Cited by 102 publications

(85 citation statements)

References 36 publications

(76 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Markov chain, PSO and MAB) to help energy assignment. Note that AFLSmart [24] leverages the structure representation in seed files to guide mutation, and defines a validity-based power schedule to generate test inputs that are more likely to explore deeper program logic. Although it is close to main ideas of grammar-based and generationbased fuzzers, its application scenarios are limited due to the relatively simple chunk strategy and virtual file structure.…”

Section: A Guided Mutation-based Fuzzingmentioning

confidence: 99%

“…While, in classic mutation-based fuzzers, the influence of mutation priority and frequency has been proved to be significant ( [1] [19] [21]). Many mutation-based fuzzers have developed different approaches to optimize power schedule, such as reducing the search space of inputs ( [16], [19], [21], [23]), or modeling the process of power schedule ( [17], [18], [24]).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Fuzzing With Optimized Grammar-Aware Mutation Strategies

et al. 2021

View full text Add to dashboard Cite

Fuzzing is a widely used technique to discover vulnerabilities in software. However, for programs requiring highly structured inputs, the byte-based mutation strategies in existing fuzzers have difficulties in generating valid inputs. To resolve this challenge, Grammar-Based Fuzzing (GBF) utilizes existing grammar specifications to generate new inputs. Some GBFs perform mutation based on Abstract Syntax Trees (ASTs), which can generate inputs conforming to grammars. However, the existing GBFs neglect using feedback to optimize mutation strategies, and blindly generate inputs without considering the effectiveness of those inputs. In this paper, we use the power schedule and the subtree pool to optimize mutation strategies. Specifically, we first translate input files into ASTs, and extract subtrees from ASTs into a subtree pool. Then, we optimize the power schedule on AST nodes based on a probabilistic model. That is, we adaptively determine the time budget for mutating an AST node. Finally, we replace AST nodes along with their subtrees with the ones we select from the subtree pool. We implement a fuzzing tool to demonstrate our strategies. The experiment results show that our method outperforms the state-of-the-art methods in fuzzing efficiency.

show abstract

Section: A Guided Mutation-based Fuzzingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Fuzzing With Optimized Grammar-Aware Mutation Strategies

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Based on RedQueen [32], Grimoire [33] identifies fragments from an initial set of inputs that trigger new coverage, strips them and later splices in other parts, thus mimicking grammar combinations. Chunk-based fuzzers such as Peach [8] and AFLSmart [34] generate inputs following a tree hierarchy, using C structure-like data chunks to form individual nodes. Peach applies format-aware mutations to the initial valid input set through a user-defined input specification (called a "peach pit file").…”

Section: B Format-aware Fuzzingmentioning

confidence: 99%

SGPFuzzer: A State-Driven Smart Graybox Protocol Fuzzer for Network Protocol Implementations

Yu¹,

Chen

Gan³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

As one of the most widely used technologies in software testing, fuzzing technology has been applied to network protocol vulnerability detection, and various network protocol fuzzers have been proposed. In this study, we first analyze and summarize some typical network protocol fuzzers to highlight the challenges when addressing stateful network protocol fuzzing. Then, a state-driven smart graybox protocol fuzzer (SGPFuzzer) is proposed to deal with these challenges. Finally, we evaluate SGPFuzzer on two widely used protocol implementations (LightFTP and tinyDTLS).The results show that SGPFuzzer outperforms Boofuzz and AFL in path coverage, unique crashes and the first time crash to crash, and it triggers a known bug which can't be trigged by the other two tools, fully proving its effectiveness and practicability. INDEX TERMS stateful network protocol, graybox fuzzer, AFL, smart mutation, Boofuzz S0 S1 S2 Sn ...

show abstract

“…The STADS framework [15] is general in the sense that it does not depend on a specific programming language, or execution environment, testing objective, or test generation technique. For instance, STADS facilitates the extrapolation of statement coverage, mutation adequacy, or the number of bugs exposed for Java, C, and Python programs on Linux, Windows, and MacOS using CSmith [29], Randoop [30], or AFL [31]- [34].…”

Section: A Software Testing As Species Discoverymentioning

confidence: 99%

Assurances in Software Testing: A Roadmap

Böhme

2019

2019 IEEE/ACM 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER)

View full text Add to dashboard Cite

As researchers, we already understand how to make testing more effective and efficient at finding bugs. However, as fuzzing (i.e., automated testing) becomes more widely adopted in practice, practitioners are asking: Which assurances does a fuzzing campaign provide that exposes no bugs? When is it safe to stop the fuzzer with a reasonable residual risk? How much longer should the fuzzer be run to achieve sufficient coverage?It is time for us to move beyond the innovation of increasingly sophisticated testing techniques, to build a body of knowledge around the explication and quantification of the testing process, and to develop sound methodologies to estimate and extrapolate these quantities with measurable accuracy. In our vision of the future practitioners leverage a rich statistical toolset to assess residual risk, to obtain statistical guarantees, and to analyze the cost-benefit trade-off for ongoing fuzzing campaigns. We propose a general framework as a first starting point to tackle this fundamental challenge and discuss a large number of concrete opportunities for future research. 4 In the quotes, the emphasis in italic letters is mine.

show abstract

Smart Greybox Fuzzing

Cited by 102 publications

References 36 publications

Fuzzing With Optimized Grammar-Aware Mutation Strategies

Fuzzing With Optimized Grammar-Aware Mutation Strategies

SGPFuzzer: A State-Driven Smart Graybox Protocol Fuzzer for Network Protocol Implementations

Assurances in Software Testing: A Roadmap

Contact Info

Product

Resources

About