Fuzzing: Art, Science, and Engineering

Among the many software vulnerability discovery techniques available today, fuzzing has remained highly popular due to its conceptual simplicity, its low barrier to deployment, and its vast amount of empirical evidence in discovering real-world software vulnerabilities. While researchers and practitioners alike have invested a large and diverse effort towards improving fuzzing in recent years, this surge of work has also made it difficult to gain a comprehensive and coherent view of fuzzing. To help preserve and bring coherence to the vast literature of fuzzing, this paper presents a unified, general-purpose model of fuzzing together with a taxonomy of the current fuzzing literature. We methodically explore the design decisions at every stage of our model fuzzer by surveying the related literature and innovations in the art, science, and engineering that make modern-day fuzzers effective.

[1]  Michael Pradel,et al.  Making Malory Behave Maliciously: Targeted Fuzzing of Android Execution Environments , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE).

[2]  Vitaly Shmatikov,et al.  Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations , 2014, 2014 IEEE Symposium on Security and Privacy.

[3]  B. Hardekopf,et al.  Fuzzing the Rust Typechecker Using CLP , 2015 .

[4]  Sam Malek,et al.  A whitebox approach for automated security testing of Android applications on the cloud , 2012, 2012 7th International Workshop on Automation of Software Test (AST).

[5]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[6]  Gadi Evron,et al.  Open Source Fuzzing Tools , 2007 .

[7]  Erik van der Kouwe,et al.  TypeSan: Practical Type Confusion Detection , 2016, CCS.

[8]  Jun Sun,et al.  AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations , 2013, NDSS.

[9]  Jiang Ming,et al.  Cryptographic Function Detection in Obfuscated Binaries via Bit-Precise Symbolic Loop Mapping , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[10]  David Brumley,et al.  Program-Adaptive Mutational Fuzzing , 2015, 2015 IEEE Symposium on Security and Privacy.

[11]  Konrad Rieck,et al.  Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols , 2015, SecureComm.

[12]  Stephen McCamant,et al.  Transformation-aware Exploit Generation using a HI-CFG , 2013 .

[13]  Koushik Sen,et al.  A randomized dynamic program analysis technique for detecting real deadlocks , 2009, PLDI '09.

[14]  Roger Lee,et al.  A Framework for File Format Fuzzing with Genetic Algorithms , 2012 .

[15]  Herbert Bos,et al.  Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations , 2013, USENIX Security Symposium.

[16]  Guofei Gu,et al.  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Yanick Fratantonio,et al.  RETracer: Triaging Crashes by Reverse Execution from Partial Memory Dumps , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[18]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[19]  William E. Howden,et al.  Methodology for the Generation of Program Test Data , 1975, IEEE Transactions on Computers.

[20]  Adam Kiezun,et al.  jFuzz: A Concolic Whitebox Fuzzer for Java , 2009, NASA Formal Methods.

[21]  Christopher Krügel,et al.  Prospex: Protocol Specification Extraction , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[22]  Richard J. Enbody,et al.  Revolutionizing the Field of Grey-box Attack Surface Testing with Evolutionary Fuzzing , 2007 .

[23]  Chao Zhang,et al.  CollAFL: Path Sensitive Fuzzing , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[24]  Abhik Roychoudhury,et al.  Model-based whitebox fuzzing for program binaries , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[25]  Sebastian Schinzel,et al.  kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels , 2017, USENIX Security Symposium.

[26]  Stephen McCamant,et al.  Statically-directed dynamic automated test generation , 2011, ISSTA '11.

[27]  Chao Zhang,et al.  Fuzzing: a survey , 2018, Cybersecur..

[28]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[29]  Radu State,et al.  KiF: a stateful SIP fuzzer , 2007, IPTComm '07.

[30]  Xuejun Yang,et al.  Test-case reduction for C compiler bugs , 2012, PLDI.

[31]  Vincenzo Iozzo 0-knowledge fuzzing , 2010 .

[32]  Stephen McCamant,et al.  Path-exploration lifting: hi-fi tests for lo-fi emulators , 2012, ASPLOS XVII.

[33]  Zhenkai Liang,et al.  Polyglot: automatic extraction of protocol message format using dynamic binary analysis , 2007, CCS '07.

[34]  Sanjay Rawat,et al.  KameleonFuzz: evolutionary fuzzing for black-box XSS detection , 2014, CODASPY '14.

[35]  Wen Xu,et al.  Designing New Operating Primitives to Improve Fuzzing Performance , 2017, CCS.

[36]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[37]  Noam Rinetzky,et al.  Chopped Symbolic Execution , 2018, 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE).

[38]  Salvatore J. Stolfo,et al.  NEZHA: Efficient Domain-Independent Differential Testing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[39]  Insik Shin,et al.  Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing , 2018, NDSS.

[40]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[41]  Martin Vuagnoux,et al.  Autodafé: an Act of Software Torture , 2005 .

[42]  Lionel C. Briand,et al.  Random Testing: Theoretical Results and Practical Implications , 2012, IEEE Transactions on Software Engineering.

[43]  Koushik Sen,et al.  Randomized active atomicity violation detection in concurrent programs , 2008, SIGSOFT '08/FSE-16.

[44]  Koushik Sen,et al.  Race directed random testing of concurrent programs , 2008, PLDI '08.

[45]  Boris Beizer,et al.  Black Box Testing: Techniques for Functional Testing of Software and Systems , 1996, IEEE Software.

[46]  David Brumley,et al.  Optimizing Seed Selection for Fuzzing , 2014, USENIX Security Symposium.

[47]  Patrice Godefroid Random testing for security: blackbox vs. whitebox fuzzing , 2007, RT '07.

[48]  Karl N. Levitt,et al.  SELECT—a formal system for testing and debugging programs by symbolic execution , 1975 .

[49]  Michael D. Ernst,et al.  Feedback-Directed Random Test Generation , 2007, 29th International Conference on Software Engineering (ICSE'07).

[50]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[51]  Suresh Jagannathan,et al.  Synthesizing racy tests , 2015, PLDI.

[52]  Koushik Sen,et al.  Effective random testing of concurrent programs , 2007, ASE.

[53]  Rauli Kaksonen,et al.  System Security Assessment through Specification Mutations and Fault Injection , 2001, Communications and Multimedia Security.

[54]  Amitabh Srivastava,et al.  Vulcan Binary transformation in a distributed environment , 2001 .

[55]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[56]  David A. Wagner,et al.  Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs , 2009, USENIX Security Symposium.

[57]  Andreas Zeller,et al.  Fuzzing with Code Fragments , 2012, USENIX Security Symposium.

[58]  Nikolaj Bjørner,et al.  Satisfiability modulo theories , 2011, Commun. ACM.

[59]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[60]  Jared Roesch,et al.  Language fuzzing using constraint logic programming , 2014, ASE.

[61]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[62]  Juraj Somorovsky,et al.  Systematic Fuzzing and Testing of TLS Libraries , 2016, CCS.

[63]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[64]  Mathias Payer,et al.  T-Fuzz: Fuzzing by Program Transformation , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[65]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[66]  Yang Liu,et al.  Skyfire: Data-Driven Seed Generation for Fuzzing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[67]  Abhinav Srivastava,et al.  Robust signatures for kernel data structures , 2009, CCS.

[68]  Song Wang,et al.  QTEP: quality-aware test case prioritization , 2017, ESEC/SIGSOFT FSE.

[69]  Sergey Bratus,et al.  LZfuzz: a fast compression-based fuzzer for poorly documented protocols , 2008 .

[70]  Artem Dinaburg,et al.  The Past, Present, and Future of Cyberdyne , 2018, IEEE Security & Privacy.

[71]  Neeraj Suri,et al.  The impact of fault models on software robustness evaluations , 2011, 2011 33rd International Conference on Software Engineering (ICSE).

[72]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[73]  David Lo,et al.  kb-anonymity: a model for anonymized behaviour-preserving test and debugging data , 2011, PLDI '11.

[74]  Zhiqiang Lin,et al.  IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing , 2018, NDSS.

[75]  Jared D. DeMott,et al.  Fuzzing for Software Security Testing and Quality Assurance , 2008 .

[76]  Alastair F. Donaldson,et al.  Many-core compiler fuzzing , 2015, PLDI.

[77]  Zhendong Su,et al.  Coverage-directed differential testing of JVM implementations , 2016, PLDI.

[78]  Lionel C. Briand,et al.  Automated testing for SQL injection vulnerabilities: an input mutation approach , 2014, ISSTA 2014.

[79]  Jeff Huang,et al.  EHBDroid: Beyond GUI testing for Android applications , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[80]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[81]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[82]  James Newsom,et al.  Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software, Network and Distributed System Security Symposium Conference Proceedings : 2005 , 2005 .

[83]  R. Weisberg A-N-D , 2011 .

[84]  Mathias Payer,et al.  HexType: Efficient Detection of Type Confusion Errors for C++ , 2017, CCS.

[85]  Sang Kil Cha,et al.  IMF: Inferred Model-based Fuzzer , 2017, CCS.

[86]  Patrice Godefroid,et al.  Billions and billions of constraints: Whitebox fuzz testing in production , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[87]  Milo M. K. Martin,et al.  CETS: compiler enforced temporal safety for C , 2010, ISMM '10.

[88]  Milo M. K. Martin,et al.  SoftBound: highly compatible and complete spatial memory safety for c , 2009, PLDI '09.

[89]  Hao Chen,et al.  Angora: Efficient Fuzzing by Principled Search , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[90]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[91]  Christopher Krügel,et al.  Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner , 2012, USENIX Security Symposium.

[92]  Wenke Lee,et al.  Type Casting Verification: Stopping an Emerging Attack Vector , 2015, USENIX Security Symposium.

[93]  Daniel P. Siewiorek,et al.  Comparing operating systems using robustness benchmarks , 1997, Proceedings of SRDS'97: 16th IEEE Symposium on Reliable Distributed Systems.

[94]  Stephen McCamant,et al.  Input generation via decomposition and re-stitching: finding bugs in Malware , 2010, CCS '10.

[95]  Christopher Krügel,et al.  DIFUZE: Interface Aware Fuzzing for Kernel Drivers , 2017, CCS.

[96]  Jianfeng Pan,et al.  Digtool: A Virtualization-Based Framework for Detecting Kernel Vulnerabilities , 2017, USENIX Security Symposium.

[97]  Mingwei Zhang,et al.  A platform for secure static binary instrumentation , 2014, VEE '14.

[98]  Jean-Pierre Seifert,et al.  SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale , 2011, USENIX Security Symposium.

[99]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[100]  P. W. Jones,et al.  Bandit Problems, Sequential Allocation of Experiments , 1987 .

[101]  Mihai Budiu,et al.  Control-flow integrity principles, implementations, and applications , 2009, TSEC.

[102]  Nikolai Tillmann,et al.  Pex-White Box Test Generation for .NET , 2008, TAP.

[103]  Alex Groce,et al.  Taming compiler fuzzers , 2013, PLDI.

[104]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[105]  Michael Laurenzano,et al.  PEBIL: Efficient static binary instrumentation for Linux , 2010, 2010 IEEE International Symposium on Performance Analysis of Systems & Software (ISPASS).

[106]  Hiroyuki Sato,et al.  GRT: Program-Analysis-Guided Random Testing (T) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[107]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[108]  Allen D. Householder Well There's Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File , 2012 .

[109]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[110]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[111]  Dick Hamlet When only random testing will do , 2006, RT '06.

[112]  Nikolai Tillmann,et al.  Fitness-guided path exploration in dynamic symbolic execution , 2009, 2009 IEEE/IFIP International Conference on Dependable Systems & Networks.

[113]  Pablo Buiras,et al.  QuickFuzz: an automatic random fuzzer for common file formats , 2016, Haskell.

[114]  Rajeev Alur,et al.  Representation dependence testing using program inversion , 2010, FSE '10.

[115]  Koushik Sen DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[116]  Harald Raffelt,et al.  LearnLib: a library for automata learning and experimentation , 2005, FMICS '05.

[117]  Allen D. Householder,et al.  Probability-Based Parameter Selection for Black-Box Fuzz Testing , 2012 .

[118]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[119]  Kevin C. Almeroth,et al.  SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr , 2006, ISC.

[120]  Vincent M. Weaver,et al.  perf fuzzer: Targeted Fuzzing of the perf event open() System Call , 2015 .

[121]  Rishabh Singh,et al.  Learn&Fuzz: Machine learning for input fuzzing , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[122]  Alexander Aiken,et al.  Synthesizing program input grammars , 2016, PLDI.

[123]  Christopher Krügel,et al.  Hulk: Eliciting Malicious Behavior in Browser Extensions , 2014, USENIX Security Symposium.

[124]  Magnus Almgren,et al.  T-Fuzz: Model-Based Fuzzing for Robustness Testing of Telecommunication Protocols , 2014, 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation.

[125]  Yuqing Zhang,et al.  BlendFuzz: A Model-Based Framework for Fuzz Testing Programs with Grammatical Inputs , 2012, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.

[126]  Myra B. Cohen,et al.  An orchestrated survey of methodologies for automated software test case generation , 2013, J. Syst. Softw..

[127]  Michael Pradel,et al.  Saying ‘Hi!’ is not enough: Mining inputs for effective test generation , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[128]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[129]  Joeri de Ruiter,et al.  Protocol State Fuzzing of TLS Implementations , 2015, USENIX Security Symposium.

[130]  Martin C. Rinard,et al.  Taint-based directed whitebox fuzzing , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[131]  Wen Xu,et al.  CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems , 2017, USENIX Annual Technical Conference.

[132]  Andreas Zeller,et al.  Simplifying and Isolating Failure-Inducing Input , 2002, IEEE Trans. Software Eng..

[133]  Nahid Shahmehri,et al.  Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing , 2015, ESEC/SIGSOFT FSE.

[134]  Steve Hanna,et al.  FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications , 2010, NDSS.

[135]  Peng Li,et al.  Understanding integer overflow in C/C++ , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[136]  Armando Solar-Lezama,et al.  Towards optimization-safe systems: analyzing the impact of undefined behavior , 2013, SOSP.

[137]  Tsong Yueh Chen,et al.  Adaptive Random Testing: The ART of test case diversity , 2010, J. Syst. Softw..

[138]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[139]  Pedram Amini,et al.  Fuzzing: Brute Force Vulnerability Discovery , 2007 .

[140]  Xiangyu Zhang,et al.  Deriving input syntactic structure from execution , 2008, SIGSOFT '08/FSE-16.

[141]  Xiangyu Zhang,et al.  Automatic Text Input Generation for Mobile Testing , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE).

[142]  David Brumley,et al.  Scheduling black-box mutational fuzzing , 2013, CCS.

[143]  Vitaly Shmatikov,et al.  Abusing File Processing in Malware Detectors for Fun and Profit , 2012, 2012 IEEE Symposium on Security and Privacy.

[144]  Carl E. Landwehr,et al.  Basic concepts and taxonomy of dependable and secure computing , 2004, IEEE Transactions on Dependable and Secure Computing.

[145]  David Lie,et al.  IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware , 2016, NDSS.

[146]  David Wetherall,et al.  Privacy oracle: a system for finding application leaks with black box differential testing , 2008, CCS.

[147]  Shing-Chi Cheung,et al.  Detecting atomic-set serializability violations in multithreaded programs through active randomized testing , 2010, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[148]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[149]  Vinod Yegneswaran,et al.  DELTA: A Security Assessment Framework for Software-Defined Networks , 2017, NDSS.

[150]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[151]  Herbert Bos,et al.  IFuzzer: An Evolutionary Interpreter Fuzzer Using Genetic Programming , 2016, ESORICS.

[152]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[153]  W. M. McKeeman,et al.  Differential Testing for Software , 1998, Digit. Tech. J..

[154]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2017, IEEE Trans. Software Eng..

[155]  Úlfar Erlingsson,et al.  Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM , 2014, USENIX Security Symposium.