A systematic review of fuzzing techniques

Abstract Fuzzing is an effective and widely used technique for finding security bugs and vulnerabilities in software. It inputs irregular test data into a target program to try to trigger a vulnerable condition in the program execution. Since the first random fuzzing system was constructed, fuzzing efficiency has been greatly improved by combination with several useful techniques, including dynamic symbolic execution, coverage guide, grammar representation, scheduling algorithms, dynamic taint analysis, static analysis and machine learning. In this paper, we will systematically review these techniques and their corresponding representative fuzzing systems. By introducing the principles, advantages and disadvantages of these techniques, we hope to provide researchers with a systematic and deeper understanding of fuzzing techniques and provide some references for this field.

[1]  Michael Gegick,et al.  Prioritizing software security fortification throughcode-level metrics , 2008, QoP '08.

[2]  Frank T. Willmore,et al.  Debugging with gdb , 2016 .

[3]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[4]  Alex Groce,et al.  Taming compiler fuzzers , 2013, PLDI.

[5]  C. D. Gelatt,et al.  Optimization by Simulated Annealing , 1983, Science.

[6]  Herbert Bos,et al.  Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations , 2013, USENIX Security Symposium.

[7]  Arun K. Pujari,et al.  A Fast Host-Based Intrusion Detection System Using Rough Set Theory , 2005, Trans. Rough Sets.

[8]  Stephen McCamant,et al.  Statically-directed dynamic automated test generation , 2011, ISSTA '11.

[9]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[10]  Alessandro Orso,et al.  BugRedux: Reproducing field failures for in-house debugging , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[11]  Rahul Gupta,et al.  DeepFix: Fixing Common C Language Errors by Deep Learning , 2017, AAAI.

[12]  Wenyuan Xu,et al.  Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study , 2010, USENIX Security Symposium.

[13]  Kevin Fu,et al.  Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[14]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[15]  Adam Kiezun,et al.  Grammar-based whitebox fuzzing , 2008, PLDI '08.

[16]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[17]  Xiangyu Zhang,et al.  Deriving input syntactic structure from execution , 2008, SIGSOFT '08/FSE-16.

[18]  David Brumley,et al.  Scheduling black-box mutational fuzzing , 2013, CCS.

[19]  Dawson R. Engler,et al.  EXE: automatically generating inputs of death , 2006, CCS '06.

[20]  Igor Santos,et al.  OPEM: A Static-Dynamic Approach for Machine-Learning-Based Malware Detection , 2012, CISIS/ICEUTE/SOCO Special Sessions.

[21]  Aurélien Francillon,et al.  What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices , 2018, NDSS.

[22]  Laurie A. Williams,et al.  Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista , 2010, 2010 Third International Conference on Software Testing, Verification and Validation.

[23]  Felix FX Lindner,et al.  Vulnerability Extrapolation: Assisted Discovery of Vulnerabilities Using Machine Learning , 2011, WOOT.

[24]  Alexander Aiken,et al.  Synthesizing program input grammars , 2016, PLDI.

[25]  Doo-Hwan Bae,et al.  Automatic and lightweight grammar generation for fuzz testing , 2013, Comput. Secur..

[26]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[27]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[28]  Abhik Roychoudhury,et al.  Model-based whitebox fuzzing for program binaries , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[29]  Will Drewry,et al.  Flayer: Exposing Application Internals , 2007, WOOT.

[30]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1987, TOPL.

[31]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[32]  Nando de Freitas,et al.  Neural Programmer-Interpreters , 2015, ICLR.

[33]  David Leon,et al.  Tree-based methods for classifying software failures , 2004, 15th International Symposium on Software Reliability Engineering.

[34]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[35]  Herbert Bos,et al.  Body Armor for Binaries: Preventing Buffer Overflows Without Recompilation , 2012, USENIX Annual Technical Conference.

[36]  Stephen McCamant,et al.  DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation , 2011, NDSS.

[37]  Yoshua Bengio,et al.  Learning Phrase Representations using RNN Encoder–Decoder for Statistical Machine Translation , 2014, EMNLP.

[38]  Christopher Krügel,et al.  Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware , 2015, NDSS.

[39]  Ryan Cunningham,et al.  Automated Vulnerability Analysis: Leveraging Control Flow for Evolutionary Input Crafting , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[40]  Mark Weiser,et al.  Program Slicing , 1981, IEEE Transactions on Software Engineering.

[41]  Salvatore J. Stolfo,et al.  Learning Rules from System Call Arguments and Sequences for Anomaly 20 Detection , 2003 .

[42]  Nikolaj Bjørner,et al.  νZ - Maximal Satisfaction with Z3 , 2014, SCSS.

[43]  Mark David Weiser,et al.  Program slices: formal, psychological, and practical investigations of an automatic program abstraction method , 1979 .

[44]  Andrew G. Barto,et al.  Reinforcement learning , 1998 .

[45]  Bruno C. d. S. Oliveira,et al.  Regression tests to expose change interaction errors , 2013, ESEC/FSE 2013.

[46]  Quoc V. Le,et al.  Sequence to Sequence Learning with Neural Networks , 2014, NIPS.

[47]  Cristian Cadar,et al.  KATCH: high-coverage testing of software patches , 2013, ESEC/FSE 2013.

[48]  Abhik Roychoudhury,et al.  Hercules: Reproducing Crashes in Real-World Application Binaries , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[49]  K. V. Hanford,et al.  Automatic Generation of Test Cases , 1970, IBM Syst. J..

[50]  Abhik Roychoudhury,et al.  Coverage-Based Greybox Fuzzing as Markov Chain , 2016, IEEE Transactions on Software Engineering.

[51]  Guillermo L. Grinblat,et al.  Toward Large-Scale Vulnerability Discovery using Machine Learning , 2016, CODASPY.

[52]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[53]  Allen D. Householder,et al.  Probability-Based Parameter Selection for Black-Box Fuzz Testing , 2012 .

[54]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[55]  Kevin C. Almeroth,et al.  SNOOZE: Toward a Stateful NetwOrk prOtocol fuzZEr , 2006, ISC.

[56]  William K. Robertson,et al.  LAVA: Large-Scale Automated Vulnerability Addition , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[57]  Andreas Zeller,et al.  Fuzzing with Code Fragments , 2012, USENIX Security Symposium.

[58]  Helmut Veith,et al.  An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries , 2008, VMCAI.

[59]  Paul Walton Purdom,et al.  A sentence generator for testing parsers , 1972 .

[60]  Luca Bruno,et al.  AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[61]  Martin C. Rinard,et al.  Taint-based directed whitebox fuzzing , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[62]  H. B. Barlow,et al.  Unsupervised Learning , 1989, Neural Computation.

[63]  Sanjay Bhansali,et al.  Framework for instruction-level tracing and analysis of program executions , 2006, VEE '06.

[64]  Nahid Shahmehri,et al.  Turning programs against each other: high coverage fuzz-testing using binary-code mutation and dynamic slicing , 2015, ESEC/SIGSOFT FSE.

[65]  Jun Wang,et al.  Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[66]  David H. Wolpert,et al.  No free lunch theorems for optimization , 1997, IEEE Trans. Evol. Comput..

[67]  Dawson R. Engler,et al.  Redundant State Detection for Dynamic Symbolic Execution , 2013, USENIX Annual Technical Conference.

[68]  Thomas G. Dietterich Machine-Learning Research , 1997, AI Mag..

[69]  David L. Dill,et al.  A Decision Procedure for Bit-Vectors and Arrays , 2007, CAV.

[70]  Nikola Kasabov,et al.  Artificial Neural Networks , 2015 .

[71]  Paolo Tonella,et al.  Generating valid grammar-based test inputs by means of genetic programming and annotated grammars , 2017, Empirical Software Engineering.

[72]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[73]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[74]  Angelos D. Keromytis,et al.  A Dynamic Mechanism for Recovering from Buffer Overflow Attacks , 2005, ISC.

[75]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[76]  Pushmeet Kohli,et al.  Adaptive Neural Compilation , 2016, NIPS.

[77]  David A. Padua,et al.  Dependence graphs and compiler optimizations , 1981, POPL '81.

[78]  Yang Liu,et al.  Steelix: program-state based binary fuzzing , 2017, ESEC/SIGSOFT FSE.

[79]  Viet Hung Nguyen,et al.  Predicting vulnerable software components with dependency graphs , 2010, MetriSec '10.

[80]  Mark Weiser,et al.  Programmers use slices when debugging , 1982, CACM.

[81]  Rishabh Singh,et al.  Learn&Fuzz: Machine learning for input fuzzing , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[82]  Marcin Andrychowicz,et al.  Neural Random Access Machines , 2015, ERCIM News.

[83]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[84]  Frank Tip,et al.  A survey of program slicing techniques , 1994, J. Program. Lang..

[85]  Guofei Gu,et al.  TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[86]  Abhik Roychoudhury,et al.  Directed Greybox Fuzzing , 2017, CCS.

[87]  Andreas Zeller,et al.  Mining input grammars from dynamic taints , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[88]  Laurie A. Williams,et al.  An initial study on the use of execution complexity metrics as indicators of software vulnerabilities , 2011, SESS '11.

[89]  Armando Solar-Lezama,et al.  sk_p: a neural program corrector for MOOCs , 2016, SPLASH.

[90]  David Brumley,et al.  Enhancing symbolic execution with veritesting , 2014, ICSE.

[91]  B. Saperstein On the Occurrence of n Successes Within N Bernoulli Trials , 1973 .

[92]  David Brumley,et al.  Program-Adaptive Mutational Fuzzing , 2015, 2015 IEEE Symposium on Security and Privacy.

[93]  Stephen McCamant,et al.  Transformation-aware Exploit Generation using a HI-CFG , 2013 .

[94]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[95]  Yang Liu,et al.  Skyfire: Data-Driven Seed Generation for Fuzzing , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[96]  Rich Caruana,et al.  An empirical comparison of supervised learning algorithms , 2006, ICML.

[97]  William Landi,et al.  Undecidability of static analysis , 1992, LOPL.

[98]  Herbert Bos,et al.  The BORG: Nanoprobing Binaries for Buffer Overreads , 2015, CODASPY.

[99]  Rupak Majumdar,et al.  Directed test generation using symbolic grammars , 2007, ESEC-FSE '07.

[100]  Riccardo Poli,et al.  Particle swarm optimization , 1995, Swarm Intelligence.

[101]  George Candea,et al.  Efficient state merging in symbolic execution , 2012, Software Engineering.

[102]  Rishabh Singh,et al.  Automated Correction for Syntax Errors in Programming Assignments using Recurrent Neural Networks , 2016, ArXiv.

[103]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.