Evolutionary Grammar-Based Fuzzing

A fuzzer feeds randomly generated inputs to a target program to expose erroneous behavior. To detect defects efficiently, the generated inputs should conform to the structure of the input format, so grammars can be used to generate syntactically correct inputs. In this setting, fuzzing can be guided by probabilities attached to the competing rules of the grammar, which leads to probabilistic grammar-based fuzzing. However, how to assign probabilities to individual grammar rules so that they effectively expose erroneous behavior in a given system under test is an open research question. In this paper, we present EvoGFuzz, an evolutionary grammar-based fuzzing approach that optimizes these probabilities to generate test inputs that may be more likely to trigger exceptional behavior. The evaluation shows the effectiveness of EvoGFuzz in detecting defects compared to probabilistic grammar-based fuzzing (the baseline). Applied to ten real-world applications with common input formats (JSON, JavaScript, or CSS3), EvoGFuzz achieved a significantly larger median line coverage for all subjects, by up to 48% compared to the baseline. Moreover, EvoGFuzz exposed 11 unique defects, five of which the baseline did not detect.
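The idea the abstract describes, grammar-based generation driven by per-rule probabilities that an evolutionary loop tunes against feedback from the system under test, as an added illustration in Python. This is not EvoGFuzz's code and makes no claim about its internals: the JSON-subset grammar, the toy system under test with its two planted defects and hand-placed coverage labels, the fitness function (coverage labels reached plus a bonus per distinct exception type) and the Gaussian mutation of rule weights are all constructed assumptions for the example.

```python
"""Toy probabilistic grammar fuzzer with evolutionary tuning of rule
probabilities (constructed illustration; not EvoGFuzz's implementation)."""
import json
import random

# Constructed JSON-subset grammar: nonterminals are written <name>, each
# alternative is a list of symbols, and every derivation is valid JSON.
GRAMMAR = {
    "<value>":    [["<object>"], ["<array>"], ["<string>"], ["<number>"],
                   ["true"], ["false"], ["null"]],
    "<object>":   [["{", "}"], ["{", "<members>", "}"]],
    "<members>":  [["<pair>"], ["<pair>", ",", "<members>"]],
    "<pair>":     [["<string>", ":", "<value>"]],
    "<array>":    [["[", "]"], ["[", "<elements>", "]"]],
    "<elements>": [["<value>"], ["<value>", ",", "<elements>"]],
    "<string>":   [['"a"'], ['"key"'], ['""']],
    "<number>":   [["0"], ["1"], ["-1"], ["1e3"], ["0.5"]],
}

def is_nonterminal(sym):
    return sym.startswith("<") and sym.endswith(">")

def normalize(weights):
    total = sum(weights)
    return [w / total for w in weights]

def uniform_probs(grammar):
    """Baseline assignment: all competing alternatives of a rule equally likely."""
    return {nt: normalize([1.0] * len(alts)) for nt, alts in grammar.items()}

def generate(grammar, probs, sym, rng, depth=0, max_depth=8):
    """Expand sym, drawing alternatives by their rule probabilities; beyond
    max_depth take the alternative with the fewest nonterminals to terminate."""
    if not is_nonterminal(sym):
        return sym
    alts = grammar[sym]
    if depth >= max_depth:
        alt = min(alts, key=lambda a: sum(map(is_nonterminal, a)))
    else:
        alt = rng.choices(alts, weights=probs[sym])[0]
    return "".join(generate(grammar, probs, s, rng, depth + 1, max_depth) for s in alt)

def sample_inputs(probs, n, seed):
    rng = random.Random(seed)
    return [generate(GRAMMAR, probs, "<value>", rng) for _ in range(n)]

# Constructed system under test: hand-placed coverage labels and two planted
# defects (an empty object key; an all-numeric list that sums to zero).
def walk(node, covered):
    if isinstance(node, dict):
        covered.add("dict")
        for key, val in node.items():
            if key == "":
                covered.add("empty_key")
                raise KeyError("empty key")           # planted defect 1
            walk(val, covered)
    elif isinstance(node, list):
        covered.add("list")
        nums = [x for x in node if isinstance(x, (int, float)) and not isinstance(x, bool)]
        if nums and len(nums) == len(node) and sum(nums) == 0:
            covered.add("zero_sum")
            return 1 / sum(nums)                      # planted defect 2: ZeroDivisionError
        for item in node:
            walk(item, covered)
    elif isinstance(node, str):
        covered.add("str")
    elif isinstance(node, bool):
        covered.add("bool")
    elif node is None:
        covered.add("null")
    else:
        covered.add("num")

def run_sut(text):
    """Return (coverage labels reached, exception type name or None) for one input."""
    covered = set()
    try:
        data = json.loads(text)      # the stdlib parser rejects syntactically invalid input
        covered.add("parsed")
        walk(data, covered)
        return covered, None
    except Exception as exc:
        return covered, type(exc).__name__

def fitness(probs, n_inputs, seed):
    """Score an assignment by the labels and distinct exception types its inputs reach."""
    labels, exc_types = set(), set()
    for text in sample_inputs(probs, n_inputs, seed):
        cov, exc = run_sut(text)
        labels |= cov
        if exc is not None:
            exc_types.add(exc)
    return len(labels) + 5 * len(exc_types), exc_types

def mutate(probs, rng, sigma=0.3):
    """Perturb every rule's weights with Gaussian noise, clip, renormalize."""
    return {nt: normalize([max(0.01, w + rng.gauss(0, sigma)) for w in ws])
            for nt, ws in probs.items()}

def evolve(seed, generations=8, pop_size=8, elites=2, n_inputs=40):
    """Elitist loop: keep the best-scoring assignments with their scores, breed
    mutated children, score only the children. Returns the best assignment,
    the best fitness per generation, and every exception type observed."""
    rng = random.Random(seed)
    base = uniform_probs(GRAMMAR)
    population = [base] + [mutate(base, rng) for _ in range(pop_size - 1)]
    scored = [(fitness(p, n_inputs, rng.getrandbits(32)), p) for p in population]
    history, found = [], set()
    for _ in range(generations):
        scored.sort(key=lambda s: s[0][0], reverse=True)
        for (_score, excs), _p in scored:
            found |= excs
        history.append(scored[0][0][0])
        parents = scored[:elites]
        children = [mutate(parents[rng.randrange(elites)][1], rng)
                    for _ in range(pop_size - elites)]
        scored = parents + [(fitness(c, n_inputs, rng.getrandbits(32)), c) for c in children]
    scored.sort(key=lambda s: s[0][0], reverse=True)
    for (_score, excs), _p in scored:
        found |= excs
    history.append(scored[0][0][0])
    return scored[0][1], history, found

if __name__ == "__main__":
    best, history, found = evolve(seed=7)
    print("best fitness per generation:", history)
    print("exception types exposed:", sorted(found))
    print("tuned <value> probabilities:", [round(p, 2) for p in best["<value>"]])
```

The uniform assignment returned by `uniform_probs` plays the role of the probabilistic grammar-based baseline; `evolve` starts from it and only ever keeps an individual because inputs sampled under its probabilities reached more labels or more exception types. Two caveats a practitioner would want: fitness is measured on freshly sampled inputs, so it is a noisy estimate, and elites keep their old score rather than being re-measured, which is what makes the best-fitness history non-decreasing; against a real target the hand-placed labels would be replaced by line or branch coverage from an instrumentation tool, as the paper's evaluation measures line coverage.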
