• Corpus ID: 229340630

Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants

@article{Fioraldi2020ProgramSA,
  title={Program State Abstraction for Feedback-Driven Fuzz Testing using Likely Invariants},
  author={Andrea Fioraldi},
  journal={ArXiv},
  year={2020},
  volume={abs/2012.11182}
}
Fuzz testing proved its great effectiveness in finding software bugs in the latest years, however, there are still open challenges. Coverage-guided fuzzers suffer from the fact that covering a program point does not ensure the trigger of a fault. Other more sensitive techniques that in theory should cope with this problem, such as the coverage of the memory values, easily lead to path explosion. In this thesis, we propose a new feedback for Feedback-driven Fuzz testing that combines code… 
[PDF] Semantic Reader
1 Citation
Highly Influential Citations
1
Background Citations
1
Methods Citations
1

Figures and Tables from this paper

One Citation

StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing

This paper assessed the limitation of coverage-guided fuzzing solutions and proposed a state-aware fuzzing solution StateFuzz, which reaches 19% higher code coverage and 32% higher state coverage than the state-of-the-art fuzzer Syzkaller and is effective at discovering both new code and vulnerabilities.

105 References

Automated Whitebox Fuzz Testing

This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for white box fuzzing of arbitrary file-reading Windows applications.

REDQUEEN: Fuzzing with Input-to-State Correspondence

The prototype implementation of REDQUEEN, a lightweight, yet very effective alternative to taint tracking and symbolic execution to facilitate and optimize state-of-the-art feedback fuzzing that easily scales to large binary applications and unknown environments, is introduced.

Fuzzing with Code Fragments

LangFuzz is an effective tool for security testing: Applied on the Mozilla JavaScript interpreter, it discovered a total of 105 new severe vulnerabilities within three months of operation (and thus became one of the top security bug bounty collectors within this period); applied on the PHP interpreter, It discovered 18 new defects causing crashes.

FuzzFactory: domain-specific fuzzing with waypoints

FuzzFactory is presented, a framework for developing domain-specific fuzzing applications without requiring changes to mutation and search heuristics and shows how multiple domains can be composed to perform better than the sum of their parts.

Random testing for security: blackbox vs. whitebox fuzzing

An overview of the recent work on whitebox fuzzing is presented, with an emphasis on the key algorithms and techniques needed to make this approach effective and scalable.

T-Fuzz: Fuzzing by Program Transformation

T-Fuzz leverages a symbolic execution-based approach to filter out false positives and reproduce true bugs in the original program by transforming the program as well as mutating the input, and covers more code and finds more true bugs than any existing technique.

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

A framework called kernel-AFL (kAFL) is developed to assess the security of Linux, macOS, and Windows kernel components and introduces almost no performance overhead, even in cases where the OS crashes, and performs up to 17,000 executions per second on an off-the-shelf laptop.

ParmeSan: Sanitizer-guided Greybox Fuzzing

This paper presents sanitizer-guided fuzzing, a new design point in this space that specifically optimizes for bug coverage, and shows that ParmeSan greatly reduces the TTE of real-world bugs, and finds bugs 37% faster than existing state-of-the-art coverage-based fuzzers (Angora) and 288% faster more than directed fuzzing (AFLGo), while still covering the same set of bugs.

Ijon: Exploring Deep State Spaces via Fuzzing

This paper proposes Ijon, an annotation mechanism that a human analyst can use to guide the fuzzer and shows that using Ijon and AFL, one can solve many challenges from the CGC data set that resisted all fully automated and human guided attempts so far.

A Survey of Symbolic Execution Techniques

The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in Symbolic execution, distilling them for a broad audience.
...