Targeted Greybox Fuzzing with Static Lookahead Analysis
Automatic test generation typically aims to generate inputs that explore new
paths in the program under test in order to find bugs. Existing work has,
therefore, focused on guiding the exploration toward program parts that are
more likely to contain bugs by using an offline static analysis.
In this paper, we introduce a novel technique for targeted greybox fuzzing
using an online static analysis that guides the fuzzer toward a set of target
locations, for instance, locations in recently modified parts of the program.
This is achieved by first semantically analyzing each program path that is
explored by an input in the fuzzer's test suite. The results of this analysis
are then used to control the fuzzer's specialized power schedule, which
determines how often to fuzz inputs from the test suite. We implemented our
technique by extending a state-of-the-art, industrial fuzzer for Ethereum smart
contracts and evaluated its effectiveness on 27 real-world benchmarks. Using an
online analysis is particularly suitable for the domain of smart contracts
since it does not require any code instrumentation; instrumenting contracts
changes their semantics. Our experiments show that targeted fuzzing
significantly outperforms standard greybox fuzzing for reaching 83% of the
challenging target locations (up to 14x median speed-up).
Combining Static and Dynamic Analysis for Vulnerability Detection
In this paper, we present a hybrid approach for buffer overflow detection in
C code. The approach makes use of static and dynamic analysis of the
application under investigation. The static part consists of calculating taint
dependency sequences (TDS) between user-controlled inputs and vulnerable
statements. This process is akin to computing a program slice of interest: the
tainted data- and control-flow paths that exhibit the dependence between
tainted program inputs and vulnerable statements in the code. The dynamic part
consists of executing the program along TDSs to trigger the vulnerability by
generating suitable inputs. We use a genetic algorithm to generate inputs. We
propose a fitness function that approximates the program behavior (control
flow) based on the frequencies of the statements along TDSs. This runtime
aspect makes the approach faster and more accurate. We provide experimental results
on the Verisec benchmark to validate our approach.
Comment: There are 15 pages with 1 figure
Scaling in the Positive Plaquette Model and Universality in SU(2) Lattice Gauge Theory
We investigate universality, scaling, the beta-function and the topological
charge in the positive plaquette model for SU(2) lattice gauge theory.
Comparing physical quantities, like the critical temperature, the string
tension, glueball masses, and their ratios, we explore the effect of a complete
suppression of a certain lattice artifact, namely the negative plaquettes, for
SU(2) lattice gauge theory. Our result is that this modification does not
change the continuum limit, i.e., the universality class. The positive
plaquette model and the standard Wilson formulation describe the same physical
situation. The approach to the continuum limit given by the beta-function in
terms of the bare lattice coupling, however, is rather different: the
beta-function of the positive plaquette model does not show a dip like the
model with standard Wilson action.
Comment: 35 pages, preprint numbers FSU-SCRI-94-71 and HU Berlin-IEP-94/1